HackTheBox Mirai - Raspberry Pi Pentesting
Skills:
Network Security80%
Key Takeaways
The video demonstrates penetration testing on a Raspberry Pi running Pi-hole using techniques from the HackTheBox platform, specifically the retired box 'Mirai'. The video covers intermediate-level cybersecurity concepts and tools such as HackTheBox, Raspberry Pi, and Pi-hole.
Full Transcript
[Music] hey guys hackersploit here back again with another video in this video we're going to be taking a look at a little bit of an interesting topic and that of course is essentially penetration testing on a raspberry pi right and of course i'm going to be using hack the box to facilitate this because in my opinion the box mirai is probably the best way or you know example that i can use to demonstrate this and why performing enumeration is very very important now the name of this box is you know fairly interesting because it's called mirai now if you're not familiar with um you know cyber security breaches and attacks over the last five to ten years you probably wouldn't know what mira is now in the context of cyber security mirai uh is essentially in reference to a botnet attack called mirai that targeted internet of things devices and the way it did this was of course you know finding out uh ips or enumerating ips um and there's multiple ways you can do this i've explored the process of using shodan i'll probably make a follow-up video that will actually highlight this in the future uh but what happens is uh the the creators of the botnet actually you know found or discovered all of these raspberry pi's on the internet that could be accessed remotely and then of course try to authenticate to them using the default credentials and in some cases it was successful and in some cases it wasn't right so this particular box is based on that on that attack uh to a certain extent and that's why i'm going to be covering it so you can see that i've just spawned it and we'll just copy the ip here and again i'll just paste that in there let's see whether we have anything running in the web server we get a blank page so i've already performed an nmap scan and you can see if i just cut out the contents of the scan here the ip is going to be different because i ran this before the the results of the scanner displayed here and you can take a look at my scan options there by the way i will be making a video that covers the process of utilizing rust scan because a lot of you guys have actually been requesting for that so i'll actually make a video on that but you can see you have um you have ssh running so that's running open sh 6.7 p1 and it's on debian so no ubuntu this time and of course you have port 22. that's standard you also have dns which is probably why let me just close that up is probably why we're getting this blank page here because we have to add this ip to our hosts and add the domain which i'm guessing is going to be mirai dot hack the box and we have a web server we also have a plex media server uh and universal plug-and-play um interface running on port one eight eight four right and um yeah and in addition to that you also have that running on port three two four six nine so there's a lot of ports here and again if you have an idea of what's running on the target you can pretty much you know uh tailor your approach in regards to gaining initial access and i'll show you that right now so the first thing i'm going to do is i'm going to say i'm just going to edit my hosts file here so vim and we'll edit the host file and i'll just add that here so uh let me just add the ip here which i believe i copied and it will say mirai dot hack the box right and write and quit and if we now open that up if i say http uh not https because we don't have port 443 running so mirai dot hack the box if i can type that in there we are so it's going to tell us website is blocked access to the following website has been blocked if you have an ongoing use for the website make sure i please ask the owner of the pie hole in your network all right so there's the first clue so pihole is a um essentially an open source uh piece of software that is used on a raspberry pi to block ads on your network so you plug it in on your network and it acts as sort of like a proxy and essentially blocks all ads on your network for all the devices on your network right and again if we just display the source here we just get a you know basic source in regards to the data that's being output here we also get the version of pi hole right so we we have a pretty good idea of what might be running um in regards to the operating system of this target and the device itself because that's very important so let's perform some directory brute forcing on this particular on this particular web server right so i'm just going to again head over into my terminal here and we'll just minimize that slightly and i'll zoom in here so we'll use go buster right and we'll say directory brute force and i'm just going to say the url is going to be the following right and i then say i can paste in the ip there primarily because go buster will resolve it to its uh domain but we'll actually test and see where that works out so word list will use uh we'll use set lists this time and we'll head over into discovery web content and we'll use the big word list here and i can change the threads to maybe something like 20 to speed it up so i'm just going to hit enter and let's see what we're able to enumerate from go buster so i'm just going to let this complete all right so uh i just received our first result here and that is the admin directory so let's try and see what that brings up here so admin there we are hit enter give that a few seconds it's probably taking uh time because we are running a brute force on this so i'm just going to let that continue all right so the web page has loaded and it looks like it's the pi hole administrator the administrator panel here or rather the interface the web interface for pi hold which essentially allows you to authenticate and provides you with status for your raspberry pi right because that's the typical deployment of this uh of this piece of software and at the bottom you can see you have the buy all version which