Mirai writeup HTB

Mirai

An easy box requiring default credentials to log into an unlikely place and the recovery of a deleted root flag off of a USB stick.

Discovery

I also ran a scan with rustscan. This modern port scanner, written in Rust, scans ports very quickly, which means it can identify the more unusual high ports that nmap's initial scan might have missed:

We can take a closer look at these ports by telling nmap to scan only them:

It looks like we have two web servers, running on ports 80 and 32400.

Web server (port 32400)

I have the option to sign up and make an account, but it leads to nothing interesting. We also can’t seem to guess the admin account’s password (if there even is one). Let’s move on for now.

Web server (port 80)

Cool, a blank web page. Since I couldn't find any subdomains with dig or nslookup (tools for querying DNS servers; there was an open DNS server on port 53), I ran a gobuster scan to brute-force directories and pages. We find the /admin page:

This is a dashboard, but it doesn't look like we are logged in as anything. To start a session, we only need a password:

Shell as pi

A quick Google search showed me that the default credentials for a pre-configured Pi-hole application are pi:raspberry. However, the password "raspberry" doesn't work here. Instead, it seems the password was randomly generated by the pihole utility when it was first installed. I tried to brute-force this password with hydra and the rockyou.txt wordlist, but to no avail. I also tried to search for known exploits of the Pi-hole version and found a few, but they were all authenticated exploits. This meant I absolutely needed this password to proceed. This was very frustrating.

About an hour later, I looked at the tags for this machine and noticed "default credentials" as one of them. Then it struck me. I could try to log in to SSH with the default credentials pi:raspberry:

Privilege escalation

The user pi is basically root:

Our challenge is not over, however. We get a nice surprise when opening the root.txt file:

I check the mount points on the machine to try and find the USB stick:

We found it! But we have another surprise waiting for us:

Nice one, James. Thankfully, when you delete a file, its contents aren't immediately erased. Instead, the file system marks the file as deleted and records the space it occupied as free. As long as that space hasn't been reused by another file, we should still be able to find the root flag somewhere on the device. You can find a nice article on file recovery here

In the /dev directory, there is a device file named sdb (mounted on /media/usbstick). Reading that device with cat or strings reveals the root flag:

It’s also possible to read the flag with a file recovery tool like Testdisk.
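The carving step above, as an added example of my own (not code from the original writeup): it reads a raw block device or image in chunks, extracts printable-ASCII runs the way `strings` does, carries a run across chunk boundaries so a flag split between two reads is not lost, and filters for the 32-hex-character HTB flag format. The image it scans is a constructed toy file, and the flag value is a placeholder, not a real flag.

```python
import os
import re
import tempfile

# Printable ASCII runs, like `strings` (default minimum length 4).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")
# HTB flags are 32 lowercase hex characters.
FLAG_RE = re.compile(rb"\b[0-9a-f]{32}\b")


def carve_strings(path, min_len=4, chunk_size=4096):
    """Yield printable runs from a raw device/image without loading it whole.

    A run that touches the end of a chunk may continue in the next one, so it is
    carried over instead of being emitted; a naive chunked grep would miss a flag
    straddling the boundary."""
    carry = b""
    with open(path, "rb") as dev:
        while chunk := dev.read(chunk_size):
            buf = carry + chunk
            carry = b""
            for m in PRINTABLE_RUN.finditer(buf):
                if m.end() == len(buf):
                    carry = m.group()  # may continue in the next chunk
                elif len(m.group()) >= min_len:
                    yield m.group()
    if len(carry) >= min_len:
        yield carry


def find_flags(path):
    """Return the unique flag-shaped strings found on the device, as text."""
    found = {f.decode() for s in carve_strings(path) for f in FLAG_RE.findall(s)}
    return sorted(found)


def build_sample_image(path, flag):
    """Constructed toy 'USB stick': 8 KiB of non-printable filler with the deleted
    file's data block intact and deliberately straddling the 4096-byte boundary."""
    data = bytearray(b"\xff" * 8192)
    content = b"Flag: " + flag + b"\n"
    data[4086:4086 + len(content)] = content
    with open(path, "wb") as img:
        img.write(data)


def demo():
    """Build the toy image in a temp file, carve it, and return the flags found."""
    flag = b"0123456789abcdef0123456789abcdef"  # placeholder value, not a real flag
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        build_sample_image(path, flag)
        return find_flags(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Pointing `find_flags` at a real device such as /dev/sdb requires read access to the block device, which is why the root-equivalent pi user could do it on the box.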