The Mirai machine from the Hack The Box platform is named after the infamous Mirai malware from 2016 that infected hundreds of thousands of home routers and IoT devices by scanning for default credentials.

TL;DR

I obtained initial access to Mirai by scanning it for common default SSH credentials. I found default credentials for the user pi. I then escalated privileges from pi to root using sudo.

Timeline of Notable Events

Timestamp (UTC)           Event
2021-12-03 06:09:35 AM    Assessment started
2021-12-03 06:11:26 AM    Discovered default SSH credentials for the pi user
2021-12-03 06:15:17 AM    Obtained root level privileges using sudo

Attack Graph

This is the attack graph that represents what I did. I’ll walk through this in detail below:

Walkthrough

06:09:35 AM UTC: I started my assessment. I was provided Mirai’s IP address, 10.10.10.48. I confirmed this machine was live with an nmap ping sweep.

I ran TCP and UDP port scans using nmap and found multiple ports open. The SSH and web ports stood out as most interesting to explore.

06:11:26 AM UTC: I scanned for default SSH credentials using the Metasploit framework and a known list of default credentials available in the SecLists Github repository. I discovered access as the user pi with the password raspberry.

06:15:13 AM UTC: I logged into Mirai over SSH as the pi user. I used the LinPEAS script to assess the host for sensitive data and privilege escalation vectors. The output of LinPEAS showed that pi could use the sudo utility to elevate privileges to the root user.

Specifically, the output of sudo -l shows that pi can execute any command as any user without a password.

06:15:22 AM UTC: I used the sudo privileges of the pi user to execute the id and cat /etc/shadow commands as root. The /etc/shadow file contains user password hashes and can only be accessed by root. This proves full system compromise.

Conclusion

I took advantage of two significant weaknesses to fully compromise the Mirai machine: default SSH credentials, and unrestricted sudo privileges.

Default credentials are a finding I commonly encounter in pentests, and they are what I used to exploit another Hack The Box machine, Jerry, that I had previously assessed. I find default SSH credentials most often on “forgotten infrastructure” such as devices and remote management interfaces like iDRACs and iLOs.

Exploiting sudo configuration is a common way to escalate privileges on Linux systems. For this particular machine, what’s most worrisome is that the pi user can sudo and run any command as root without having to re-enter pi’s password.

To address these issues, I recommend the following fix actions:

  • Setting a strong, hard-to-guess password for the pi user
  • Modifying the sudo configuration to remove the NOPASSWD option, so that pi has to re-enter pi’s password to run commands as root
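As an added illustration that is not part of the original writeup, here is a small POSIX shell audit that flags the kind of sudoers entry described above and shows the corrected form without the NOPASSWD tag. The sample sudoers text and the function names are constructed for this example.

```shell
# Constructed sample sudoers file (not copied from the machine). The last line
# is the kind of entry the writeup describes for the pi user.
SAMPLE_SUDOERS='Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# pi    ALL=(ALL) NOPASSWD: ALL   (commented out, must not be reported)
pi      ALL=(ALL) NOPASSWD: ALL'

# Print every active sudoers line that grants ALL commands with NOPASSWD.
# Reads sudoers-format text on stdin; comments and blank lines are skipped.
find_nopasswd_all() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]*$|[[:space:]]*,)' || true
}

# Return 0 when the configuration passed as $1 is clean, 1 when a risky
# entry exists (the matching lines are printed so the reviewer can see them).
audit_sudoers() {
    hits=$(printf '%s\n' "$1" | find_nopasswd_all)
    if [ -n "$hits" ]; then
        printf 'RISK: passwordless sudo to any command:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# The hardening from the conclusion: keep pi's sudo rights but drop the
# NOPASSWD tag so a password prompt is required again. This only rewrites
# text; on a real host the change belongs in visudo, which syntax-checks the
# file before saving it (visudo -c checks an existing file).
strip_nopasswd() {
    printf '%s\n' "$1" | sed -E 's/NOPASSWD:[[:space:]]*//'
}

# Demonstration: the sample fails the audit, the corrected text passes it.
audit_sudoers "$SAMPLE_SUDOERS" || true
FIXED_SUDOERS=$(strip_nopasswd "$SAMPLE_SUDOERS")
audit_sudoers "$FIXED_SUDOERS" && echo "corrected configuration is clean"
```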