is 3.1.4 and then the web interface version and the fdl version right and we're not authenticated by default so if i log in it's going to ask us for our password right and again we can try and uh locate the default credentials however we can also you know try and identify whether we have any vulnerabilities for piohol so i'm just going to use i'm just going to perform a search split search so and i've cleared up that there so search split and i'll just paste that in there let me just extend this here so you guys can see what's going on and you can see for piehole versions lower than 4.4 we have an authenticated remote code execution script it's a python script here and i believe that that requires authentication right because it says authenticated remote code execution there that's fairly standard we don't have the password so i'm just going to paste and go here and let's see whether we can identify any information pertaining to this particular exploit and how it works so you can see it's a python script here and it provides you the test the test information and how it works right so it looks like right from the get go you'll need to provide let's see whether yeah we need to provide a password um the local ip and it looks like it provides you with a shell through the use of python now we pretty much uh you know can at this point deduce that the the target system is a raspberry pi and if we take a look at the nmap results here let me just close this out here you can see that it's running ssh so why don't we try and identify some default credentials for the raspberry pi right so i'm going to say search for raspberry pi and default default credentials right and there we are we can see the default raspbian login credentials so those are the operating system user credentials so this pro this will probably work via ssh so the username is pi and the password is raspberry so let's try that out and i'm just going to say right over here ssh pi and we get the ip here i believe i have it copied but i'll copy it again there we are and we hit enter looks like that is working and then we type in the password which again let me just make sure i'm getting it correct here is raspberry we hit enter and we get uh initial access right so that's really the power of um of performing enumeration and having another understanding of what the target is running and how the target is being used in regards to its deployment use case so in this case we can you know pretty much tell that the raspberry pi has been set up on a network to block ads right and from that we can deduce that the operating system that's typically used on a raspberry pi is raspbian and we got the default credentials so that we can log in via ssh and in in we go right so the first thing we are going to need to do is of course enumerate our current privileges you can see right now we're locked in as the user pi right and nothing else provides us you know with any additional information there you can see we're logged in as pi and if i list out the contents of my current working directory or the home directory for the pi user you can see if i let's head over to our desktop we get the user flag so there we are cat user dot txt and we get it there right if we list out the current users on the system we can see that we have the pi um the pi user we also have the pi hall user which is interesting which we can't actually log into that's a service account and we have a root account so uh again no other user accounts that we can detect here just the use of pi as well as the plex media server which is interesting and of course we've not touched upon that but if you have gone through this box that can be uh construed as a rabbit hole if you will because you most likely target the plex server the plex media server all right cool so um if i enumerate the kernel version here you can see linux raspberry pi kernel versions six eight 3.16.0468 p a e right and uh cat at c release this should be running debian in this case it is running debian and debian8 at that all right cool so again if we try and access the roots directory you can see permission denied right but let's try and identify our current privileges and whether we can actually do things that we aren't supposed to do so we can do this using an automated script like line-enum or lin-piece to identify whether we can run certain binaries as as the administrator or as the root user whether we have any new password flag set for any particular scripts or binary similar to the other boxes that we've taken a look at but for example if i run sudo and you know i just say sudo l you can see that this will display out the the current permissions for this user right so the user pi can actually run all commands without providing a password so they can this user can run all system commands including the commands limited to administrators and can run them without providing a password or providing the root password so again if we what we can do is we can actually say sudo password and change the password for the root user and i'll just specify a new password for the root user and let me just make sure i'm typing that correctly there we are password are updated successfully so if i say switch user if i want to switch my user into the root user i provide the password that i just created or set up and we have root access there we are we're currently the root user so let's head over into the root uh directory and if we list the contents in here we have the root flag let's cut that out oh looks like we have an interesting message here so it says i lost my original root.txt i think i may have a backup on my usb stick alright so that's all that also ties into the use case off a raspberry pi in that we saw that the target was also running a plex media server and you can of course have your videos movies and multimedia data stored in another location on your network but you what you can do is also attach a usb stick or a usb hard drive an external hard drive to your raspberry pi and then you set up likes to share the videos uh or serve the videos on the hard drive through plex right right so we can list out the current um devices or the attached storage devices on the target by using um lsblk and saying