Again, we start with nmap -sC -sV -oA ./mirai 10.10.10.48 (default scripts, version detection, output in all formats).
SSH, DNS, and HTTP. Judging from the name Mirai, we can guess that this is an IoT device, since the Mirai botnet
specifically targeted IoT devices. Let's start with the HTTP service. Simply navigate to it while GoBuster does its thing. Unfortunately, the web page is a bust. Totally blank. Not even a default page. GoBuster found some interesting things though.
Let's try navigating to these folders. /versions is just a file that contains ",v3.1.4,v3.1,v2.10". /admin on the other
hand paid off quite nicely: it is the Pi-hole web admin interface.
Yep! Right in the Pi-hole.....
So, one of the characteristics of the Mirai botnet is that it spread by logging into IoT devices whose default credentials had never been changed.
With that in mind, a quick Google search finds this site https://discourse.pi-hole.net/t/password-for-pre-configured-pi-hole/13629/3
So, let's try SSH with pi:raspberry. Success! Small segue.... even the login banner says to change the default password.
Let's check the user information (id, groups) before we worry about LinEnum.
Sweet Georgia with a fiddle! [Burn Notice reference in case anyone else caught that XD]. The user pi is in the sudo group. Let's see what they can do with sudo -l.
So, the user can run anything with sudo AND it doesn't require a password (NOPASSWD). Go ahead and sudo su straight to root. Here's the "gotcha" moment. User flag? Plain and simple. Root flag has a bit of a breadcrumb trail. If we cat the usual location we get:
So, we check mount and discover the USB stick is mounted at /media/usbstick. Inside it, we find a message from James.
That could put a monkey wrench into the works. Looking at lost+found doesn't provide anything useful. Let's try
strings on /dev/sdb, the block device that /media/usbstick is mounted from. Success again! We have the root flag now.
Why this works: deleting a file only removes its directory entry and frees its inode; the data blocks stay on the device
until something overwrites them, so reading the raw device (which needs root, and we already are root) still turns up the text.
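As an added example, not from the original write-up, here are shell helpers that do the same three checks as the last steps above (sudo -l for NOPASSWD, mount to find the device behind /media/usbstick, and carving strings off the raw device) against constructed sample output, so they run anywhere without a real disk. The sudo -l and mount text, the image contents, the filename note.txt and the 32-hex-character flag format are all assumptions made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up. Post-shell triage helpers that
# mirror the last steps on the box: confirm passwordless sudo from `sudo -l`
# output, map a mount point to its backing device from `mount` output, and
# carve printable remnants out of a raw device the way `strings /dev/sdb` did.
# All inputs below are constructed samples; nothing touches a real device.

# Constructed `sudo -l` output for the pi user (layout follows sudo's real format).
SAMPLE_SUDO_L='Matching Defaults entries for pi on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User pi may run the following commands on this host:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL'

# Constructed `mount` output; only the usbstick line matters for the demo.
SAMPLE_MOUNT='/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/sdb on /media/usbstick type ext4 (rw,nosuid,nodev,noexec,relatime)'

# Print "yes" if `sudo -l` output on stdin grants NOPASSWD on ALL commands, else "no".
sudo_nopasswd_all() {
    if grep -qE '^[[:space:]]*\(.*\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# Print the device backing a mount point, reading `mount` output from stdin.
# `mount` lines look like "/dev/sdb on /media/usbstick type ext4 (...)".
device_for_mountpoint() {
    awk -v mp="$1" '$2 == "on" && $3 == mp { print $1; exit }'
}

# Build a constructed raw "device" image: zero padding around the bytes of a
# file that was unlinked but whose data blocks were never overwritten.
make_sample_image() {
    local img="$1"
    {
        head -c 1024 /dev/zero
        printf 'note.txt'                 # stale directory entry (constructed)
        head -c 64 /dev/zero
        printf 'Root flag lives here: 0123456789abcdef0123456789abcdef\n'   # constructed flag
        head -c 1024 /dev/zero
    } > "$img"
}

# Emit printable runs of at least $2 (default 4) characters from a raw device or image.
# Uses strings(1) when present; the tr/grep fallback gives the same result for ASCII data.
carve_strings() {
    local dev="$1" minlen="${2:-4}"
    if command -v strings >/dev/null 2>&1; then
        strings -n "$minlen" "$dev"
    else
        tr -c '[:print:]' '\n' < "$dev" | grep -E "^.{$minlen,}$"
    fi
}

# Pull HTB-style flag candidates (32 lowercase hex chars, an assumption about the
# flag format) out of everything carved from the device.
find_flag_candidates() {
    carve_strings "$1" 8 | grep -oE '[0-9a-f]{32}' | sort -u
}

# Stand-alone run: the same three questions asked on the box, answered from the samples.
main() {
    printf 'NOPASSWD ALL via sudo: %s\n' "$(printf '%s\n' "$SAMPLE_SUDO_L" | sudo_nopasswd_all)"
    dev="$(printf '%s\n' "$SAMPLE_MOUNT" | device_for_mountpoint /media/usbstick)"
    printf '/media/usbstick is backed by: %s\n' "$dev"
    img="$(mktemp)"
    make_sample_image "$img"
    printf 'flag candidates carved from %s (standing in for %s):\n' "$img" "$dev"
    find_flag_candidates "$img"
    rm -f "$img"
}

main "$@"
```

On the box itself you would feed real output instead of the samples: sudo -l | sudo_nopasswd_all, mount | device_for_mountpoint /media/usbstick, and find_flag_candidates /dev/sdb once you are root. Reading /dev/sdb directly needs root (or membership in the disk group), which is why the sudo step had to come first; and because unlink only drops the directory entry and inode, the data blocks stay readable on the raw device until the filesystem reuses them, which is exactly what strings found.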