Hack The Box Mirai HTB CTF Machine Walkthrough

Hack the Box Mirai CTF Challenge

Today we are going to solve the Mirai CTF challenge, which is available on Hack the Box. It is an easy CTF box, and the machine has since been retired. Along the way you will learn about directory scanning, sudo rights, the strings command, and more.


Table of Contents

Scanning

  • Port Scanning (Nmap Tool)

Enumeration

  • Directory Scanning through Gobuster

Exploitation

  • No Exploit Needed (Default Creds)
  • Read (User.txt)

Privilege Escalation

  • Sudo Rights (ALL : ALL )
  • Read (root.txt)

Scanning

As usual, we first scan the target network. Nmap may be the best tool for network scanning. For more information regarding the Nmap command, follow the link below.

nmap -sC -sV -oA nmap/mirai 10.10.10.48

I found that port 22 (SSH), port 53 (DNS), and port 80 (HTTP) are open.

Nmap Scan

Enumeration

In most penetration tests, we need directory scanning. Kali Linux ships several directory scanning tools for the penetration tester. Gobuster is a popular one, and we will use it here. Run the command below.

gobuster dir --url http://10.10.10.48/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 200 --no-error

We have encountered some exciting directories.

/admin
/versions

Directory Scan

According to the above information, let's open the web page and check the Mirai versions. It may be a vulnerable version, and the host looks like a Raspberry Pi. After some research on Google, we noticed that Mirai is not vulnerable. Let's explore the admin page.

Admin Page

We will look for its username and password. I think Google is the most suitable place to find default credentials.

Mirai Login Page

Sometimes default usernames and passwords provide login access. We got the default credentials from the official Raspberry Pi website. Let's try the default SSH credentials on the Raspberry Pi.

Default Username&Password

Exploitation

As soon as I logged in with the default credentials, the login was successful.

ssh pi@10.10.10.48
  • Username: pi
  • Password: raspberry

Congrats! We have gained our first user.txt flag.

Got user.txt file

Privilege Escalation

Let's proceed to the privilege escalation stage. I noticed something special in the sudo rights: the user can switch to root without any password. Run the commands below.

sudo -l

(ALL : ALL) ALL

sudo su 

As soon as we executed the above command, we got a root shell. We looked at the root.txt flag and got a hint that our root flag is on a USB stick.

Sudo Rights

I guessed that the USB stick's files may be stored in the media folder. Let's enter the media/usbstick folder, where we found some text files.

cat damnit.txt

Usbstick

Oops! James has accidentally deleted the root.txt file. Don't worry, we will recover it. Let's move back to the root directory and type the following command.

strings /dev/sdb

Congrats! We have gained our second root.txt flag.

Got Root.txt file
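
Why strings on the raw device still finds a deleted file, and why overwriting the data first prevents it. This is an added example, not part of the original walkthrough: the three-block image layout, the sample flag value and all function names are constructed for illustration and do not model any real filesystem.

```python
import re

BLOCK = 512  # block size of the toy image (assumption)
SECRET = b"constructed-flag-0123456789abcdef\n"  # sample data, not a real flag

def make_image() -> bytearray:
    """Toy 3-block 'device': block 0 holds one directory entry, block 2 the file data."""
    img = bytearray(BLOCK * 3)
    # Entry layout (constructed): in-use flag, file name, NUL, data block number.
    entry = b"\x01root.txt\x00" + (2).to_bytes(2, "little")
    img[0:len(entry)] = entry
    img[2 * BLOCK:2 * BLOCK + len(SECRET)] = SECRET
    return img

def file_listed(img: bytes) -> bool:
    """True while the directory entry is still marked in use."""
    return img[0] == 0x01

def delete_file(img: bytearray) -> None:
    """An ordinary delete in this model: free the entry, leave the data block alone."""
    img[0] = 0x00

def wipe_file(img: bytearray) -> None:
    """Overwrite the data block with zeros, then free the entry."""
    img[2 * BLOCK:3 * BLOCK] = bytes(BLOCK)
    delete_file(img)

def printable_runs(raw: bytes, min_len: int = 4):
    """Return (offset, text) for every run of printable ASCII, as strings(1) reports."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(raw)]

if __name__ == "__main__":
    for label, action in (("deleted", delete_file), ("wiped", wipe_file)):
        img = make_image()
        action(img)
        print(label, "listed:", file_listed(img), "runs:", printable_runs(bytes(img)))
```

After an ordinary delete the file is no longer listed, yet its contents are still found at the data block's offset; after the overwrite only the leftover file name remains.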