grep sds or storage devices in this case you can see you have sda right which is your main disk it's only 10 gigs and then you have sda1 these are the two partitions and you have sdb which again is the name is usb stick so if we head over to cd uh if i say cd media usb stick and i'll list out the contents there you can see we have dammit.txt so let me cut that out it's going to tell you damn it sorry man i accidentally deleted your files off the usb stick do you know if there is any way to get them back and that's by james our kind of james well if we take a close look at the directories within the usb stick we have a lost and found directory which is uh sort of an acronym or rather another word or rather two words for the recycle um for the recycle bin so if we head over into lost and found uh that doesn't display anything right so what if we try and list out the strings within this particular directory so we can say uh strings and dev sdb because that's the storage device b we hit enter and it looks like we get the flag here right and of course that's different from the user flag that we cut it out earlier let me just compare that yes it is different and we get both the flags right and yep that's pretty much it so this was a very interesting box one that i really enjoyed when i did it uh initially because it wasn't structured in the traditional sense and you know it wasn't it has a few ctf like um you know configurations like for example uh the flags here uh but the initial access uh you know vector was uh really really uh accurate in the sense that you know raspberry pi's that people buy and set up out there for whatever reason in most cases will have default credentials and you know gaining access in this case we were able to elevate our privileges because our user could run any command which is not really accurate but we we could have found another way of actually elevating our privileges irregardless of whether the user we logged in at uh had any special privileges in regards to the commands or binaries that they could execute however in this case it was fairly straightforward as i said the initial the initial section that involved enumeration for this box uh you know could send you down various rabbit holes like for example the plex media server which has a few vulnerabilities but i wasn't successful in gaining access that way i did or i was able to use the remote code authentication python script once i gained access to the target system and checked out the configuration file for the default for the credentials to log into the pi hole web interface and then i used that with the authenticated cookie and i was able to get remote code you know authenticated rce on the target system but of course that's after the fact um that being said that's going to be it for this video let me know what you guys think if you have any other content ideas or suggestions leave them in the comment section if you want to reach me personally you can you can contact me via twitter or via our discord server the link is in the description section we have fantastic discussions regarding you know various topics pertaining to penetration testing red teaming blue teaming malware analysis reverse engineering etc etc and yeah feel free to join in and we always welcome to have you there and i'm always available to answer your questions that being said that's going to be it for this video and i'll be seeing you in the next video a huge thank you to all of our patreons uh your support is greatly appreciated and this is a formal thank you so thank you shamir douglas ryan carr sandor michael busby sits up doozy defean bari dustin umpres and michael hubbard your support is greatly appreciated and you keep us making even more high quality content for you guys so thank you [Music] you
Original Description
In this video, we will be taking a look at how to perform a penetration test on a Raspberry Pi running Pi-hole. The techniques demonstrated in this video were performed on the retired box "Mirai" on the HackTheBox platform.
-----------------------------------------------------------------------------------
BLOG ►► https://bit.ly/3qjvSjK
FORUM ►► https://bit.ly/39r2kcY
ACADEMY ►► https://bit.ly/39CuORr
-----------------------------------------------------------------------------------
TWITTER ►► https://bit.ly/3sNKXfq
DISCORD ►► https://bit.ly/3hkIDsK
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn
-----------------------------------------------------------------------------------
CYBERTALK PODCAST ►► https://open.spotify.com/show/6j0RhRiofxkt39AskIpwP7
-----------------------------------------------------------------------------------
We hope you enjoyed the video and found value in the content. We value your feedback, If you have any questions or suggestions feel free to post them in the comments section or contact us directly via our social platforms.
-----------------------------------------------------------------------------------
Thanks for watching!
Благодарю за просмотр!
Kiitos katsomisesta
Danke fürs Zuschauen!
感谢您观看
Merci d'avoir regardé
Obrigado por assistir
دیکھنے کے لیے شکریہ
देखने के लिए धन्यवाद
Grazie per la visione
Gracias por ver
شكرا للمشاهدة
-----------------------------------------------------------------------------------
#HTB#Pentesting
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from HackerSploit · HackerSploit · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
How To Install Kali Linux 2.0 On Virtual Box
HackerSploit
100 Subscriber Q&A! - How I Learned Ethical Hacking
HackerSploit
BlackArch Linux Review - Better Than Kali Linux?
HackerSploit
How to Access the Deep Web Safely | Deep Web Starter Guide 1.0
HackerSploit
Wireshark Tutorial for Beginners - Installation
HackerSploit
Wireshark Tutorial for Beginners - Overview of the environment
HackerSploit
Wireshark Tutorial for Beginners - Capture options
HackerSploit
Wireshark Tutorial for Beginners - Filters
HackerSploit
Complete Ethical Hacking Course - Become a Hacker Today - #1 Hacking Terminology
HackerSploit
Complete Ethical Hacking Course #2 - Installing Kali Linux
HackerSploit
Parrot OS 3.5 Review | The Best Kali Linux Alternative
HackerSploit
Nmap Tutorial For Beginners - 1 - What is Nmap?
