HackTheBox: Mirai

Easy | HTB | Linux | Raspberry Pi | Default Credentials | Data Recovery | 2018-02-10 | 3 min read

This was my first write-up, for the Mirai box on Hack the Box. We will cover breaking in as user pi and recovering both flags, including a deleted root flag from a USB stick's raw block device.

Breaking In

First, we scan the server for open ports using nmap.

nmap -sV -sC -oA output 10.10.10.48

Options used:

  • -sV — determine service/version information
  • -sC — use default scripts
  • -oA — output in all three major formats at once

nmap scan results

The scan reveals three active ports: 22 (SSH), 53 (dnsmasq), and 80 (HTTP).

Opening http://10.10.10.48:80 in the browser shows an empty page with nothing of interest in the source code.

empty web page

We enumerate directories with dirb.

dirb http://10.10.10.48 -r -o mirai.dirb

Options used:

  • -r — no recursive scan
  • -o — save results to output file

dirb directory scan results

The scan surfaces /admin/. Opening it reveals a Pi-hole admin panel.

Pi-hole admin panel

Pi-hole is ad-blocking software commonly run on Raspberry Pi hardware. Knowing this, we search for the default SSH credentials. The official Raspberry Pi documentation confirms the defaults: user pi, password raspberry.

Raspberry Pi SSH documentation

We try them immediately.

ssh pi@10.10.10.48

SSH login successful as pi

We are in.

Enumeration

We check our identity and privileges.

id

id output — uid 1000

We have uid=1000(pi). Next, we check what commands we can run as root.

sudo -l

sudo -l output — ALL commands allowed

We can run all commands as root with no password. We escalate immediately with sudo -i and drop into a root shell.

Getting the Flags

Checking the root flag in root's home directory produces an unexpected message.

cat root.txt — message about USB backup

Note

I lost my original root.txt! I think I may have a backup on my USB stick.

We run mount to find any attached USB storage.

mount output showing USB stick

We navigate to /media/usbstick/ and read the only file there, damnit.txt.

cat damnit.txt — James deleted the files

Note

Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? — James

The file was deleted, but in Unix everything is a file, including block devices. Deleting a file removes its directory entry, while the data itself often remains on the raw device until it is overwritten. We read the entire USB device directly with strings.

strings /dev/sdb

root flag recovered from raw block device

The root flag is recovered from the unallocated space of the device.
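
Why this works, and what actually removes the data, as an added example that is not part of the original write-up: a toy model of a block device in which deleting a file clears only its directory entry, followed by a simplified strings-style scan of the raw bytes. The image layout, the function names and the sample value are constructed for illustration and do not reflect the real filesystem on the box.

```python
import re

BLOCK = 512  # toy block size for the constructed image


def build_image() -> bytearray:
    """Constructed 4-block image: block 0 is a toy directory, block 2 holds file data."""
    img = bytearray(BLOCK * 4)
    img[0:8] = b"root.txt"   # directory entry: file name ...
    img[15] = 2              # ... and the number of its data block
    secret = b"CONSTRUCTED-FLAG-0123456789abcdef\n"  # constructed sample value
    img[2 * BLOCK:2 * BLOCK + len(secret)] = secret
    return img


def delete_entry(img: bytearray) -> None:
    """Model a delete: only the directory entry is cleared, the data block stays."""
    img[0:16] = bytes(16)


def wipe_block(img: bytearray, block_no: int) -> None:
    """Model sanitization: overwrite the data block itself with zeros."""
    img[block_no * BLOCK:(block_no + 1) * BLOCK] = bytes(BLOCK)


def printable_runs(data: bytes, min_len: int = 4):
    """Return (offset, text) for each run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(bytes(data))]


if __name__ == "__main__":
    img = build_image()
    delete_entry(img)
    print("after delete:", printable_runs(img))   # data block still readable
    wipe_block(img, 2)
    print("after wipe:  ", printable_runs(img))   # nothing left to recover
```

The scan still finds the file content after the delete and finds nothing only once the data block itself has been overwritten, which is the gap between deleting a file and sanitizing the media.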

Finally, we grab the user flag from pi's home directory.

user flag

Both flags captured. Mirai is a straightforward box that teaches two important lessons: default credentials are dangerous, and deleted data is not always gone. Thank you for following along, be happy, and keep hacking.
