Today we are going to solve the Mirai CTF challenge, which is available on Hack the Box. It is an easy CTF box, and at this time the machine has been retired. You will learn about several topics along the way, for example directory scanning, sudo rights, the strings command, etc.
Table of Contents
Port Scanning (Nmap Tool)
Directory Scanning through Gobuster
Nothing Exploitation (Default Creds)
Sudo Rights (ALL : ALL)
As usual, we first scan the target. Nmap may be the best tool for network scanning. For more information about the Nmap command, follow the link below.
nmap -sC -sV -oA nmap/mirai 10.10.10.48
I found that port 22 (SSH), port 53 (DNS) and port 80 (HTTP) are open.
Most penetration tests include a directory scanning phase. Kali Linux ships several directory scanning tools for the penetration tester. Gobuster is a popular one, and we will use it here. Let's run the command below.
gobuster dir --url http://10.10.10.48/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 --no-error
We have encountered some interesting directories.
According to the above information, let's open the web page and check the Mirai version. It may be a vulnerable version, and the device looks like a Raspberry Pi. After some research on Google, we found that Mirai is not vulnerable. Let's explore the admin page.
Next we will look for its username and password. Google is the most suitable place to look up default credentials.
Sometimes default usernames and passwords provide login access. We got the default credentials from the official Raspberry Pi website. Let's try the default SSH credentials on the Raspberry Pi.
As soon as I logged in with the default credentials, the login was successful.
Congrats! We have gained our first user.txt flag.
Let's proceed to the privilege escalation stage. I noticed something special in the sudo rights: the user can become root without any password. Follow the command below.
(ALL : ALL) ALL
As soon as we executed the above command, we got a root shell. We looked at the root.txt flag and got a hint that our root flag is on a USB stick.
I guessed that the USB stick's files may be stored in the media folder. Let's enter the media/usbstick folder, where we found some text files.
Oops! James has accidentally deleted the root.txt file. Don't worry, we will recover the root.txt file. Let's move back to the root directory and type the following command.
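From the defender's side, `sudo -l` output can be audited for rules like the `(ALL : ALL) ALL` entry above. The following is an added example, not part of the original walkthrough: it parses constructed `sudo -l` output and grades each rule. The user name, host name and every rule except `(ALL : ALL) ALL` are assumptions made for illustration.

```python
import re

# Constructed `sudo -l` output. The first rule is the one shown on this page;
# the user name, host name and the other rules are made up for illustration.
SAMPLE = """\
Matching Defaults entries for svc on host:
    env_reset, mail_badpass

User svc may run the following commands on host:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl
    (backup) /usr/bin/rsync
"""

RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:]... commands"
TAG = re.compile(r"([A-Z_]+):\s*")              # NOPASSWD:, SETENV:, ...


def parse_rules(text):
    """Return one dict per rule line; only leading tags are handled."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers and Defaults lines do not start with "("
        user, _, group = m.group(1).partition(":")
        rest, tags = m.group(2).strip(), []
        while (t := TAG.match(rest)):
            tags.append(t.group(1))
            rest = rest[t.end():]
        rules.append({"user": user.strip(), "group": group.strip(), "tags": tags,
                      "commands": [c.strip() for c in rest.split(",")],
                      "raw": line.strip()})
    return rules


def audit(text):
    """Grade each rule: unrestricted root access first, then passwordless rules."""
    out = []
    for r in parse_rules(text):
        to_root = r["user"] in ("ALL", "root")
        nopasswd = "NOPASSWD" in r["tags"]
        if to_root and "ALL" in r["commands"]:
            out.append(("critical" if nopasswd else "high", r["raw"]))
        elif nopasswd:
            out.append(("review", r["raw"]))
    return out


if __name__ == "__main__":
    for severity, rule in audit(SAMPLE):
        print(f"{severity:8} {rule}")
```

A rule graded "high" still needs the account's password, which is no barrier when that password is a vendor default.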
Congrats! We have gained our second root.txt flag.