HackerSploit
Katoolin | How To Install Pentesting Tools On Any Linux Distro
HackerSploit
Nmap Tutorial For Beginners - 2 - Advanced Scanning
HackerSploit
Nmap Tutorial For Beginners - 3 - Aggressive Scanning
HackerSploit
Zenmap Tutorial For Beginners
HackerSploit
How To Setup Proxychains In Kali Linux - #1 - Stay Anonymous
HackerSploit
How To Setup Proxychains In Kali Linux - #2 - Change Your IP
HackerSploit
How To Change Mac Address In Kali Linux | Macchanger
HackerSploit
How To Setup And Use anonsurf On Kali Linux | Stay Anonymous
HackerSploit
Ubuntu 17.04 "Zesty Zapus" Review - Bye Unity
HackerSploit
VPN And DNS For Beginners | Kali Linux
HackerSploit
Tails OS Installation And Review - Access The Deep Web/Dark Net
HackerSploit
Steganography Tutorial - Hide Messages In Images
HackerSploit
The Lazy Script - Kali Linux 2017.1 - Automate Penetration Testing!
HackerSploit
Best Linux Distributions For Penetration Testing
HackerSploit
Netcat Tutorial - The Swiss Army Knife Of Networking - Reverse Shell
HackerSploit
Gaining Access - Web Server Hacking - Metasploitable - #1
HackerSploit
Web Server Hacking - FTP Backdoor Command Execution With Metasploit - #2
HackerSploit
How To Install Kali Linux On VMware - Complete Guide 2018
HackerSploit
Q&A #1 - Best Cyber-security Certifications?
HackerSploit
Terminator - Kali Linux - Multiple Terminals
HackerSploit
Shodan Search Engine Tutorial - Access Routers,Servers,Webcams + Install CLI
HackerSploit
Q&A #2 - Mr Robot?
HackerSploit
Metasploit Community Web GUI - Installation And Overview
HackerSploit
Linux Expl0rer - Forensics Toolbox - Installation & Configuration
HackerSploit
QuasarRAT - The Best Windows RAT? - Remote Administration Tool for Windows
HackerSploit
Metasploit For Beginners - #1 - The Basics - Modules, Exploits & Payloads
HackerSploit
Metasploit For Beginners - #2 - Understanding Metasploit Modules
HackerSploit
Kali Linux Quick Tips - #1 - Adding a non-root user
HackerSploit
Metasploit For Beginners - #3 - Information Gathering - Auxiliary Scanners
HackerSploit
Spectre Meltdown Vulnerability - How To Check Your System
HackerSploit
Metasploit For Beginners - #4 - Basic Exploitation
HackerSploit
ARP Spoofing With arpspoof - MITM
HackerSploit
WordPress Vulnerability Scanning With WPScan
HackerSploit
Generating A PHP Backdoor with weevely
HackerSploit
Nikto Web Vulnerability Scanner - Web Penetration Testing - #1
HackerSploit
How To Install Kali Linux On Windows 10 - Windows Subsystem For Linux
HackerSploit
Stacer - System Optimizer And Monitoring Tool For Linux
HackerSploit
Kali Linux 2018.1 - Kernel Updates & Patches
HackerSploit
MITM With Ettercap - ARP Poisoning
HackerSploit
Password Cracking With John The Ripper - RAR/ZIP & Linux Passwords
HackerSploit
How To Detect Rootkits On Kali Linux - chkrootkit & rkhunter
HackerSploit
Channel Updates - How To Post Questions & Video Suggestions
HackerSploit
Web App Penetration Testing - #1 - Setting Up Burp Suite
HackerSploit
Web App Penetration Testing - #2 - Spidering & DVWA
HackerSploit
Cl0neMast3r - GitHub Repository Cloning Tool
HackerSploit
Kali Linux On Windows 10 Official - WSL - Installation & Configuration
HackerSploit
DoS/DDoS Protection - How To Enable ICMP, UDP & TCP Flood Filtering
HackerSploit
Web App Penetration Testing - #3 - Brute Force With Burp Suite
HackerSploit
More on: Network Security
View skill →Related Reads
📰
📰
📰
📰
Stop Getting Drained by CAPTCHAs: How to Calculate Usable Responses per GB (The Retry Multiplier Math)
Dev.to · proxyvero
5 HIPAA Violations Hiding in Your Next.js Healthcare App Right Now
Dev.to · Francosimon53
Node.js patches six permission bypasses; Zeta2 improves accuracy
Dev.to · The Dev Signal
Kali Linux In VirtualBox Installation Guide
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI