Hack The Box: Mirai Write-up (#25)

This is my 25th box out of 42 boxes for OSCP preparation. I am doing my best to learn and master the key skills for my upcoming OSCP exam by writing this series of blogs. So let’s begin.

Reconnaissance

Run the nmapAutomator script to enumerate open ports and the services running on them.

./nmapAutomator.sh 10.10.10.48 All
  • All: runs all the scans consecutively (quick, basic, UDP, full, script scan on extra ports, vulns; ~20–30 minutes)

We get back the following result:

Running all scans on 10.10.10.48
Host is likely running Linux
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.92 seconds
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Warning: 10.10.10.48 giving up on port because retransmission cap hit (1).
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0085s latency).
Not shown: 980 open|filtered ports, 18 closed ports
PORT STATE SERVICE
123/udp open ntp
5353/udp open zeroconf
Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds
Making a script scan on UDP ports: 123, 5353
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0085s latency).
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4 (unsynchronized)
| vulners:
| NTP v4:
| CVE-2015-7871 7.5 https://vulners.com/cve/CVE-2015-7871
| CVE-2015-7853 7.5 https://vulners.com/cve/CVE-2015-7853
| CVE-2015-7705 7.5 https://vulners.com/cve/CVE-2015-7705
| CVE-2014-9295 7.5 https://vulners.com/cve/CVE-2014-9295
| CVE-2014-9294 7.5 https://vulners.com/cve/CVE-2014-9294
| CVE-2014-9293 7.5 https://vulners.com/cve/CVE-2014-9293
| CVE-2016-9311 7.1 https://vulners.com/cve/CVE-2016-9311
|_ CVE-2016-2516 7.1 https://vulners.com/cve/CVE-2016-2516
5353/udp open mdns DNS-based service discovery
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.82 seconds
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:18 +08
Initiating SYN Stealth Scan at 01:18
Scanning mirai.htb (10.10.10.48) [65535 ports]
Discovered open port 22/tcp on 10.10.10.48
Discovered open port 53/tcp on 10.10.10.48
Discovered open port 80/tcp on 10.10.10.48
Discovered open port 1747/tcp on 10.10.10.48
SYN Stealth Scan Timing: About 23.05% done; ETC: 01:20 (0:01:44 remaining)
SYN Stealth Scan Timing: About 45.94% done; ETC: 01:20 (0:01:12 remaining)
Discovered open port 32400/tcp on 10.10.10.48
SYN Stealth Scan Timing: About 68.82% done; ETC: 01:20 (0:00:41 remaining)
Discovered open port 32469/tcp on 10.10.10.48
Completed SYN Stealth Scan at 01:20, 131.09s elapsed (65535 total ports)
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0076s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1747/tcp open ftrapid-2
32400/tcp open plex
32469/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 131.17 seconds
Raw packets sent: 65544 (2.884MB) | Rcvd: 65538 (2.622MB)
Making a script scan on extra ports: 1747, 32400, 32469
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:20 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
1747/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:20 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0083s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:6.7p1:
| CVE-2008-3844 9.3 https://vulners.com/cve/CVE-2008-3844
|_ CVE-2015-5600 8.5 https://vulners.com/cve/CVE-2015-5600
53/tcp open domain dnsmasq 2.76
| vulners:
| cpe:/a:thekelleys:dnsmasq:2.76:
| CVE-2017-14496 7.8 https://vulners.com/cve/CVE-2017-14496
| CVE-2017-14493 7.5 https://vulners.com/cve/CVE-2017-14493
| CVE-2017-14492 7.5 https://vulners.com/cve/CVE-2017-14492
|_ CVE-2017-14491 7.5 https://vulners.com/cve/CVE-2017-14491
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| vulners:
| lighttpd 1.4.35:
|_ CVE-2019-11072 7.5 https://vulners.com/cve/CVE-2019-11072
1747/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.28 seconds

We have a total of 8 open ports: 6 TCP and 2 UDP.

  • Port 22/tcp: SSH, OpenSSH 6.7p1 Debian 5+deb8u3.
  • Port 53/tcp: DNS, dnsmasq 2.76.
  • Port 80/tcp: HTTP, lighttpd 1.4.35 (page title “Website Blocked”).
  • Port 1747/tcp: UPnP, Platinum UPnP 1.0.5.13.
  • Port 32400/tcp: HTTP, Plex Media Server (returns 401 Unauthorized).
  • Port 32469/tcp: UPnP, Platinum UPnP 1.0.5.13.
  • Port 123/udp: NTP v4.
  • Port 5353/udp: mDNS (zeroconf).
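To see what nmapAutomator is doing in its “script scan on extra ports” step, here is an added example of my own (not the author’s and not nmapAutomator’s code) that diffs the full 65535-port scan against the top-1000 quick scan and builds the follow-up command, so only the ports the quick scan missed get the slower -sC -sV treatment. The two scan excerpts embedded in it are constructed from the output above; the target address and the nmap -sC -sV form are illustrative.

```shell
#!/bin/sh
# Added example (not from the write-up or from nmapAutomator): reproduce the
# "script scan on extra ports" step by hand. The top-1000 quick scan misses
# high ports such as Plex's 32400, so the full -p- scan is diffed against it
# and only the newly found ports get the slower -sC -sV follow-up.

# Constructed sample input: the port tables from the scans above, trimmed.
QUICK_SCAN_OUTPUT='PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http'

FULL_SCAN_OUTPUT='PORT      STATE  SERVICE
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
1747/tcp  open   ftrapid-2
32400/tcp open   plex
32469/tcp open   unknown'

# open_ports: read nmap "normal" output on stdin and print the port numbers
# whose state is exactly "open" (so open|filtered UDP guesses are skipped),
# one per line in numeric order.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { split($1, p, "/"); print p[1] }' \
        | sort -n
}

# extra_ports FULL QUICK: ports open in the full scan that the quick scan did
# not already report, comma-joined so the result can be passed to nmap -p.
# grep -e with a newline-separated pattern list treats each line as a pattern.
extra_ports() {
    quick=$(printf '%s\n' "$2" | open_ports)
    printf '%s\n' "$1" | open_ports \
        | grep -vxF -e "$quick" \
        | paste -s -d ',' -
}

# follow_up_cmd FULL QUICK TARGET: the service/script scan to run next.
# Printed rather than executed so the example runs offline.
follow_up_cmd() {
    printf 'nmap -sC -sV -p %s %s\n' "$(extra_ports "$1" "$2")" "$3"
}

follow_up_cmd "$FULL_SCAN_OUTPUT" "$QUICK_SCAN_OUTPUT" 10.10.10.48
```

Only ports whose state is exactly “open” are taken, which is why the UDP scan’s 980 open|filtered ports never end up in the follow-up list.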

Before we begin, let’s make some quick mental notes.

  • SSH: the vulners hits for OpenSSH 6.7p1 are matched on the version string only and none of them gives an unauthenticated foothold. SSH only becomes useful if we find credentials during enumeration and use them to log in.
  • DNS: enumerate for hostnames such as an admin login page or an internal host. A new name can expose a different virtual host on the same IP and with it a way to an initial foothold.
  • Port 80: enumerate the pages and look for hidden directories that hold sensitive information.
  • NTP: clock synchronisation between systems over variable-latency networks. The listed CVEs are version-based guesses, and NTP is normally a denial-of-service or amplification surface rather than a foothold, so we will not enumerate this service.
  • Ports 1747 and 32469 are the DLNA/UPnP (Platinum UPnP) listeners of Plex Media Server, whose web interface is on port 32400. We will enumerate Plex from the browser.

Service Enumeration

Port 53 (DNS Service)

Run the following command to attempt a zone transfer. Strictly, AXFR takes a zone name rather than an address, so dig axfr mirai.htb @10.10.10.48 is the proper form; either way dnsmasq is a forwarding cache with no zone-transfer support, so this is not expected to succeed.

dig axfr 10.10.10.48 @10.10.10.48

We get back the following results.

root@kali:/htb/Mirai# dig axfr 10.10.10.48 @10.10.10.48

; <<>> DiG 9.16.6-Debian <<>> axfr 10.10.10.48 @10.10.10.48
;; global options: +cmd
;; connection timed out; no servers could be reached

No zone data comes back, so DNS gives us no subdomain information. I tested a few other ways to enumerate the DNS service but they returned nothing useful.

Port 80 (HTTP)

First, map the box’s domain to its IP in the /etc/hosts file.

10.10.10.48 mirai.htb

Visit the page.

Our access has been blocked, and the page itself gives nothing informative. I had already started the Burp proxy in the background, so let’s check the proxy history.

We notice that when we access mirai.htb, the page pulls resources from another hostname, pi.hole, in the background. A name the server references but that does not resolve for us is a likely second virtual host on the same IP, so let’s add this domain to the /etc/hosts file as well.
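The same discovery can be made without a proxy, because the reference to pi.hole has to be in the page source that the browser fetches. The following is an added example (my own, not the author’s code): it pulls absolute URLs out of a page, lists the hostnames they point at, and formats /etc/hosts lines for the target. The HTML inside it is a constructed stand-in for the Pi-hole block page, whose real markup is not shown in this write-up; the curl line in the comment is how it would be used live against the box.

```shell
#!/bin/sh
# Added example (not from the write-up): find the hostnames a web page pulls
# resources from, without a proxy. The same information the author read out
# of Burp's history is in the page source: absolute URLs in href/src/action
# attributes. A name the server references but that does not resolve for us
# is a candidate virtual host on the same IP and belongs in /etc/hosts.

# Constructed sample page. The real Pi-hole block page markup is not shown in
# the write-up; this mimics a "Website Blocked" page that links back to
# pi.hole, which is the behaviour the write-up describes.
SAMPLE_PAGE='<html><head><title>Website Blocked</title>
<link rel="stylesheet" href="http://pi.hole/admin/blockingpage.css">
</head><body>
<p>Access to the following site has been blocked: <a href="http://mirai.htb/">mirai.htb</a></p>
<form action="http://pi.hole/admin/" method="get"><button>Back to safety</button></form>
<script src="http://PI.HOLE/admin/scripts/vendor/jquery.min.js"></script>
</body></html>'

# referenced_hosts [SELF]: read HTML on stdin, print each distinct hostname
# used in an absolute href/src/action URL, lower-cased, without port,
# skipping SELF (the name we requested, which is not news).
referenced_hosts() {
    grep -oiE '(href|src|action)="[a-z][a-z0-9+.-]*://[^/"]+' \
        | sed -E 's#.*://##' \
        | cut -d : -f 1 \
        | tr 'A-Z' 'a-z' \
        | sort -u \
        | grep -vxF -e "${1:-}"
}

# hosts_entries IP [SELF]: turn the discovered names into /etc/hosts lines
# pointing at the target, ready to append (printed, not written).
hosts_entries() {
    referenced_hosts "${2:-}" | awk -v ip="$1" '{ print ip " " $0 }'
}

# Live use against the box would be:
#   curl -s http://mirai.htb/ | hosts_entries 10.10.10.48 mirai.htb | sudo tee -a /etc/hosts
printf '%s\n' "$SAMPLE_PAGE" | hosts_entries 10.10.10.48 mirai.htb
```

The trick only surfaces names in absolute URLs; redirects to another host show up in a Location header instead, so for those check curl -sI as well. Lighttpd here serves different content depending on the Host header, which is exactly why mirai.htb and pi.hole look like two different sites on one IP.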

Browse to pi.hole.

A quick Google search for “Pi-hole” reveals that Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network. That also explains the dnsmasq on port 53 and the lighttpd “Website Blocked” page on port 80. Next, click on Login.

Next, I tried to log in with weak and common credentials, but they did not work. While searching for default credentials for Pi-hole 3.1.4, I found the default Raspberry Pi credentials on the Raspberry Pi site. I tested those too and they did not work on this login page either.

Checking the documentation again, those credentials are for the Raspberry Pi OS login itself, not for the Pi-hole web interface, whose admin password is set at install time. Since SSH is open, let’s try them there: SSH into the target as pi with the password raspberry.

Exploitation/Just Login

The credentials work!

Since we already have a shell on the target, there is no need to enumerate the remaining services. Grab the user.txt flag.

Next, let’s check what the pi user is allowed to run with sudo.

The pi user may run all commands via sudo, so switching to root is effortless. Let’s become root.

Unfortunately, root.txt in /root does not contain the flag; it says the flag is on a USB drive. Let’s check the available drives.

We find one disk, /dev/sdb, mounted on the /media/usbstick directory. Checking that directory turns up a file called damnit.txt whose content says the flag has been deleted.

Deleting a file only removes its directory entry and frees its blocks; the bytes stay on the device until something overwrites them. So we can run the strings command against the raw block device /dev/sdb (the device itself, not the mount point) to recover the deleted content.

We found it! That is the root flag we are looking for. Grab it.

Alternatively, we can grep the raw /dev/sdb device with a simple regular expression. HTB flags are 32-character hexadecimal strings (the length of an MD5 digest), so we match exactly 32 characters from a to f and 0 to 9.

grep -a '[a-fA-F0-9]\{32\}' /dev/sdb
  • -a: equivalent to --binary-files=text, so grep treats the device as text instead of stopping at the first binary line.
  • [a-fA-F0-9]\{32\}: exactly 32 hexadecimal characters.
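To show why both the strings and the grep approach work, and to tighten the pattern so it cannot fire on part of a longer hex run (a SHA-1 or a UUID on the same disk), here is an added example of my own (not the author’s code): it builds a small disk image standing in for /dev/sdb with a “deleted” flag left in its blocks, then carves it with grep -a. The flag and decoy values in it are constructed, and mktemp and /dev/urandom are used only so it runs offline; on the box the argument would be /dev/sdb. On a real engagement you would first image the device with dd and carve the copy rather than read the live device.

```shell
#!/bin/sh
# Added example (not from the write-up): carve a deleted flag out of a raw
# block device. Unlinking a file drops its directory entry and frees its
# blocks, but the bytes stay on the device until they are reused, so reading
# the device itself (not the mount point) still finds them. This builds a
# small image standing in for /dev/sdb and carves it with the same grep idea
# as above, tightened so that longer hex runs (SHA-1s, UUIDs) do not give
# partial false positives.

# Constructed values: a fake 32-hex "flag" and a 40-hex decoy. Neither is the
# real root flag.
SAMPLE_FLAG=deadbeefdeadbeefdeadbeefdeadbeef
DECOY_SHA1=0123456789abcdef0123456789abcdef01234567

# make_sample_image PATH: random filler, the remains of the deleted file, a
# decoy line, more filler. Real devices also hold the live filesystem, which
# is why carving returns candidates rather than one answer.
make_sample_image() {
    {
        head -c 65536 /dev/urandom
        printf '\nleftover from the deleted file:\n%s\n' "$SAMPLE_FLAG"
        printf 'not a flag, too long: %s\n' "$DECOY_SHA1"
        head -c 65536 /dev/urandom
    } > "$1"
}

# carve_hex32 DEVICE: print OFFSET:CANDIDATE for every whole-word run of
# exactly 32 hex digits. -a reads binary as text, -b gives the byte offset so
# a hit can be located with dd later, -w rejects runs longer than 32, LC_ALL=C
# stops a UTF-8 locale from choking on arbitrary bytes.
carve_hex32() {
    LC_ALL=C grep -aobwE '[0-9a-fA-F]{32}' "$1"
}

# candidates DEVICE: just the distinct 32-hex strings, for pasting into the
# flag box (or feeding to strings / grep -n for context).
candidates() {
    carve_hex32 "$1" | cut -d : -f 2 | sort -u
}

# Demo on a temporary image; on the box the argument would be /dev/sdb.
IMG=$(mktemp)
make_sample_image "$IMG"
carve_hex32 "$IMG"
rm -f "$IMG"
```

The -w flag is the difference from the page’s command: without it, the 40-character decoy would also yield a 32-character “match”, and on a disk with git objects or UUIDs that noise adds up quickly.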

After running the command above, we get back the following result.

Attack Strategy Map

I have summarized the entire attack strategy on this map.

Thank you for reading :-) Next box is Bankrobber.


I am a security enthusiast. Learning new things every day for a joy. I love ethical hacking. I am deeply loved by God.

Joshua Surendran
