Hack The Box Mirai HTB CTF Machine Walkthrough
Today we are going to solve the Mirai CTF challenge, which is available on Hack The Box. It is an easy box, and at this time the machine has been retired. Along the way you will learn about directory scanning, sudo rights, the strings command, etc.
Table of Contents
Scanning
- Port Scanning (Nmap Tool)
Enumeration
- Directory Scanning through Gobuster
Exploitation
- No Exploit Needed (Default Creds)
- Read (User.txt)
Privilege Escalation
- Sudo Rights (ALL : ALL)
- Read (root.txt)
Scanning
As usual, we start by scanning the target. Nmap is arguably the best tool for network scanning.
nmap -sC -sV -oA nmap/mirai 10.10.10.48
I found three open ports: 22 (SSH), 53 (DNS) and 80 (HTTP).
Enumeration
Most penetration tests include a directory scanning phase. Kali Linux ships with several directory scanning tools for the penetration tester. Gobuster is a popular one, and we will use it here. Run the command below.
gobuster dir --url http://10.10.10.48/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 --no-error
Gobuster found some interesting directories.
/admin
/versions
Based on this, let's open the web page and check the Mirai versions. It may be a vulnerable version, and the host looks like a Raspberry Pi. After some research on Google, we found that Mirai is not vulnerable. Let's explore the admin page.
Next we need a username and password. Google is the most suitable place to look for default credentials.
Sometimes default usernames and passwords still provide login access. We got the default credentials from the official Raspberry Pi website. Let's try the default SSH credentials on the Raspberry Pi.
Exploitation
I logged in with the default credentials, and the login was successful.
ssh pi@10.10.10.48
- Username: pi
- Password: raspberry
Congrats! We have gained our first user.txt flag.
Privilege Escalation
Let's proceed to the privilege escalation stage. I noticed something special in the sudo rights: the user can switch to root without any password. Run the commands below.
sudo -l
(ALL : ALL) ALL
sudo su
As soon as we executed the above command, we got a root shell. We noticed the root.txt file and got a hint that our root flag is on a USB stick.
I guessed that the USB stick's files may be stored in the media folder. Let's enter the media/usbstick folder, where we find some text files.
cat damnit.txt
Oops! James has accidentally deleted the root.txt file. Don't worry, we will recover it. Let's move back to the root directory and type the following command.
strings /dev/sdb
Congrats! We have gained our second flag, root.txt.
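Why strings /dev/sdb recovers the file: deleting a file removes its directory entry, but the data blocks stay on the device until something overwrites them, so a raw scan for printable text still finds the content. The sketch below is an added example, not part of the original walkthrough; it reimplements the printable-run scan with byte offsets over a constructed in-memory image (the block size, file names and the "secret" value are made up for illustration).

```python
import io
import re

BLOCK = 512  # block size of the constructed image (assumption)

def iter_strings(stream, min_len=4, chunk_size=4096):
    """Yield (offset, text) for runs of printable ASCII at least min_len long.

    Reads fixed-size chunks so a whole device never has to fit in memory;
    a run that spans two chunks is carried over in `run`.
    """
    run, start, pos = bytearray(), 0, 0
    while chunk := stream.read(chunk_size):
        for b in chunk:
            if 0x20 <= b <= 0x7E or b == 0x09:   # printable ASCII or tab
                if not run:
                    start = pos
                run.append(b)
            else:
                if len(run) >= min_len:
                    yield start, run.decode("ascii")
                run.clear()
            pos += 1
    if len(run) >= min_len:                       # run that reaches end of input
        yield start, run.decode("ascii")

def recover(stream, pattern, **kw):
    """Return the (offset, text) hits whose text matches the regex `pattern`."""
    rx = re.compile(pattern)
    return [(off, s) for off, s in iter_strings(stream, **kw) if rx.search(s)]

def build_sample_image():
    """Constructed 4-block image: a live file plus the leftover data block of
    a deleted file (no directory entry points at it any more)."""
    img = bytearray(BLOCK * 4)
    img[BLOCK:BLOCK + 8] = b"note.txt"                    # surviving dir entry
    note = b"the file was deleted by accident\n"
    img[2 * BLOCK:2 * BLOCK + len(note)] = note
    leftover = b"constructed-secret-0123456789abcdef\n"   # not a real flag
    img[3 * BLOCK:3 * BLOCK + len(leftover)] = leftover
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_image()
    for off, s in iter_strings(io.BytesIO(image)):
        print(f"{off:8d}  {s}")
    print(recover(io.BytesIO(image), r"[0-9a-f]{16}"))
```

The same behaviour is why a plain delete is not enough for sensitive files on removable media: the content has to be overwritten, or the volume encrypted, before the data is actually gone.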