Hack The Box — Mirai —(TJNull’s list for OSCP)

Daniyal Ahmed
4 min read · May 22, 2023


This is my 14th write-up for Mirai, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

In a general penetration test or a CTF, there are usually 3 major phases that are involved.

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

In order to hack into a system we first need to gather some information about it. For that, we use Nmap to scan the ports of the target machine and find out which services are running, since those services are what we can target. First let’s find out which ports are open, and then we will run a detailed scan only on those ports to save time.

nmap -p- 10.129.228.246 --max-retries=2
[Screenshot: nmap all ports]

We can see what ports are open here. Let’s do a detailed nmap on these ports.

nmap -sC -sV -A -T4 -p22,53,80,1060,32400,32469 10.129.228.246
[Screenshot: nmap targeted scan]

Let’s start with port 80.

Navigating to the IP address through a web browser doesn’t show anything. We are presented with a blank page.

Let’s run gobuster.

gobuster dir -u http://10.129.228.246 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.txt -x php,html,log,txt -t 200 -k --no-error
[Screenshot: gobuster output]

Gobuster reveals two pages: /admin and /versions.

/versions only downloads a file with a random number in it. I don’t know what that is.

[Screenshot: /versions]

Let’s navigate to /admin.

[Screenshot: pi-hole]

And we are presented with a Pi-hole page. It also reveals the version of Pi-hole at the bottom (i.e. 3.1.4).

Let’s search for default credentials for pi-hole first.

[Screenshot: default credentials]

The default username is pi and the default password is raspberry.

[Screenshot: login page]

At the login page, we are not asked for the username. Let’s try the password anyway, assuming that the username is set to default.

[Screenshot: wrong password!]

That doesn’t work.

Initial foothold

Let’s try SSH with username pi and password raspberry.

ssh pi@10.129.228.246

And we are in!

Let’s grab the user flag from the Desktop.

cat ~/Desktop/user.txt

Privilege Escalation

Let’s see what commands we can run with sudo.

sudo -l

That’s weird lol.

It seems user pi can run any command with sudo, so switching to root is a single command.

sudo su
[Screenshot: root shell]

Let’s grab the root flag from /root.

[Screenshot: root.txt message]

There’s no flag here, but a message. It says that the original root.txt is present on the USB stick.

USB drives are usually mounted under /media, so let’s look there.

[Screenshot: damnit.txt]

We find a damnit.txt file but no root.txt. The file says that James accidentally deleted the files from the USB stick.

Let’s check the lost+found directory.

Nothing there either.

Let’s create an image of the USB stick. First we need to know the device path of the drive.

df -h

It’s /dev/sdb.

Let’s create a dd image of that drive.

dd if=/dev/sdb of=/home/pi/usb.dd

Okay, so we have created a raw image of the USB stick. Deleting a file only removes its directory entry, so the data blocks are still in the image; let’s run the strings command on it to pull out every printable string stored in the dd image.

strings usb.dd

And here is the flag :)
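Why the raw image still holds the deleted flag: a plain delete drops the directory entry but leaves the data blocks in place, which is exactly what a dd copy plus strings picks up. The following is an added example of mine, not code from the write-up: it models that in Python with a constructed 8-block image, a placeholder flag value, and a minimal re-implementation of strings, and also shows that overwriting the block before unlinking (what shred-style tools do) is what actually defeats the recovery.

```python
import re

# Constructed stand-in for the dd image of the USB stick: 8 blocks of 512 bytes.
BLOCK_SIZE, NUM_BLOCKS = 512, 8
# Constructed placeholder content for root.txt, not the real flag.
ROOT_TXT = b"HTB{constructed_placeholder_flag}\n"

class FakeDisk:
    """Block device plus a directory table (name -> block) standing in for filesystem metadata."""
    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.directory = {}

    def write_file(self, name, block, data):
        start = block * BLOCK_SIZE
        self.image[start:start + len(data)] = data
        self.directory[name] = block

    def unlink(self, name):
        del self.directory[name]  # what rm does: entry gone, data block untouched

    def wipe_and_unlink(self, name):
        start = self.directory[name] * BLOCK_SIZE
        self.image[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)  # zero first (shred-style)
        self.unlink(name)

    def dd(self):
        return bytes(self.image)  # 'dd if=/dev/sdb of=usb.dd': every block, allocated or not

def extract_strings(data, min_len=4):
    """Re-implementation of the strings tool: runs of >= min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def recover_after_plain_delete():
    """Returns (still listed in directory?, flag carved from raw image?) after a plain rm."""
    disk = FakeDisk()
    disk.write_file("root.txt", 3, ROOT_TXT)
    disk.unlink("root.txt")  # James' accidental delete
    carved = extract_strings(disk.dd())
    return "root.txt" in disk.directory, any(s.startswith("HTB{") for s in carved)

def recover_after_wipe():
    """Same scenario, but the block is overwritten before the delete."""
    disk = FakeDisk()
    disk.write_file("root.txt", 3, ROOT_TXT)
    disk.wipe_and_unlink("root.txt")
    return any(s.startswith("HTB{") for s in extract_strings(disk.dd()))
```

The first function returns (False, True): the file is gone from the directory yet its contents are carved straight out of the raw image, while the wiped variant returns False because there is nothing left in the block to find.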

EZ!
