Hack The Box Mirai Write-Up (Without Metasploit)

rarpunzel
4 min read, Sep 29, 2021

1. Executive Summary

The machine uses default credentials, specifically for its SSH service. This lets an attacker get a shell very easily, and there is no restriction on user permissions, so a logged-in user can become root.

2. Description

2.1 Enumeration

According to the nmap scan result, the given address (10.10.10.48) has three open ports.

First I tried to enumerate port 80 by opening it in my browser. The page is empty, even after inspecting the elements.

Since we have no clue about the website, I decided to use gobuster to see whether there are any hidden directories under port 80. Below is the usual command I use for directory listing.

gobuster dir -u http://10.10.10.48 -w /root/Documents/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 --timeout 100s -k --no-error

I forgot to screenshot the result, but based on my notes there are two hidden directories: /admin and /versions.

The /admin directory contains a dashboard named Pi-hole. According to that page, Pi-hole is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software. I also found this interesting article.

I went back to the Pi-hole dashboard and found that the Login menu actually asks only for a password. I looked for the default password of Pi-hole; according to this website, Pi-hole itself has no default password, but when it runs on a Raspberry Pi, the default username is “pi” and the password is “raspberry”.

2.2 Exploitation

Suddenly I remembered that there is an SSH service on the Mirai machine. So, using the default credentials of the Raspberry Pi, I logged in over SSH.

Logged in as pi, I managed to locate the user flag, which actually exists under two directories: /home/pi/Desktop and /lib/live/mount/persistence/sda2/home/pi/Desktop.

Both files return the same value. So our last job is to locate the root flag. I began by checking the permissions for “pi” using the sudo -l command.

According to the picture above, the Mirai machine does not restrict its user permissions, which allows “pi” to run sudo without entering any password. In other words, I can switch from “pi” to “root” very easily.
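The output of sudo -l above is the symptom; the cause is a sudoers grant carrying the NOPASSWD tag on an unrestricted command list. As an added example (not part of the original write-up or the machine's files), the script below parses a constructed sudoers excerpt, flags every NOPASSWD grant, rates an unrestricted root grant as critical, and prints the corrected rule that keeps the same user and runas target but requires a password. The excerpt, the rule names and the rating labels are all assumptions made for illustration.

```python
import re

# Constructed sudoers excerpt (not taken from the machine). The "pi" line is
# the kind of unrestricted, password-less grant this write-up found with
# `sudo -l`; the "backup" line is a narrow NOPASSWD rule for comparison.
SAMPLE_SUDOERS = """\
# /etc/sudoers excerpt (constructed example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%sudo   ALL=(ALL:ALL) ALL
"""

# Shape of a user specification: user host_list = (runas_list) [TAG: ...] command_list
GRANT_RE = re.compile(
    r"^(?P<user>\S+)\s+"
    r"(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<commands>.+)$"
)


def find_nopasswd_grants(sudoers_text):
    """Return (user, runas, commands) for every grant carrying the NOPASSWD tag."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = GRANT_RE.match(line)
        if m and "NOPASSWD:" in m.group("tags"):
            runas = m.group("runas") or "root"       # sudo's default runas user
            findings.append((m.group("user"), runas, m.group("commands").strip()))
    return findings


def classify(user, runas, commands):
    """Rate a NOPASSWD grant. Unrestricted commands as root (or ALL) with no
    password means any session as that user, including one opened with a
    default credential, is effectively already root."""
    runas_user = runas.split(":")[0].strip()
    if commands == "ALL" and runas_user in ("ALL", "root"):
        return "critical"
    return "review"


def hardened_rule(user, runas):
    """Corrected form of a critical grant: same user and runas, password required."""
    return f"{user}\tALL=({runas}) ALL"


if __name__ == "__main__":
    for user, runas, cmds in find_nopasswd_grants(SAMPLE_SUDOERS):
        level = classify(user, runas, cmds)
        print(f"{level:8} {user} may run {cmds!r} as {runas} without a password")
        if level == "critical":
            print("         replace with:", hardened_rule(user, runas))
```

Run it on the contents of /etc/sudoers and any drop-ins under /etc/sudoers.d to get a quick inventory; edit only through visudo so a syntax slip cannot lock sudo out entirely.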

Using “sudo -su”, I obtained the “root” user. However, the root flag we were expecting actually returns a non-flag string.

So I checked “mount” and discovered that a “usbstick” actually exists.

I went to the usbstick directory, which is /media/usbstick, and discovered two files inside it: “damnit.txt” and “lost+found”.

The “damnit.txt” file contains this very interesting note:

Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back?

-James

So I tried to read the storage device /dev/sdb using the command “cat /dev/sdb”. The output was messy and full of strange unreadable characters, but I found a “root” candidate, as seen in the screenshot.

I submitted this possible root flag on Hack The Box, and thankfully it is the root flag.
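Reading the raw device worked because deleting a file normally removes only its directory entry; the data blocks stay on disk until something overwrites them. The following is an added example (not code from the write-up or from any real filesystem driver) that models this with a toy one-block-per-file image: `unlink` behaves like rm and touches only the directory, `carve_strings` does what strings(1) or cat /dev/sdb does and finds the content anyway, and `wipe_and_unlink` shows the mitigation of overwriting the blocks before removing the entry. The block layout, file names and file contents are constructed for the illustration; the placeholder string stands in for any sensitive content and is not a flag from the machine.

```python
import string

BLOCK = 512
FILLER = b"\xff\x00"          # unused space in the toy image: never printable ASCII
PRINTABLE = frozenset(bytes(string.ascii_letters + string.digits
                            + string.punctuation + " ", "ascii"))


def _pad(data):
    """Pad data to one BLOCK with FILLER (one NUL if an odd byte is left)."""
    if len(data) > BLOCK:
        raise ValueError("toy model: one block per file")
    rest = BLOCK - len(data)
    return data + FILLER * (rest // 2) + b"\x00" * (rest % 2)


def make_image(files):
    """Toy disk image: block 0 is a directory of 'name:block' lines, and each
    file occupies one data block. Constructed model, not a real filesystem."""
    names = list(files)
    dir_block = "".join(f"{n}:{i + 1}\n" for i, n in enumerate(names)).encode()
    image = bytearray(_pad(dir_block))
    for n in names:
        image += _pad(files[n])
    return image


def list_files(image):
    """Parse the directory block: what ls would show."""
    entries = {}
    for line in bytes(image[:BLOCK]).split(b"\n"):
        if b":" in line:
            name, blk = line.decode("ascii", "replace").split(":", 1)
            entries[name] = int(blk)
    return entries


def unlink(image, name):
    """Model of rm: drop the directory entry and leave the data block alone."""
    entries = list_files(image)
    del entries[name]
    dir_block = "".join(f"{n}:{b}\n" for n, b in entries.items()).encode()
    image[:BLOCK] = _pad(dir_block)


def wipe_and_unlink(image, name):
    """Mitigation: overwrite the data block first (what shred does), then unlink."""
    blk = list_files(image)[name]
    image[blk * BLOCK:(blk + 1) * BLOCK] = b"\x00" * BLOCK
    unlink(image, name)


def carve_strings(image, min_len=8):
    """strings(1)-style scan of the raw bytes: every run of printable ASCII of
    at least min_len bytes, whether or not a directory entry still points at it."""
    found, run = [], bytearray()
    for b in image:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    img = make_image({
        "damnit.txt": b"Sorry man I accidentally deleted your files off the USB stick.",
        "secret.txt": b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-FLAG",
    })
    unlink(img, "secret.txt")
    print(list_files(img))      # secret.txt no longer appears in the listing
    print(carve_strings(img))   # ...but its bytes are still on the device
```

On a real disk the same recoverability applies to anything a user deleted without overwriting, which is why sensitive material on removable media should be wiped (or the medium encrypted) rather than just unlinked.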

3. References
