Mirai is by far one of the simplest machines ever hosted on HTB. But it’s also a very good learning machine for those just starting out in the penetration testing world, like myself! Before we get into the box itself, let’s take a look at some of the obvious hints the box gives.

Mirai Botnet Overview:

Unless you have been living under a rock, you’ve heard of the Mirai botnet. If you haven’t heard of it, cool: Read This. This is the botnet that took down the huge DNS service provider, Dyn DNS. It took advantage of default credentials on Internet of Things (IoT) devices such as IP cameras, routers, thermostats, and Raspberry Pis. The botnet program essentially went around the internet, brute forced or used dictionary attacks against machines it found, and if it got in, infected the machine and reported back to a C2 (Command and Control) server. This is a very high-level overview; it’s actually a bit more complex than that.

Scanning:

Just like every other scan, we start with Nmap.

  • -sC: default scripts
  • -sV: service version detection
  • -oA: output all formats (HTML, XML, GNMAP)

After the scan, the following ports are open:

  • 22 – OpenSSH 6.7p1
  • 53 – (TCP) DNS
  • 80 – HTTP

Web Server:

I’m going to just briefly go over the web server, since it is not the true exploit or the vulnerability that will be exploited. I used Dirb and DirBuster to enumerate all of the possible directories and came upon http://10.10.10.48/admin/index.php. This is actually running an instance of Pi-hole, a network-wide ad blocking mechanism that can be deployed on a Raspberry Pi. I actually run one of these on my home network. It’s an awesome and cheap way to block shit on the home network. I did attempt to log in and exploit it for fun, but to no avail.

BUT! We now know the system is most likely a Raspberry Pi!

SSH:

As mentioned above, the Mirai botnet took advantage of default usernames and passwords. We also know that the system is a Raspberry Pi. The default credentials for the Raspbian Linux distribution are pi / raspberry. So, let’s attempt to log in with those credentials.

We easily get a shell! The next thing I personally always do is check the sudo rights of the current user. That is, I need to verify what sudo rights I have, if any, as the user I am logged in as. That can be done with the command sudo -l.

Welp, this is easy. Looks like we have full sudo rights, so let’s escalate to root with sudo su.

And, we’re root.
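The login-then-sudo su sequence above is exactly what a defender would want to catch on a Raspberry Pi: a password login to a vendor default account (pi, admin, root) followed within minutes by sudo to a root shell. This is an added detection example, not part of the original write-up; the auth.log lines, the account list and the five-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not from the box), modelled on the
# pi / raspberry password login followed by `sudo su` described above.
SAMPLE_AUTH_LOG = """\
Aug  3 10:02:11 raspberrypi sshd[1201]: Accepted publickey for deploy from 10.10.14.5 port 50110 ssh2
Aug  3 10:15:41 raspberrypi sshd[1337]: Accepted password for pi from 10.10.14.2 port 51522 ssh2
Aug  3 10:15:41 raspberrypi sshd[1337]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Aug  3 10:16:03 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/su
Aug  3 11:40:09 raspberrypi sshd[1402]: Accepted password for pi from 127.0.0.1 port 40012 ssh2
Aug  3 13:05:55 raspberrypi sudo:       pi : TTY=pts/1 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/apt update
"""

DEFAULT_ACCOUNTS = {"pi", "admin", "root"}   # vendor default accounts worth watching (assumed list)
WINDOW = timedelta(minutes=5)                 # assumed correlation window

LOGIN_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")

def _ts(stamp, year=2024):
    # syslog timestamps carry no year, so one is assumed for the sample data
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_default_account_takeovers(log_text):
    """Return (user, source_ip, command) for every password login to a default
    account that is followed within WINDOW by a sudo to a root shell."""
    logins, findings = [], []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group(2) in DEFAULT_ACCOUNTS:
            logins.append((_ts(m.group(1)), m.group(2), m.group(3)))
            continue
        m = SUDO_RE.match(line)
        # only root shells count (sudo su, sudo bash, ...), not routine admin commands
        if not m or not m.group(3).endswith(("/su", "/bash", "/sh")):
            continue
        t, user, cmd = _ts(m.group(1)), m.group(2), m.group(3)
        for login_time, login_user, src_ip in logins:
            if login_user == user and timedelta(0) <= t - login_time <= WINDOW:
                findings.append((user, src_ip, cmd))
                break
    return findings

if __name__ == "__main__":
    for user, src_ip, cmd in find_default_account_takeovers(SAMPLE_AUTH_LOG):
        print(f"ALERT: default account {user} logged in by password from {src_ip}, then ran {cmd}")
```

The same check is cheap to run over a real auth.log, and the fix on the host is the one the box illustrates by omission: change or lock the pi account's default password and drop the unrestricted sudo entry.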


This is a very easy box, but it teaches two important lessons:

  1. Names of the boxes in HTB can be a significant hint. This may very well apply in the real world too, considering organizations’ system naming conventions are often very literal!
  2. Enumerating everything is a must. We would not have known this was a Raspberry Pi right off the bat. When we enumerated the web server and saw that Pi-hole was running, well, that gave it away. So, instead of throwing a username and password dictionary at SSH, we just tried one username/password pair and were logged in.