The Mirai machine from the Hack The Box platform is named after the infamous Mirai malware from 2016 that infected hundreds of thousands of home routers and IoT devices by scanning for default credentials.
I obtained initial access to Mirai by scanning it for common default SSH credentials. I found default credentials for the user `pi`. I then escalated privileges from
Timeline of Notable Events

| Time (UTC) | Event |
|---|---|
| 2021-12-03 06:09:35 AM | Assessment started |
| 2021-12-03 06:11:26 AM | Discovered default SSH credentials for the |
| 2021-12-03 06:15:17 AM | Obtained |
This is the attack graph that represents what I did. I’ll walk through this in detail below:
06:09:35 AM UTC: I started my assessment. I was provided Mirai’s IP address, 10.10.10.48. I confirmed this machine was live with an `nmap` ping sweep.
I ran TCP and UDP port scans using `nmap` and found multiple ports open. The SSH and web ports stood out as the most interesting to explore.
06:11:26 AM UTC: I scanned for default SSH credentials using the Metasploit framework and a known list of default credentials available in the SecLists GitHub repository. I discovered access as the user `pi` with the password
06:15:13 AM UTC: I logged into Mirai over SSH as the `pi` user. I used the LinPEAS script to assess the host for sensitive data and privilege escalation vectors. The output of LinPEAS showed that `pi` could use the `sudo` utility to elevate privileges to the
Specifically, the output of `sudo -l` shows that `pi` can execute any command as any user without a password.
06:15:22 AM UTC: I used the `sudo` privileges of the `pi` user to execute the `cat /etc/shadow` command as
The `/etc/shadow` file contains user password hashes and can only be accessed by `root`. This proves full system compromise.
I took advantage of two significant weaknesses to fully compromise the Mirai machine: default SSH credentials, and unrestricted
Default credentials are a finding I commonly encounter in pentests, and they are what I used to exploit another Hack The Box machine, Jerry, that I had previously assessed. I most often find default SSH credentials on “forgotten infrastructure” such as devices and remote management interfaces like iDRACs and iLOs.
`sudo` configuration is a common way to escalate privileges on Linux systems. For this particular machine, what’s most worrisome is that the `pi` user can `sudo` and run any command as `root` without having to re-enter
To address these issues, I recommend the following fix actions:
- Setting a strong, hard-to-guess password for the
- Modifying the `sudo` configuration to remove the `NOPASSWD` option, so that `pi` has to re-enter `pi`'s password to run commands as
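As an added example (my own code, not part of the original writeup), the following Python audit parses sudoers-style rules, flags any principal holding the kind of unrestricted `NOPASSWD: ALL` grant that `sudo -l` exposed on Mirai, and applies the fix recommended above by dropping the tag from exactly those rules while leaving command-scoped `NOPASSWD` entries alone. The sudoers content is a constructed sample, not the machine's real file.

```python
import re

# Constructed sample sudoers content (not taken from the Mirai machine). The
# `pi` line mirrors the unrestricted NOPASSWD grant that `sudo -l` revealed.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# who  host=(runas) [TAG: ...] commands  (simplified sudoers user-spec grammar)
_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)
_TAG = re.compile(r"^([A-Z]+):\s*")

def parse_sudoers(text):
    """Parse user-spec lines into dicts; comments, blanks and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while (t := _TAG.match(rest)):        # peel off NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            rest = rest[t.end():]
        rules.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                      "tags": tags, "commands": rest.strip()})
    return rules

def unrestricted_nopasswd(text):
    """Principals that may run ANY command via sudo with no password prompt."""
    return [r["who"] for r in parse_sudoers(text)
            if "NOPASSWD" in r["tags"] and r["commands"] == "ALL"]

def harden_sudoers(text):
    """Strip NOPASSWD only from unrestricted 'ALL' grants, leaving scoped ones alone."""
    fixed = []
    for line in text.splitlines():
        if unrestricted_nopasswd(line):
            line = re.sub(r"\bNOPASSWD:\s*", "", line)
        fixed.append(line)
    return "\n".join(fixed)
```

Running `unrestricted_nopasswd(SAMPLE_SUDOERS)` returns `['pi']`; after `harden_sudoers` the `pi` rule still grants `ALL` but prompts for the invoking user's password, and the scoped `backup` rule is untouched.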