Mirai – HackTheBox writeup
[screenshot: box info]

Exploitation Summary

Initial Exploitation

  • Vulnerability: Pi-hole default id/password
  • Explanation: default installation with the default password left unchanged

Privilege Escalation

  • Vulnerability: sudo full access
  • Explanation: the pi user can run any command as root via sudo

Enumeration

nmap -p- -A -T4 10.10.10.48
TCP 22: OpenSSH 6.7p1
TCP 53: dnsmasq 2.76
TCP 80: lighttpd 1.4.35
TCP 1834, 32469: Platinum UPnP 1.0.5.13
TCP 32400: Plex Media Server httpd

Initial Shell Exploitation

Let’s first check out the website on port 80.

[screenshot: homepage]

Oh! It’s a blank page. Let’s see if a gobuster directory scan gives us something.

gobuster dir -u http://10.10.10.48/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403"
[screenshot: gobuster output]

There’s an admin folder. Let’s check it out!

[screenshot: Pi-hole admin page]

All right! It’s the admin page for Pi-hole. Pi-hole’s default id/password is pi:raspberry.

[screenshot: default id/pwd]

Let’s try that using ssh:

ssh pi@10.10.10.48
[screenshot: initial shell]

Initial shell obtained. That’s pretty straightforward.

Note: I did spend some time searching for exploitable vulnerabilities on other services including Pi-hole, dnsmasq and Plex before this. A classic example of why we should try the default id/password first.

User flag is obtained easily:

Privilege Escalation

Getting to root is also simple:

[screenshot: root shell]

User pi can use sudo freely. sudo su brings us to root straight away. Now, on to the root flag:
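The root cause here is the sudoers rule, not a bug, so the fix is a configuration review. The following is an added example, not code from the original writeup: a small audit that parses sudoers-style lines and flags grants the way a hardening check would. The sudoers content is constructed; the pi line mirrors the passwordless full grant a stock Raspberry Pi image ships, which is exactly what lets sudo su succeed without a prompt, and the hardened variant shows the same file with pi reduced to one scoped, password-protected command.

```python
import re

# Constructed sudoers content (not taken from the box). The 'pi' line is the
# Raspbian-style grant: any command, as anyone, with no password prompt.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync   # scoped grant
"""

# Same file after tightening: pi keeps one specific command, password required.
# The service name is only a plausible placeholder for this example.
HARDENED_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
pi      ALL=(root) /bin/systemctl restart dnsmasq
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

# who  host = (runas) TAG: TAG: cmd, cmd   (simplified sudoers grammar)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> list:
    """Return one dict per user-specification line; Defaults and comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        rule["tags"] = [t.strip() for t in rule["tags"].split(":") if t.strip()]
        rule["cmds"] = [c.strip() for c in rule["cmds"].split(",")]
        rules.append(rule)
    return rules


def audit(text: str) -> list:
    """Flag grants by how much they hand out: (who, severity, commands)."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue                    # root gains nothing from sudo
        any_cmd = "ALL" in rule["cmds"]
        no_pw = "NOPASSWD" in rule["tags"]
        if any_cmd and no_pw:
            sev = "high"                # unrestricted root, no credential: the Mirai case
        elif any_cmd:
            sev = "medium"              # unrestricted root behind the user's own password
        elif no_pw:
            sev = "low"                 # scoped command; review that it cannot reach a shell
        else:
            continue
        findings.append((rule["who"], sev, ", ".join(rule["cmds"])))
    return findings


if __name__ == "__main__":
    for label, text in (("stock", SAMPLE_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(label)
        for who, sev, cmds in audit(text):
            print(f"  {sev:6s} {who:8s} {cmds}")
```

Run against a real host by feeding it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*`; the parser deliberately ignores aliases and Defaults lines, so treat it as a first pass rather than a full sudoers grammar.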

[screenshot: root flag info]

Ok. The root flag is less straightforward than getting a root shell. lol

It hinted we may find it on the USB stick. So I ran the command df:

[screenshot: df output]

Looks like /media/usbstick is the spot. Let’s check it out.

[screenshot: /media/usbstick]

Ok. We got a second hint that the files were deleted by James. Great.

In general, deleting a file does not actually clear its data from the drive. Only the directory entry that references the data is removed; the data blocks stay in place until the filesystem reuses them for something else. So we may still be able to find the information by examining what is stored on the raw device. Let’s make a copy of the USB drive using the command dd.

dd if=/dev/sdb of=/tmp/usb.image
[screenshot: dd output]

Then we can pull the printable text out of usb.image with strings.

strings /tmp/usb.image
[screenshot: root flag]

There we go. We found the root flag! Mission accomplished.
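To make the "deleted but not gone" point concrete, here is an added example that is not part of the original writeup. It builds a toy disk image (a constructed header, one fixed-size name entry and one data block; not a real filesystem), "deletes" the file the way an unlink does by clearing only the name entry, and then recovers the contents with a strings(1)-style scan of the raw bytes, which is the same idea as running strings over the dd copy above. It also shows the limit of the technique: once the filesystem reuses the freed block, the scan finds nothing. The flag value is a constructed 32-hex placeholder, and the only thing filtering on that shape assumes is the usual HTB flag format.

```python
import re

# Constructed toy image layout: 8-byte header, one 16-byte name entry, one data
# block. Offsets and contents are made up for this example only.
HEADER = b"BOOT" + b"\x00" * 4
ENTRY_LEN = 16
FILE_NAME = b"root.txt"
FLAG = b"0123456789abcdef0123456789abcdef"      # constructed placeholder, 32 hex chars
DATA_BLOCK = b"\x00" * 16 + FLAG + b"\x00" * 16


def build_image(deleted: bool) -> bytes:
    """Return the toy image. deleted=True zeroes the name entry, as an unlink
    would, while leaving the data block exactly as it was."""
    entry = FILE_NAME.ljust(ENTRY_LEN, b"\x00")
    if deleted:
        entry = b"\x00" * ENTRY_LEN
    return HEADER + entry + DATA_BLOCK


def list_names(image: bytes) -> list:
    """What a normal directory listing would show: names from the entry area."""
    start = len(HEADER)
    name = image[start:start + ENTRY_LEN].split(b"\x00", 1)[0]
    return [name.decode("ascii")] if name else []


def reuse_block(image: bytes, new_contents: bytes) -> bytes:
    """Simulate the filesystem handing the freed data block to a new file."""
    start = len(HEADER) + ENTRY_LEN
    block = new_contents.ljust(len(DATA_BLOCK), b"\x00")[:len(DATA_BLOCK)]
    return image[:start] + block + image[start + len(DATA_BLOCK):]


def carve_strings(image: bytes, min_len: int = 4) -> list:
    """strings(1)-style scan: every run of at least min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for byte in image + b"\x00":          # trailing NUL flushes the last run
        if 0x20 <= byte < 0x7F:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


HTB_FLAG_RE = re.compile(r"\b[0-9a-f]{32}\b")   # assumed flag shape: 32 hex chars


def find_flags(image: bytes) -> list:
    """Carve printable strings from the raw image and keep the flag-shaped ones."""
    hits = []
    for s in carve_strings(image):
        hits.extend(HTB_FLAG_RE.findall(s))
    return hits


if __name__ == "__main__":
    live = build_image(deleted=False)
    wiped = build_image(deleted=True)
    reused = reuse_block(wiped, b"new file written later")
    print("listing before delete:", list_names(live))
    print("listing after delete: ", list_names(wiped))
    print("carved after delete:  ", find_flags(wiped))
    print("carved after reuse:   ", find_flags(reused))
```

The defensive takeaway is the reuse_block case in reverse: data on removable media that must not be recoverable needs an overwrite or full-disk encryption, not an rm.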

Thank you for the box Mirai, Arrexel!
