HackTheBox - Mirai

Morten Hansen • January 30, 2022

Mirai

IP 10.10.10.48

HOST

gobuster vhost -u 10.10.10.48 -w /usr/share/wordlists/dirb/big.txt -t 100

Found: Documents and Settings.10.10.10.48 (Status: 200) [Size: 4341]
Found: Program Files.10.10.10.48 (Status: 200) [Size: 4335]
Found: cgi-bin/.10.10.10.48 (Status: 200) [Size: 4335]
Found: contact us.10.10.10.48 (Status: 200) [Size: 4335]
Found: donate cash.10.10.10.48 (Status: 200) [Size: 4332]
Found: external files.10.10.10.48 (Status: 200) [Size: 4338]
Found: home page.10.10.10.48 (Status: 200) [Size: 4326]
Found: modern mom.10.10.10.48 (Status: 200) [Size: 4332]
Found: my project.10.10.10.48 (Status: 200) [Size: 4320]
Found: neuf giga photo.10.10.10.48 (Status: 200) [Size: 4326]
Found: planned giving.10.10.10.48 (Status: 200) [Size: 4335]
Found: press releases.10.10.10.48 (Status: 200) [Size: 4329]
Found: privacy policy.10.10.10.48 (Status: 200) [Size: 4335]
Found: reports list.10.10.10.48 (Status: 200) [Size: 4335]
Found: site map.10.10.10.48 (Status: 200) [Size: 4326]
Found: style library.10.10.10.48 (Status: 200) [Size: 4329]
Found: web references.10.10.10.48 (Status: 200) [Size: 4323]

NMAP

nmap -sC -sV 10.10.10.48 | tee NMAP/log
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35

BROWSER

gobuster dir -u 10.10.10.48 -w /usr/share/wordlists/dirb/big.txt -t 100 | tee nmap 
#results
/admin                (Status: 301) [Size: 0] [--> http://10.10.10.48/admin/]
/versions             (Status: 200) [Size: 18]

When accessing http://10.10.10.48/versions we get a file called versions to download. The file contains ,v3.1.4,v3.1,v2.10. By googling the versions together with lighttpd we find an exploit for Pi-hole versions below 3.1.5. This seems promising!

Looking at Pi-hole on GitHub we see that it is a DNS-blocking service. This explains why we get nothing useful when browsing to http://10.10.10.48 and why the gobuster vhost scan returns a hit for every name it tries. GitHub says the Pi-hole API is reachable at /admin/api.php, and that works on our target. We also see that /admin gives us the Pi-hole dashboard.

By googling Pi-hole we find that the default user for a Pi-hole install is pi with the password raspberry. We run ssh pi@10.10.10.48 and get a shell as pi.

We enumerate /etc/passwd and find that the users on the server are:

root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
plex:x:112:120::/var/lib/plexmediaserver:/bin/bash

Running sudo -l we see that pi has sudo rights. We type sudo /bin/bash and get a root shell. Reading /root/root.txt we find a message saying the flag is on a USB stick.
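The escalation above hinges on a single sudoers rule that lets pi run anything. As an added example, not code from the writeup, here is a small Python audit that parses a sudoers file and flags every principal allowed to run any command, rating passwordless rules highest. SAMPLE_SUDOERS is a constructed file (its pi line reproduces the stock Raspbian NOPASSWD rule), and parse_sudoers and audit_sudoers are names chosen for this example.

```python
import re
from typing import Dict, List

# Constructed sample of an /etc/sudoers file (not taken from the box). The "pi"
# line mirrors the stock Raspbian rule that gives the default user passwordless root.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
plex    ALL=(root) /usr/bin/systemctl restart plexmediaserver
"""

# user or %group, host list, optional "(runas)" part, then the tagged command list
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Dict[str, str]]:
    """Return the user specifications of a sudoers file as dicts.
    Comments, Defaults and alias definitions are skipped; includes are not followed."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        match = SPEC_RE.match(line)
        if match:
            rules.append(match.groupdict())
    return rules


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Flag rules that let a non-root principal run ANY command.
    CRITICAL when no password is required, HIGH otherwise."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue
        for cmd in rule["cmds"].split(","):
            cmd = cmd.strip()
            tags = [t.strip() for t in cmd.split(":")[:-1]]  # e.g. NOPASSWD, SETENV
            target = cmd.split(":")[-1].strip()
            if target != "ALL":
                continue
            nopasswd = "NOPASSWD" in tags
            findings.append({
                "who": rule["who"],
                "runas": rule["runas"] or "root",
                "nopasswd": nopasswd,
                "level": "CRITICAL" if nopasswd else "HIGH",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        suffix = " without a password" if f["nopasswd"] else ""
        print(f"{f['level']}: {f['who']} can run any command as ({f['runas']}){suffix}")
```

On a real host, feed it the concatenation of /etc/sudoers and everything under /etc/sudoers.d/, since the parser does not follow #include or #includedir lines; the Raspbian rule in question normally lives in /etc/sudoers.d/010_pi-nopasswd.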

We go to /media and find a file called damnit.txt:

Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

We list the mounted devices with /proc/self/mounts and see that the USB stick is the device /dev/sdb. We then run debugfs -w /dev/sdb and get into the debugger. We list the available commands with lr. When we type dump_unused we get the message:

Unused block 8234 contains non-zero data:
3d3e483143ff12ec505d026fa13e020b

This looks like our flag and is accepted. We could also have read the raw device directly with cat /dev/sdb and found the flag that way.
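The recovery works because deleting a file only clears its blocks in the filesystem's allocation bitmap; the bytes stay on the device until something overwrites them, and dump_unused simply walks the bitmap looking for free blocks that still hold data. The Python below, added here and not part of the original writeup, models that check on a small constructed image and shows the remediation side: zero-filling free blocks (what zerofree does on ext filesystems) removes the residue while leaving live data intact. BLOCK_SIZE, build_sample_image, unlink_block, find_unused_nonzero and zero_unused are all names of this example, not debugfs commands. One practical note on the step itself: debugfs -w opens the device writable; when the goal is to preserve evidence, omitting -w opens it read-only.

```python
from typing import List, Tuple

BLOCK_SIZE = 16  # toy block size for the constructed image; ext2/3/4 use 1-4 KiB


def build_sample_image() -> Tuple[bytes, List[bool]]:
    """Constructed 8-block image plus its allocation bitmap (not the box's disk).
    Block 2 holds a live file; block 5 holds a file we will delete shortly."""
    blocks = [b"\x00" * BLOCK_SIZE for _ in range(8)]
    blocks[2] = b"live file data".ljust(BLOCK_SIZE, b"\x00")
    blocks[5] = b"deleted-secret-0"  # exactly 16 bytes, fills the block
    in_use = [False] * 8
    in_use[2] = True
    in_use[5] = True
    return b"".join(blocks), in_use


def unlink_block(in_use: List[bool], blk: int) -> None:
    """Model of what deleting a file does to the bitmap: the block is marked free,
    but nothing overwrites its contents."""
    in_use[blk] = False


def find_unused_nonzero(image: bytes, in_use: List[bool]) -> List[Tuple[int, bytes]]:
    """The check debugfs's dump_unused performs: report every block the bitmap
    marks free that still contains non-zero bytes (trailing zero padding stripped)."""
    hits = []
    for blk, used in enumerate(in_use):
        data = image[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE]
        if not used and any(data):
            hits.append((blk, data.rstrip(b"\x00")))
    return hits


def zero_unused(image: bytes, in_use: List[bool]) -> bytes:
    """Remediation: overwrite every free block with zeros and leave live blocks alone."""
    out = bytearray(image)
    for blk, used in enumerate(in_use):
        if not used:
            out[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
    return bytes(out)


if __name__ == "__main__":
    image, bitmap = build_sample_image()
    unlink_block(bitmap, 5)
    for blk, data in find_unused_nonzero(image, bitmap):
        print(f"Unused block {blk} contains non-zero data:\n{data.hex()}")
    # after wiping, the scan comes back empty
    print(find_unused_nonzero(zero_unused(image, bitmap), bitmap))
```

The same idea scales to a real device: a bitmap walk over free blocks is cheap, and finding non-zero free blocks on a stick that was supposed to be cleaned is the signal that the data was unlinked rather than wiped.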