USB


After escalating privileges to the root user, I found something interesting in the home directory:

root@raspberrypi:~# ll
total 22K
4.0K -rw-------  1 root root  549 Dec 24  2017 .bash_history
4.0K drwx------  2 root root 4.0K Aug 27  2017 .ssh
4.0K drwx------  3 root root 4.0K Aug 27  2017 .
4.0K -rw-r--r--  1 root root   76 Aug 14  2017 root.txt
4.0K drwxr-xr-x 35 root root 4.0K Aug 14  2017 ..
1.0K -rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
 512 -rw-r--r--  1 root root  140 Nov 19  2007 .profile
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

The note says that there is a backup on a USB stick.

root@raspberrypi:/# cat /etc/fstab
# UNCONFIGURED FSTAB FOR BASE SYSTEM
aufs / aufs rw 0 0
tmpfs /tmp tmpfs nosuid,nodev 0 0
/dev/sdb /media/usbstick ext4 ro,suid,dev,noexec,auto,user,async 0 0

Checking /etc/fstab for external media reveals that there is a device, /dev/sdb, mounted at the /media/usbstick directory.

root@raspberrypi:/# cd media/usbstick/ ; ll
total 18K
1.0K drwxr-xr-x 3 root root 1.0K Aug 14  2017 .
1.0K -rw-r--r-- 1 root root  129 Aug 14  2017 damnit.txt
 12K drwx------ 2 root root  12K Aug 14  2017 lost+found
4.0K drwxr-xr-x 3 root root 4.0K Aug 14  2017 ..

There is a note in the /media/usbstick directory.

root@raspberrypi:/media/usbstick# cat damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
 
-James

It’s a note written by someone named James, saying that some files have been deleted off the external media. It also asks whether it is possible to get them back.

root@raspberrypi:/media/usbstick# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James

It would appear that I can. I used the strings command to extract printable cleartext strings from the binary data on the device.

3d3e483143ff12ec505d026fa13e020b looks like the flag.
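
The raw-device read above works because deleting a file drops its directory entry while the data blocks stay on the device until something overwrites them. As an added example (not part of the original writeup), here is a Python version of the strings scan that also reports byte offsets and filters for 32-character hex values; the sample device contents and the token in it are constructed.

```python
import io
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

def printable_runs(stream, min_len=4, chunk_size=4096):
    """Yield (offset, text) for runs of printable ASCII, like `strings -t d`.

    Reads chunk by chunk so a whole device never has to fit in memory; a run
    that crosses a chunk boundary is carried over instead of being split.
    """
    run, start, pos = bytearray(), 0, 0
    while chunk := stream.read(chunk_size):
        for b in chunk:
            if 0x20 <= b <= 0x7E or b == 0x09:   # printable ASCII or tab
                if not run:
                    start = pos
                run.append(b)
            else:
                if len(run) >= min_len:
                    yield start, run.decode("ascii")
                run.clear()
            pos += 1
    if len(run) >= min_len:                       # run ending at end of device
        yield start, run.decode("ascii")

def hex_candidates(stream, **kwargs):
    """Keep only runs that are exactly one 32-character lowercase hex value."""
    return [(off, s) for off, s in printable_runs(stream, **kwargs)
            if HEX32.fullmatch(s)]

# Constructed sample "device": leftover directory names, then a constructed
# 32-hex token placed at offset 4080 so it straddles the 4096-byte chunk edge.
TOKEN = "0123456789abcdef0123456789abcdef"
SAMPLE = (
    (b"\x00" * 1024 + b"lost+found\x00root.txt\x00damnit.txt\x00").ljust(4080, b"\x00")
    + TOKEN.encode() + b"\n" + b"\x00" * 512
)

if __name__ == "__main__":
    for offset, text in printable_runs(io.BytesIO(SAMPLE)):
        print(f"{offset:8d} {text}")
    print("hex candidates:", hex_candidates(io.BytesIO(SAMPLE)))
```

To run it against a real device or a disk image, pass a file object opened with mode "rb" instead of the BytesIO sample; the offsets show where on the device each remnant sits.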