Mirai

Personal Rating: Easy

Enumeration

sudo nmap -sV -sC -p- <IP>

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp    open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp    open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
1615/tcp  open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
|_http-favicon: Plex
|_http-title: Unauthorized
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
32469/tcp open  upnp    Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)

The site at port 80 is empty.

dix axfr 10.10.10.48 @10.10.10.48 did not work.

http://10.10.10.48:32400/web/index.html This shows a PLEX login page.

Running a webbrute: feroxbuster -u http://10.10.10.48:32400/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -S 101

/identity was found;

<MediaContainer size="0" machineIdentifier="5c27a36a5b4f7104cb9be08579964da1c5de5949" version="1.7.5.4035-313f93718"> </MediaContainer>

This might be worth giving it a shot: https://www.exploit-db.com/exploits/24455

Well, it did not work. I installed upnpc to try to interact with the upnp server. For port 1615 this did not work either. Investigating the response when accessing Port 80, we see an interesting header:

Running a dirbrute on Port 80:

/versions with info ,v3.1.4,v3.1,v2.10 This can also be seen on the admin interface:

Pi-hole Version v3.1.4 Web Interface Version v3.1 FTL Version v2.10

http://10.10.10.48/admin/ With the PIHole admin interface

According to searchsploit there are authenticated RCEs for this version of pi-hole

Default Credentials

Since we have ssh access, lets try pi:raspberry to authenticate to the website.

Since we know that it is a PiHole, I tried pi:raspberry which also worked for ssh login. sudo su worked to get root access.

USB Drive Data Recovery

root@raspberrypi:/home/pi/Desktop# cat /root/root.txt

I lost my original root.txt! I think I may have a backup on my USB stick...

root@raspberrypi:/home/pi/Desktop# cat /etc/fstab

# UNCONFIGURED FSTAB FOR BASE SYSTEM
aufs / aufs rw 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0
/dev/sdb /media/usbstick ext4 ro,suid,dev,noexec,auto,user,async 0 0

root@raspberrypi:/media/usbstick# cat damnit.txt

Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

The .local/share/Trash of “pi” was empty

I ran fsck on the drive, but that did not return the file.

I checked the guided mode and got the tip I needed: You can run “strings /dev/sdb” to read the flag since it is still present in the memory of the stick. It is just not accessible by the filesystem regularly anymore.