Another retire box from HTB. Let have a look ..
I start as usual with nmap enumeration.
nmap -sC -sV -oA nmap/initial 10.10.10.48
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 16:37 EST
Nmap scan report for 10.10.10.48
Host is up (0.15s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.27 seconds
I also run full port scan..
nmap -p - -oA nmap/allports 10.10.10.48
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-28 16:38 EST
Stats: 0:14:43 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 79.21% done; ETC: 16:56 (0:03:52 remaining)
Nmap scan report for 10.10.10.48
Host is up (0.15s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1193/tcp open fiveacross
32400/tcp open plex
32469/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 1080.92 seconds
I have few ports to look into it.
- port 22 is SSH
- port 53 is DNS
- port 80 for HTTP
- port 1193 fiveacross? which i have no idea what it is
- port 32400 plex which is media server to share content
- port 3246 is unknown
I look into website but did not just blank screen
I run content discovery agains this website
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 25 -o gobuster -u http://10.10.10.48
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.48
[+] Threads: 25
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2021/02/28 16:44:21 Starting gobuster
===============================================================
/admin (Status: 301)
/versions (Status: 200)
===============================================================
2021/02/28 16:53:13 Finished
===============================================================
/admin look really interesting. Lets look into this.
THis is older version of Pi-hole. I start looking for some exploits on internet but most of them require passwords or be authenticated. Pi-hole is dns backlist application to filter unwanted traffic. It was created to be used on raspberry-pi devices. As default this devices come with default credentials (pi:raspberry).
ssh pi@10.10.10.48
The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established.
ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts.
pi@10.10.10.48's password:
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Last login: Sun Aug 27 14:47:50 2017 from localhost
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
pi@raspberrypi:~
I was in. Run sudo -l to see if i can run any program as root
pi@raspberrypi:/home $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
I can quicklu run sudo su and become root. When i look into root folder flag was not there
root@raspberrypi:~# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
So flag is somewhere is USB stick. Lets see if any partition is mounted
root@raspberrypi:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
aufs 8856504 2837056 5546516 34% /
tmpfs 102396 4868 97528 5% /run
/dev/sda1 1354528 1354528 0 100% /lib/live/mount/persistence/sda1
/dev/loop0 1267456 1267456 0 100% /lib/live/mount/rootfs/filesystem.squashfs
tmpfs 255988 0 255988 0% /lib/live/mount/overlay
/dev/sda2 8856504 2837056 5546516 34% /lib/live/mount/persistence/sda2
devtmpfs 10240 0 10240 0% /dev
tmpfs 255988 8 255980 1% /dev/shm
tmpfs 5120 4 5116 1% /run/lock
tmpfs 255988 0 255988 0% /sys/fs/cgroup
tmpfs 255988 8 255980 1% /tmp
/dev/sdb 8887 93 8078 2% /media/usbstick
tmpfs 51200 0 51200 0% /run/user/999
tmpfs 51200 0 51200 0% /run/user/1000
I looked into /media/usbstick
root@raspberrypi:~# ls /media/usbstick/
damnit.txt lost+found
root@raspberrypi:~# cat /media/usbstick/damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
Hmm this was tricky a little but i used command string on /dev/sdb to get root flag :)
I look more into ports I did not understand 32469 belong to Plex service. 1193 belong to pihole application called pihole-ftp. I believe Plex was rabbit hole because i never heard about any bypasses for it.
I hope you enjoy reading it …..