The Mirai machine from the Hack The Box platform is named after the infamous Mirai malware from 2016 that infected hundreds of thousands of home routers and IoT devices by scanning for default credentials.
TL;DR
NodeZero obtained initial access to Mirai by scanning it for common default SSH credentials. It found default credentials for the user pi, then escalated privileges from pi to root using sudo.
Timeline of Notable Events
| Timestamp (UTC) | Event |
|---|---|
| 2021-12-03 06:09:35 AM | Assessment started |
| 2021-12-03 06:11:26 AM | Discovered default SSH credentials for the pi user |
| 2021-12-03 06:15:17 AM | Obtained root level privileges using sudo |
Attack Graph
This is the attack graph that represents what NodeZero did. A detailed walkthrough is provided below.

Walkthrough
06:09:35 AM UTC – NodeZero started the assessment. It was provided Mirai’s IP address: 10.10.10.48. It confirmed the machine was live using an nmap ping sweep.
NodeZero ran TCP and UDP port scans using nmap and found multiple ports open. The SSH and web ports stood out as most interesting to explore.
06:11:26 AM UTC: NodeZero scanned for default SSH credentials using the Metasploit framework and a known list of default credentials available in the SecLists GitHub repository. It discovered access as the user pi with the password raspberry.
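The credential scan above leaves a distinctive trail in the sshd log: a burst of "Failed password" entries from one source, followed by an "Accepted password" for the account that finally worked. The following shell script is an added example, not part of the original writeup or of NodeZero; it runs over a handful of constructed auth-log lines (the host name, PIDs and source addresses are made up) and reports password logins that were preceded by at least a threshold number of failures from the same IP.

```shell
#!/bin/sh
# Added example (not from the original writeup): flag SSH password-guessing in
# sshd auth-log lines. All log lines below are constructed for illustration.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec  3 06:10:41 mirai sshd[1201]: Failed password for root from 10.10.14.5 port 51002 ssh2
Dec  3 06:10:42 mirai sshd[1203]: Failed password for admin from 10.10.14.5 port 51004 ssh2
Dec  3 06:10:43 mirai sshd[1205]: Failed password for invalid user ubnt from 10.10.14.5 port 51006 ssh2
Dec  3 06:10:44 mirai sshd[1207]: Failed password for pi from 10.10.14.5 port 51008 ssh2
Dec  3 06:10:45 mirai sshd[1209]: Accepted password for pi from 10.10.14.5 port 51010 ssh2
Dec  3 06:12:01 mirai sshd[1250]: Accepted publickey for pi from 10.10.14.9 port 40212 ssh2
EOF

# count_failed_by_ip LOGFILE
# Prints "<count> <ip>" for every source IP with failed password attempts,
# most failures first. Only sshd lines are considered.
count_failed_by_ip() {
    grep 'sshd\[' "$1" | grep 'Failed password for' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# suspicious_logins LOGFILE THRESHOLD
# Prints "<user> <ip>" for each successful *password* login from an IP that
# produced at least THRESHOLD failures in the same file. Key-based logins are
# ignored, since a guessed password does not produce an "Accepted publickey".
suspicious_logins() {
    log=$1; threshold=$2
    count_failed_by_ip "$log" | while read -r n ip; do
        [ "$n" -ge "$threshold" ] || continue
        grep "Accepted password for .* from $ip port" "$log" \
            | sed -n 's/.*Accepted password for \([^ ]*\) from \([0-9.]*\) port .*/\1 \2/p'
    done
}

# With the constructed log this reports: pi 10.10.14.5
suspicious_logins "$SAMPLE_LOG" 3
```

The threshold is deliberately low for the sample; on a real host you would feed `/var/log/auth.log` (or `journalctl -u ssh`) and tune it to the normal failure rate. A hit for an account like pi on a device that should only accept keys is exactly the signal that the default credential found here would have produced.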
06:15:13 AM UTC: NodeZero logged into Mirai over SSH as the pi user. It used the LinPEAS script to assess the host for sensitive data and privilege escalation vectors. The output of LinPEAS showed that pi could use the sudo utility to elevate privileges to the root user.
Specifically, the output of sudo -l shows that pi can execute any command as any user without a password.
06:15:22 AM UTC: NodeZero used the sudo privileges of the pi user to execute the id and cat /etc/shadow commands as root. The /etc/shadow file contains user password hashes and can only be accessed by root. This proves full system compromise.
Conclusion
NodeZero took advantage of two significant weaknesses to fully compromise the Mirai machine: default SSH credentials and unrestricted sudo privileges.
Default credentials are a finding NodeZero commonly encounters in pentests, and they are what NodeZero used to exploit Jerry, another Hack The Box machine assessed previously. Default SSH credentials are most often found on “forgotten infrastructure” such as devices and remote management interfaces like iDRACs and iLOs.
Exploiting weak sudo configuration is a common way to escalate privileges on Linux systems. For this particular machine, what’s most worrisome is that the pi user could use sudo to run any command as root without having to re-enter the pi user’s password.
Recommended Fixes
To address these issues, NodeZero recommended the following actions:
- Set a strong, hard-to-guess password for the `pi` user
- Modify the `sudo` configuration to remove the `NOPASSWD` option, so that `pi` has to re-enter the user’s password to run commands as `root`
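The `sudo -l` output in the walkthrough and the second fix above both come down to one sudoers rule. The shell script below is an added example, not from the original writeup or from NodeZero; it audits a sudoers-style file for rules that pair `NOPASSWD` with an unrestricted command list, using two constructed files: one reproducing the weak rule reported for pi, and one with the option removed as the fix recommends.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a sudoers-style file for
# rules that let a user run any command without a password. Both files below
# are constructed for illustration.

WEAK=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$WEAK" "$FIXED"' EXIT

# Weak configuration: the kind of rule "sudo -l" exposed for pi on the box.
cat > "$WEAK" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
pi ALL=(ALL) NOPASSWD: ALL
EOF

# Hardened configuration: same grant, but pi must re-enter the password.
cat > "$FIXED" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
pi ALL=(ALL) ALL
EOF

# passwordless_all_rules FILE
# Prints the principal (user or %group) of every rule whose command list is
# "NOPASSWD: ALL". Comments and Defaults lines are skipped. Returns 1 when at
# least one such rule exists, 0 when the file is clean.
passwordless_all_rules() {
    found=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -v '^[[:space:]]*Defaults' \
        | grep 'NOPASSWD:[[:space:]]*ALL[[:space:]]*$' \
        | awk '{print $1}')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# check_sudoers FILE: human-readable verdict, same exit status as above.
check_sudoers() {
    if users=$(passwordless_all_rules "$1"); then
        echo "OK: no passwordless unrestricted sudo rules in $1"
    else
        echo "FINDING: passwordless unrestricted sudo for: $(echo "$users" | tr '\n' ' ')"
        return 1
    fi
}

check_sudoers "$WEAK" || true   # non-zero status marks the finding
check_sudoers "$FIXED"
```

On a live system point it at `/etc/sudoers` and each file under `/etc/sudoers.d/` (reading them needs root), and always edit with `visudo`, which syntax-checks the file before saving; a broken sudoers can lock everyone out of root. The hardened rule still lets pi become root, which is what a single-user Raspberry Pi usually wants; what it removes is the ability to do so silently from a stolen shell.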
