Mirai

Overview
Initial foothold: Default credentials
Privilege escalation: sudo rights
Enumeration
Start with port scanning
kali@kali:~/htb$ sudo nmap -sS -T4 -A 10.10.10.48
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
1593/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.8 (95%), Linux 4.4 (95%), Linux 3.18 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Start with web enumeration
Web Enumeration
Visit the webpage

We are unable to see the contents of the webpage
Let's add the mirai.htb hostname to our hosts file

Now visit the webpage using this hostname

It looks like the website is blocked for our IP and some kind of whitelisting is in place
View the source code of the website

Found an interesting directory
Visit the /admin/ directory

A Pi-hole console was running here
There was also a login page which requires a password
Google Pi-hole along with its version to find out exactly what it is

Searching for the default password shows that the default username for SSH login is pi and the password is raspberry
Exploitation
Got SSH credentials pi : raspberry
Try these credentials on the SSH login

Yeah! We got a shell as user pi

Privilege Escalation
Run the sudo -l command

Here it is clear that we can run any command as the root user
In this way we got a root shell
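The two findings above (a default login that is also allowed to run any command through sudo) can be caught from the defender's side by auditing the sudoers rules. The following is an added example, not part of the original write-up: the sudoers text is a constructed sample, and `audit_sudoers`, `DEFAULT_ACCOUNTS` and the severity labels are hypothetical names chosen for illustration.

```python
import re

# Accounts known to ship with a published password; "pi" is the one this page used.
DEFAULT_ACCOUNTS = {"pi"}

# who host = (runas) [TAG:] cmd, cmd ...
RULE = re.compile(r"^(?P<who>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGGED = re.compile(r"^((?:[A-Z_]+:\s*)*)(.*)$")

def audit_sudoers(text):
    """Return (principal, severity) for every rule that allows ALL commands."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        line = raw.split("#", 1)[0].strip()              # drop comments and #include lines
        m = RULE.match(line)
        if not m or line.startswith(("Defaults", "@include")):
            continue
        who = m["who"]
        if who == "root" or who.endswith("_Alias"):
            continue
        nopasswd = False
        for spec in m["cmds"].split(","):
            tags, cmd = TAGGED.match(spec.strip()).groups()
            names = re.findall(r"[A-Z_]+", tags)
            if "NOPASSWD" in names:      # a tag carries over to later commands
                nopasswd = True
            elif "PASSWD" in names:
                nopasswd = False
            if cmd.strip() != "ALL":
                continue
            if not nopasswd:
                severity = "review"      # unrestricted, but still asks for a password
            elif who in DEFAULT_ACCOUNTS:
                severity = "critical"    # default login plus passwordless root
            else:
                severity = "high"
            findings.append((who, severity))
    return findings

# Constructed sample, not taken from the target machine.
SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for who, severity in audit_sudoers(SAMPLE):
        print(f"{severity:8} {who}")
```

Rules whose principal is written as a numeric `#uid` are not parsed by this sketch, because everything after `#` is treated as a comment.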

Oh, the root.txt file did not contain the hash, but it pointed us towards a USB stick
Let's visit /media/usbstick

But after visiting /media/usbstick/ we did not find any root.txt file
It must have been deleted. We can confirm this from the damit.txt file

To get at the deleted content we will use the command below

Here was the content of the root.txt file
That's all for this box
Good Bye :)