
Mirai is a retired vulnerable machine available from HackTheBox. The machine maker is Arrexel, thank you. It is a pretty easy machine with a difficulty rating of 3.7 out of 10. No automated tools are required to solve the machine.
Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. The goal is to obtain root shell together with both user & root flags.
Exploitation Summary (tap to reveal)
Initial Exploitation
- Vulnerability: pi-hole default id / password
- Explanation: default installation without changing password
Privilege Escalation
- Vulnerability: sudo full access
- Explanation: pi user can escalate using sudo
Enumeration
nmap -p- -A -T4 10.10.10.48

TCP 22: OpenSSH 6.7p1 TCP 53: dnsmasq 2.76 TCP 80: lighttpd 1.4.35 TCP 1834, 32469: Platinum UPnP 1.0.5.13 TCP 32400: Plex Media Server httpd
Initial Shell Exploitation
Let’s first check out the website at port 80

Oh! It’s a blank page. Then let’s see if gobuster directory scan will give us something
gobuster dir -u http://10.10.10.48/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403"

There’s a folder admin. Let’s check it out!

All right! It’s admin page for Pi-hole. Pi-hole has default id/password of pi:raspberry.

Let’s try that using ssh:
ssh pi@10.10.10.48

Initial shell obtained. That’s pretty straight forward.
Note: I did spent some time searching for exploitable vulnerabilities on other services including pi-hole, dnsmasq and plex before this. A classic example we should try out default id/password first.
User flag is obtained easily:

Privilege Escalation
Getting to root is also simple:

User pi can use sudo freely. sudo su brings us to root straight away. Now, on to root flag:

Ok. Root flag is less straight forward as getting root shell. lol
It hinted we may find it in USB stick. So I run the command df:

Looks like /media/usbstick is the spot. Let’s check it out.

Ok. We got second hint that the files were deleted by James. Great.
In general, deleting files do not actually clear the data stored in the drive. We just don’t have the file pointer the reference the data anymore. But we may still be able to find the information by examine what is stored in the drive. So let’s make a copy of the USB drive using command dd.
dd if=/dev/sdb of=/tmp/usb.image

Then we can examine text data in the file usb.image.
strings /tmp/usb.image

There we go. We find the root flag! Mission accomplished.
Thank you for the box Mirai, Arrexel!