Writeup – HTB – Mirai

After adding this to my hosts file, I kicked off my autorecon and let it rip while I grabbed a drink. As the full nmap scan finished, we see ports 22, 53, 80, 1615, 32400, and 32469 open.

Oh boy! Plex!

OpenSSH 6.7p1 is a pretty new version, so no real exploits there. The next step in enumeration is to start looking up the versions of the software on each port and see what we can find.

There’s a series of exploits available for dnsmasq 2.76, but none look like they’ll allow for Remote Code Execution, so on we go!

No luck with port 53? We shall see.

Browsing to port 80 on the web server, we find that we are blocked by Pi-hole. Pi-hole is a DNS blocker that runs on Raspberry Pis.

Blocked, but good info! It’s a Pi-hole!

Doing a search for Raspberry Pi default credentials lets us find credentials of pi:raspberry. This works for SSH!

And we’re in!

It’s always great when you see (ALL : ALL) ALL, and (ALL) NOPASSWD: ALL. Quickly do a ‘sudo su’, and we’re root. Now to find some flags!

user.txt on the Desktop!

One down! Looking for the root flag, though, proves a little trickier!

How do I find a USB stick on Linux?

After some googling showing how to mount a USB stick on Linux, I checked the /media folder. Inside was a usbstick folder! Could it be too good to be true?

Yes – yes, it could be too good to be true.

However, if you go to /dev and cat sdb, which is the second mounted device, you can filter through the wreckage and find the flag!

Obfuscated root flag above!
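
The "filter through the wreckage" step can be done the way a forensic examiner would: carve printable strings out of the raw device, with their offsets, and keep only the ones that look like the value you want. This is an added example, not part of the original writeup; the function names, the 32-character hex pattern and the sample image are assumptions constructed for illustration.

```python
import io
import re

PRINTABLE = bytes(range(0x20, 0x7F))
RUN = re.compile(rb"[\x20-\x7e]{4,}")  # strings(1) default: 4+ printable bytes
# Assumption: the value sought is a lone 32-character lowercase hex string.
HEX_TOKEN = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")

# Constructed sample image: names and "deleted" file content that still sit in
# raw blocks even though nothing in the mounted filesystem references them.
TOKEN = "0123456789abcdef0123456789abcdef"  # constructed, not a real flag
SAMPLE_IMAGE = (
    b"\x00" * 1024 + b"lost+found\x00root.txt\x00" + b"\xff" * 500
    + b"files removed\n" + TOKEN.encode() + b"\n" + b"\x00" * 2048
)


def carve_strings(stream, chunk_size=1 << 20):
    """Yield (offset, text) for each printable ASCII run in a raw device or image."""
    base, buf = 0, b""  # base is the absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        buf += chunk
        # Hold back a trailing printable run until more data (or EOF) arrives,
        # so a string that straddles two chunks is not split in half.
        cut = len(buf) if not chunk else len(buf.rstrip(PRINTABLE))
        for m in RUN.finditer(buf[:cut]):
            yield base + m.start(), m.group().decode("ascii")
        base, buf = base + cut, buf[cut:]
        if not chunk:
            return


def find_tokens(stream, pattern=HEX_TOKEN, chunk_size=1 << 20):
    """Return [(offset, token)] for every match of `pattern` inside a carved string."""
    hits = []
    for off, text in carve_strings(stream, chunk_size):
        hits += [(off + m.start(), m.group()) for m in pattern.finditer(text)]
    return hits


if __name__ == "__main__":
    # For a real case, pass a read-only handle to an acquired image instead.
    for offset, token in find_tokens(io.BytesIO(SAMPLE_IMAGE)):
        print(f"{offset:#010x}  {token}")
```

The reported offset lets you go back to the surrounding blocks in a hex viewer, which plain `cat` output does not give you.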

That’s all she wrote for this one! A bit trickier than my last boxes, but a great teaching box! Thanks to HackTheBox!