After adding this to my hosts file, I kicked off my autorecon and let it rip while I grabbed a drink. As the full nmap scan finished, we see Ports 22, 53, 80, 1615, 32400, and 32469 open.
OpenSSH 6.7p1 is a pretty new version, so no real exploits there. The next step in enumeration is to start looking up the versions of the software on each port and see what we can find.
There’s a series of exploits available for dnsmasq 2.76, but none look like they’ll allow for Remote Code Execution, so on we go!
Browsing to port 80 on the web server we find that we are blocked by Pi-Hole. Pi-Hole is a dns blocker that runs on Raspberry Pis.
Doing a search for Raspberry Pi default credentials lets us find credentials of pi:raspberry. This works for ssh!
It’s always great when you see (ALL : ALL) ALL, and (ALL) NOPASSWD: ALL. Quickly do a ‘sudo su’, and we’re root. Now to find some flags!
One down, looking for the root flag though proves a little trickier!
After some googling showing how to mount a USB stick into Linux, I checked the /media folder. Inside was a usbstick folder! Could it be too good to be true?
However, if you go to /dev, and cat sdb, which is the second mounted device, you can filter through the wreckage and find the flag!
That’s all she wrote for this one! A bit trickier than my last boxes, but great teaching box! Thanks to HackTheBox!