Hack The Box: Mirai Write-up (#25)

Reconnaissance

./nmapAutomater 10.10.10.48 All
  • All: Runs all the scans consecutively (~20–30 minutes)
Running all scans on 10.10.10.48
Host is likely running Linux
---------------------Starting Nmap Quick Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
---------------------Starting Nmap Basic Scan---------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.92 seconds
----------------------Starting Nmap UDP Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Warning: 10.10.10.48 giving up on port because retransmission cap hit (1).
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0085s latency).
Not shown: 980 open|filtered ports, 18 closed ports
PORT STATE SERVICE
123/udp open ntp
5353/udp open zeroconf
Nmap done: 1 IP address (1 host up) scanned in 12.43 seconds
Making a script scan on UDP ports: 123, 5353
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:17 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0085s latency).
PORT STATE SERVICE VERSION
123/udp open ntp NTP v4 (unsynchronized)
| vulners:
| NTP v4:
| CVE-2015-7871 7.5 https://vulners.com/cve/CVE-2015-7871
| CVE-2015-7853 7.5 https://vulners.com/cve/CVE-2015-7853
| CVE-2015-7705 7.5 https://vulners.com/cve/CVE-2015-7705
| CVE-2014-9295 7.5 https://vulners.com/cve/CVE-2014-9295
| CVE-2014-9294 7.5 https://vulners.com/cve/CVE-2014-9294
| CVE-2014-9293 7.5 https://vulners.com/cve/CVE-2014-9293
| CVE-2016-9311 7.1 https://vulners.com/cve/CVE-2016-9311
|_ CVE-2016-2516 7.1 https://vulners.com/cve/CVE-2016-2516
5353/udp open mdns DNS-based service discovery
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.82 seconds
---------------------Starting Nmap Full Scan----------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:18 +08
Initiating SYN Stealth Scan at 01:18
Scanning mirai.htb (10.10.10.48) [65535 ports]
Discovered open port 22/tcp on 10.10.10.48
Discovered open port 53/tcp on 10.10.10.48
Discovered open port 80/tcp on 10.10.10.48
Discovered open port 1747/tcp on 10.10.10.48
SYN Stealth Scan Timing: About 23.05% done; ETC: 01:20 (0:01:44 remaining)
SYN Stealth Scan Timing: About 45.94% done; ETC: 01:20 (0:01:12 remaining)
Discovered open port 32400/tcp on 10.10.10.48
SYN Stealth Scan Timing: About 68.82% done; ETC: 01:20 (0:00:41 remaining)
Discovered open port 32469/tcp on 10.10.10.48
Completed SYN Stealth Scan at 01:20, 131.09s elapsed (65535 total ports)
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0076s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1747/tcp open ftrapid-2
32400/tcp open plex
32469/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 131.17 seconds
Raw packets sent: 65544 (2.884MB) | Rcvd: 65538 (2.622MB)
Making a script scan on extra ports: 1747, 32400, 32469
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:20 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.012s latency).
PORT STATE SERVICE VERSION
1747/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.77 seconds
---------------------Starting Nmap Vulns Scan---------------------
Running CVE scan on all ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-27 01:20 +08
Nmap scan report for mirai.htb (10.10.10.48)
Host is up (0.0083s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:6.7p1:
| CVE-2008-3844 9.3 https://vulners.com/cve/CVE-2008-3844
|_ CVE-2015-5600 8.5 https://vulners.com/cve/CVE-2015-5600
53/tcp open domain dnsmasq 2.76
| vulners:
| cpe:/a:thekelleys:dnsmasq:2.76:
| CVE-2017-14496 7.8 https://vulners.com/cve/CVE-2017-14496
| CVE-2017-14493 7.5 https://vulners.com/cve/CVE-2017-14493
| CVE-2017-14492 7.5 https://vulners.com/cve/CVE-2017-14492
|_ CVE-2017-14491 7.5 https://vulners.com/cve/CVE-2017-14491
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
| vulners:
| lighttpd 1.4.35:
|_ CVE-2019-11072 7.5 https://vulners.com/cve/CVE-2019-11072
1747/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.28 seconds
  • Port 22: running an SSH service, OpenSSH 6.7p1 Debian 5+deb8u3.
  • Port 53: running a DNS service, dnsmasq 2.76.
  • Port 80: running an HTTP service, lighttpd 1.4.35.
  • Port 1747: running UPnP, Platinum UPnP 1.0.5.13.
  • Port 32400: running an HTTP service, Plex Media Server.
  • Port 32469: running UPnP, Platinum UPnP 1.0.5.13.
  • Port 123: running an NTP service.
  • Port 5353: running zeroconf (mDNS).
  • The SSH service has no known exploit that gives us an initial foothold, unless we find credentials during the enumeration phase and use them to log in.
  • For the DNS service, we'll enumerate to find subdomains such as an admin login page or an internal host. If we find any, they may offer a way to an initial foothold.
  • On port 80, we enumerate the pages and look for hidden directories that may hold sensitive information.
  • NTP provides clock synchronization between computer systems over packet-switched, variable-latency data networks. Its known issues are mostly related to DoS attacks, so we'll not enumerate this service.
  • Ports 1747 and 32469 are components of the Plex Media Server that is running on port 32400. We'll enumerate the Plex service from the browser.
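The port-by-port summary above is exactly what a practitioner types out by hand after every scan. As an added example (not part of the original write-up, and not output of nmapAutomator), the script below parses nmap normal-output service lines into records and groups ports by product fingerprint, which is how the observation that 1747 and 32469 are the same UPnP component falls out automatically. The sample text is a constructed excerpt assembled from the scan lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: service lines copied from the nmap -sV output above,
# with the script output (|, |_ lines) that a parser must skip.
SAMPLE_NMAP_OUTPUT = """\
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
1747/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
123/udp   open  ntp     NTP v4 (unsynchronized)
5353/udp  open  mdns    DNS-based service discovery
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One nmap port line: "<port>/<proto> <state> <service> [<version ...>]".
# The state may be compound, e.g. "open|filtered", hence \S+.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_services(text):
    """Return a list of dicts (port, proto, state, service, version) for every
    port line in nmap normal output; header, script and summary lines are ignored."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.rstrip())
        if not m:
            continue
        entry = m.groupdict()
        entry["port"] = int(entry["port"])
        entry["version"] = entry["version"].strip()
        services.append(entry)
    return services


def summarize(services):
    """Render the hand-written bullet style from the write-up, one line per port."""
    lines = []
    for s in services:
        detail = f"{s['service']}" + (f", {s['version']}" if s["version"] else "")
        lines.append(f"Port {s['port']}/{s['proto']}: {detail}")
    return lines


def group_by_product(services):
    """Map each version/product string to the ports advertising it, so ports that
    belong to one application (here the two Platinum UPnP listeners) stand out."""
    groups = defaultdict(list)
    for s in services:
        if s["version"]:
            groups[s["version"]].append(s["port"])
    return dict(groups)


if __name__ == "__main__":
    svc = parse_nmap_services(SAMPLE_NMAP_OUTPUT)
    for line in summarize(svc):
        print(line)
    for product, ports in group_by_product(svc).items():
        if len(ports) > 1:
            print(f"shared product {product!r} on ports {ports}")
```

Feed it the normal output of any `nmap -sV` run (`nmap -sV -oN scan.txt ...`, then `parse_nmap_services(open("scan.txt").read())`); the grouping step is the same check a defender runs against an asset inventory to spot services exposed on more ports than expected.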

Service Enumeration

Port 53 (DNS Service)

dig axfr 10.10.10.48 @10.10.10.48

root@kali:/htb/Mirai# dig axfr 10.10.10.48 @10.10.10.48

; <<>> DiG 9.16.6-Debian <<>> axfr 10.10.10.48 @10.10.10.48
;; global options: +cmd
;; connection timed out; no servers could be reached

Port 80 (HTTP)

mirai.htb

Exploitation/Just Login

grep -a '[a-fA-F0-9]\{32\}' /dev/sdb
  • -a: equivalent to --binary-files=text, so grep treats the raw device as text instead of reporting "Binary file matches".
  • [a-fA-F0-9]\{32\}: a run of exactly 32 hexadecimal characters (0-9, a-f, A-F).

Attack Strategy Map

Joshua Surendran