[Linux] Mirai (Forensics)

우와해커 2020. 5. 29. 14:28

Raspberry Pi (IoT) + forensics challenge

Nmap
pihole 3.1.4
ftl 2.10

Default password reuse (Pi admin = SSH root account)

SSH

username: pi
password: raspberry

root.txt is on the USB stick

Check the mounted disks:
df -h
fdisk -l

/media/usbstick

Check the lost+found directory => it is empty, so recovery with fsck is not practical.

Method 1
strings /dev/sdb
(Run strings against the raw USB device, not the mount point: /media/usbstick is a directory, so strings cannot read it.)

Method 2 - Imaging and Recovery
The command sudo dcfldd if=/dev/sdb of=/home/pi/usb.dd will create an image of the USB stick and save it to the pi user's home directory. From there, the file can be exfiltrated many ways. In this case, a simple SCP from the attacking machine will suffice. The following command copies usb.dd to the local machine's working directory:
scp pi@10.10.10.48:/home/pi/usb.dd .
With the USB image at hand, it is possible to run a large range of tools against it to extract the data.

Unfortunately, in this case, the data between the filename and the contents of the file itself has been overwritten, so recovery with most tools is not possible. A quick check with testdisk shows the file with a size of 0.

Knowing that the file did exist at one point, it is safe to assume the data may still be in the image. Opening it with any text or hex editor will reveal the flag, as will running strings against the image.
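As an added example (not the author's code and not from the box), this is what the strings-based recovery step amounts to in Python: scan the raw image for printable runs, ignoring filesystem metadata entirely, then narrow the hits to a known marker. The sample image is a constructed stand-in for usb.dd (a zeroed directory entry followed by a surviving data block), and the chunked file reader and the "FLAG{" marker are assumptions of mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for usb.dd (not a real image from the box): block 0 is a
# zeroed directory entry, so the filename no longer points at any data (testdisk
# would show the file with size 0); block 1 still holds the old file contents.
BLOCK_SIZE = 64
ZEROED_DIR_ENTRY = b"\x00" * BLOCK_SIZE
SURVIVING_DATA_BLOCK = b"root.txt contents: FLAG{placeholder}\n".ljust(BLOCK_SIZE, b"\x00")
SAMPLE_IMAGE = ZEROED_DIR_ENTRY + SURVIVING_DATA_BLOCK + bytes(range(0x80, 0x100))


def extract_strings(image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """What `strings -t d` does: every run of at least min_len printable ASCII
    bytes, with its decimal offset. Raw bytes are scanned, so zeroed metadata
    does not matter."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def find_in_image(image: bytes, needle: str, min_len: int = 4) -> List[Tuple[int, str]]:
    """Keep only recovered strings containing a known marker, which is how the
    output of strings on a real image is usually narrowed down."""
    return [(off, s) for off, s in extract_strings(image, min_len) if needle in s]


def recover_from_file(path: str, needle: str, chunk: int = 1 << 20,
                      overlap: int = 256) -> List[Tuple[int, str]]:
    """Same search over an on-disk image read in chunks, so a large usb.dd need
    not fit in memory. Each chunk is prefixed with the tail of the previous one,
    so strings shorter than `overlap` are not cut at chunk boundaries; hits are
    keyed by absolute offset, so the overlap does not produce duplicates."""
    hits: Dict[int, str] = {}
    carry = b""
    base = 0  # absolute offset of the next chunk to be read
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk)
            if not data:
                break
            buf = carry + data
            buf_base = base - len(carry)
            for off, text in find_in_image(buf, needle):
                hits[buf_base + off] = text  # later (complete) match wins
            carry = buf[-overlap:]
            base += len(data)
    return sorted(hits.items())


if __name__ == "__main__":
    for off, text in find_in_image(SAMPLE_IMAGE, "FLAG{"):
        print(f"{off:>8d}  {text}")
```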

