MIRAI
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLpAKxsd4R8JAHdOUWkVEOsr0urSKf_t_Oc5YSd0ckLwqf0N0g2GQc5mAykvkw6AhhUW8K9n0RvVgk-nNI-JmoiQbPVmJoFLQZ5KsmYpS_pMqVoNvU-ys3soncgs9eY1BzuA0uC4lccbbb/s640/screenshot.20.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Mirai, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu/
2 - ENUMERATION
- Mirai's IP is 10.10.10.48:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7JMPLCNp7ORwlrNYCMoyK98OzkmMRemveGilrZdIleVvPZ0H3vA_wKZ7ft2BXFldNC566Z5HONqF18HTJoqoQvcGejNmk5IFNQpv7yR1PeFoLzyv5D96ECRX9583EeS0Ee6CEuee5Gmj_/s400/screenshot.2.jpg)
- Scanning with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdAKuVtFhtLjC4GX5QUZWyzOHsEHdeZKJuup-PTtsKLSv8NyxW9zcqDG46no5s-tedjov8Ins5-JZN0Hx0myZvh6a9qITWo-Yq5897T5b8CshvW1p3ROo9Z8gBq0x-5X2zODhzwsb6Wolm/s1600/screenshot.3.jpg)
- Scanning ports 22, 53 and 80 in more depth:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQIJct20SpQ1Xgo06-8UIt62Kpdf527XSl9ubeCm6oGz50dLmyZEjVz3JW1M2f_v2BNxnCXfgM6SUVAivcH9Q3X4c-wfb3-VesVYL-nWTUaJsIB2NVkpUibEX5qEcrnzfdBFOEBbjKb_r/s1600/screenshot.4.jpg)
- Dirbusting the web server, we find the folder /admin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCz4acFH0hrQsDdq3TftvUT0sT58hfkxmn5mJrg0fuLhmYTukRPVFFj_Nh1SfWPnCnrWOTSgWi7vKiU5lBit7pms26GDJSziswV5H5_PQO34uZbJ826TrdRvw8nl_TE7pj6tnzJcHflvE6/s1600/screenshot.6.jpg)
- Connecting with the browser:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkP6ygYpr_46fXjw3FXzqgKFos7fCXGTNixcnctv0watq3IrulS6U4hEsA_54xWBoOQKChIIw9skHpGNbADuFXNoXRpzKd41eazsDH89vwrP9Hyh-XznksDGME5gyhRqbVYyy_rR7-Qdv9/s1600/screenshot.7.jpg)
- Pi-hole is a network-wide ad blocker, typically run on a Raspberry Pi, that blocks advertisements on all devices connected to a home network:
https://www.raspberrypi.org/blog/pi-hole-raspberry-pi/
3 - EXPLOITATION
- The default SSH credentials for a Raspberry Pi are pi:raspberry:
https://www.raspberrypi.org/documentation/linux/usage/users.md
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5VWpUcjR7Pa0ZfSg2uSAet80nynFhEGUhiTZX6K1vvuqyuDa-HWfceudlS1WQFCiotD0wQ6ghbY6IC-sJj-00d3TsPDzx0fQD5WngcItGlWy_8YOUSq6RQNanuMP1WZR5_CJxljpuNiZW/s640/screenshot.21.jpg)
- In this case there is no need for an exploit, because the SSH connection with the default credentials succeeds:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu1SpmqDt9u-etmEHkVzbyOiQy_UWbN-FAXB8fYihvb9B3dIDtk377GgtG24vLIbvJvIzUD3JlbSmW4lSir2hAzWqXOq5pOxc9_rzdrbWGjJ3IVxGsfV3VE8kZd1r96ncSH2MtjATox42k/s1600/screenshot.8.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmC7dEg0RWJqAMGKGLHvDgGtA3BEXiOYvPywqjr11cjyOACfVY9iKXk2SPXMLQJ7H6iWZwfSSImA9bAOGDlyJOlt7Ca4oVmtPCUdtnFc105hW9CVJsYUMXUmBkFKv-Tdr616jpfhlF2JQ_/s1600/screenshot.9.jpg)
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzLkCAa6HNDXlN1aBC9wGC-7wePzfpkop-rWCcR5zSrFiDA4ipBRb-nmsAoeHWHHnp1nWZrd0-Et7T08FcfTIgEEpOZn5_mJOaVESFByKNsu3hyIcyN-Wf7Bq7m0xwFjGGAHlca2x16Ows/s1600/screenshot.11.jpg)
5 - PRIVILEGE ESCALATION
- Checking sudoer privileges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm0K_12iWXfhaze-g_AnsWqdDPZGNyMTslEsIu8qkXbJ1xJfxiJdBpHFIJAJ-2WZOprBLKMUXdnZj_TKyKcCEoctWtnLqAvA805liu7UDZ4XSVKyuJMKj32zcLX5zPNMXE21JeF_O9eaFN/s1600/screenshot.10.jpg)
- Starting a bash shell as the root user:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRk803vmVS1MfCbkkeFK1SfisWPwTZ7g4rd1vjks79C7zCzXfIQ9Z2iTTkrmJEfU5-jEptx_tzU6y_9kUXAJ6kO25PTHEypnyvILbe86pmc6JZjtK9ycvAORrrIPrqVVn_25YnN_ctmcL5/s1600/screenshot.12.jpg)
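- Added example (not part of the original write-up): from the defender's side, the chain in sections 3 and 5 (password login to the default pi account, then a root shell through sudo) leaves two lines in the authentication log that can be correlated. The log lines, addresses and the `ROOT_SHELLS` list below are constructed assumptions:

```python
import re

# Constructed auth.log lines for illustration; hosts, PIDs and addresses are made up.
SAMPLE_AUTH_LOG = """\
Aug 14 10:01:02 raspberrypi sshd[801]: Failed password for root from 10.10.14.7 port 40110 ssh2
Aug 14 10:01:09 raspberrypi sshd[803]: Accepted password for pi from 10.10.14.7 port 40112 ssh2
Aug 14 10:01:40 raspberrypi sudo:       pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/bin/bash
Aug 14 11:15:00 raspberrypi sshd[950]: Accepted publickey for admin from 192.168.1.20 port 50022 ssh2: RSA SHA256:constructed
Aug 14 11:16:00 raspberrypi sudo:    admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Assumption: accounts that ship with a publicly documented password.
DEFAULT_ACCOUNTS = {"pi"}
# Assumption: commands that hand the caller an interactive root shell.
ROOT_SHELLS = {"/bin/bash", "/bin/sh", "/bin/su", "/usr/bin/su"}

SSH_OK = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_ROOT = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")

def find_default_account_abuse(log_text):
    """Return findings as (rule, user, source_address) tuples, in log order."""
    findings = []
    password_sessions = {}  # user -> source address of the latest password login
    for line in log_text.splitlines():
        m = SSH_OK.search(line)
        if m:
            method, user, src = m.groups()
            if method == "password" and user in DEFAULT_ACCOUNTS:
                password_sessions[user] = src
                findings.append(("password-login-default-account", user, src))
            else:
                # A key-based login replaces any earlier password session for that user.
                password_sessions.pop(user, None)
            continue
        m = SUDO_ROOT.search(line)
        if m:
            user, command = m.groups()
            if user in password_sessions and command in ROOT_SHELLS:
                findings.append(("root-shell-after-default-login", user,
                                 password_sessions[user]))
    return findings

if __name__ == "__main__":
    for finding in find_default_account_abuse(SAMPLE_AUTH_LOG):
        print(finding)
```
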
6 - CAPTURING THE 2nd FLAG
- Reading root.txt, there is a hint about the original root.txt:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggqditiKmPggApexrlDfsZi_edSyHfY9NSkJK2siW2wiaon2_xJz_VgUtxUVRcfix4_M4hv5BbhVIQxjcDnCBeukFrfW1BhfzTl4logv5SBQABOUpPhuwwoqdIaF3wlFUUF65M3TX9RXqt/s1600/screenshot.13.jpg)
- df displays the amount of available disk space for file systems:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOS8M_ozWzzHd9mJA0_xgSAyEVCRWYz5UoX5ImimDw91VOsi2fwrQyQDuaqGhjMGPz2iSZQ3raJMIXlqb0AeJIz9aeDcMnZ4AoSD4il5ZZHr4JL93y2kWHP-a88SQmpFFlMi3U7tG4dwpd/s1600/screenshot.14.jpg)
- Going to /media/usbstick, there is a text file that probably holds interesting information:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5pDvZ1Xxatqq0uuk34n48cEnbLAvu-4y4IJl54EIGnyoGa6DBcS9yEG54AF7FXsdfzuSuZR5nrkV3MZ3OILNBk6paxIQ3PMhi49DQm9GOI_o-bA8a4LEHoc-HNkv8FOLxO4-LJaro7e-h/s1600/screenshot.15.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0d67iX9UkKr2Nu5soZgIo9kuj-fzjHfPGIxSrHb0b1kSGNTORUWrqjCEeWDp3rzhbKN8f61_VC4nrStQq_GzVuMfmJiH7ZGHgO-6BGgLa7-sKMwIPzy5ADpCt9s6bfNLhAHpJc66OmvxE/s1600/screenshot.16.jpg)
- So it seems that the original root.txt has been accidentally deleted.
- Reading the content of the disk b, we find the 2nd flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgevW8DszAt2pG-s6rIFpI2gdXRe6VjyRGAYiujjCT7_DzJi9LctPKWZaRFIqt7y51qni6yZ5mVikEqHyGnFS4J3aJWavVMugmuj9HfbD4TpfKGIXQShEfDaD4eqi2EhQuYXExPoLoqXDS8/s400/screenshot.17.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmC_2R47_1-EKVUOvUILxIqhIPUIsF8PfJzFyYx-E_cKauaFb2TMYD76ZSnRoXOvie8TcTreOKBLK-ryyOFZj1DgAOlOBNeAUiTCYtK_pza9uMLL8SxWNMAtxa5Joa3O1-SPRl46_JlPTK/s1600/screenshot.18.jpg)
- The strings command also reveals the 2nd flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmLG1PNtPjcDfYyMAVZZS7XLW9mafl421Q1L4fTdIP0yfx5aUUevX2BDdS2hfuqqt3k0nSfcuxphREcqYdlOW9iJhUFatBT-mnLZDqAcQ1iU_UgynK6rBZyHIpnRAP0AgHmzmQrkADos1p/s1600/screenshot.1.jpg)
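- Added example (not part of the original write-up): why reading the raw disk or running strings still finds a deleted file, and what actually removes it. The image layout, offsets and secret below are a constructed model, not a real file system; the scanner is a simplified strings-style carver that keeps runs crossing a read boundary intact:

```python
import io

PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}
BLOCK = 4096
NAME_OFFSET = 100                 # constructed: where the directory entry lives
DATA_OFFSET = BLOCK - 6           # constructed: content straddles a block boundary
SECRET = b"CONSTRUCTED-SECRET-0123456789abcdef"

def carve_strings(stream, min_len=8, chunk_size=BLOCK):
    """Yield (offset, text) for each run of printable ASCII of at least min_len bytes."""
    run, run_start, pos = bytearray(), 0, 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for byte in chunk:
            if byte in PRINTABLE:
                if not run:
                    run_start = pos
                run.append(byte)      # the run survives across chunk reads
            else:
                if len(run) >= min_len:
                    yield run_start, run.decode("ascii")
                run.clear()
            pos += 1
    if len(run) >= min_len:
        yield run_start, run.decode("ascii")

def build_image():
    """Three zeroed blocks holding one file name and that file's content."""
    image = bytearray(3 * BLOCK)
    image[NAME_OFFSET:NAME_OFFSET + 8] = b"root.txt"
    image[DATA_OFFSET:DATA_OFFSET + len(SECRET)] = SECRET
    return image

def delete_file(image):
    """Model an ordinary delete: only the directory entry is cleared."""
    image[NAME_OFFSET:NAME_OFFSET + 8] = bytes(8)

def wipe_data(image):
    """Model the mitigation: overwrite the data blocks themselves."""
    image[DATA_OFFSET:DATA_OFFSET + len(SECRET)] = bytes(len(SECRET))

def recovered(image):
    return [text for _, text in carve_strings(io.BytesIO(bytes(image)))]
```

After `delete_file` the content is still recovered from the raw image; only `wipe_data` leaves nothing for the scan to find.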