Mirai – HackTheBox writeup

Mirai – HackTheBox writeup
info

Mirai is a retired vulnerable machine available from HackTheBox. The machine maker is Arrexel, thank you. It is a pretty easy machine with a difficulty rating of 3.7 out of 10. No automated tools are required to solve the machine.

Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain root shell together with both user & root flags.

Exploitation Summary (tap to reveal)

Initial Exploitation

  • Vulnerability: pi-hole default id / password
  • Explanation: default installation without changing password

Privilege Escalation

  • Vulnerability: sudo full access
  • Explanation: pi user can escalate using sudo

Enumeration

nmap -p- -A -T4 10.10.10.48
TCP 22: OpenSSH 6.7p1
TCP 53: dnsmasq 2.76
TCP 80: lighttpd 1.4.35
TCP 1834, 32469: Platinum UPnP 1.0.5.13
TCP 32400: Plex Media Server httpd

Initial Shell Exploitation

Let’s first check out the website at port 80

homepage

Oh! It’s a blank page. Then let’s see if gobuster directory scan will give us something

gobuster dir -u http://10.10.10.48/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403"
gobuster

There’s a folder admin. Let’s check it out!

pi-hole

All right! It’s admin page for Pi-hole. Pi-hole has default id/password of pi:raspberry.

default id/pwd

Let’s try that using ssh:

ssh pi@10.10.10.48
initial shell

Initial shell obtained. That’s pretty straight forward.

Note: I did spent some time searching for exploitable vulnerabilities on other services including pi-hole, dnsmasq and plex before this. A classic example we should try out default id/password first.

User flag is obtained easily:

Privilege Escalation

Getting to root is also simple:

root shell

User pi can use sudo freely. sudo su brings us to root straight away. Now, on to root flag:

root flag info

Ok. Root flag is less straight forward as getting root shell. lol

It hinted we may find it in USB stick. So I run the command df:

df

Looks like /media/usbstick is the spot. Let’s check it out.

usb

Ok. We got second hint that the files were deleted by James. Great.

In general, deleting files do not actually clear the data stored in the drive. We just don’t have the file pointer the reference the data anymore. But we may still be able to find the information by examine what is stored in the drive. So let’s make a copy of the USB drive using command dd.

dd if=/dev/sdb of=/tmp/usb.image
dd

Then we can examine text data in the file usb.image.

strings /tmp/usb.image
root flag

There we go. We find the root flag! Mission accomplished.

Thank you for the box Mirai, Arrexel!

Leave a Reply

Close Menu