Hello friends, how are you? If you know about HackTheBox you will be pretty familiar with how it works. We will be covering the HackTheBox Mirai walkthrough, but for those of you who don’t know what HackTheBox is, it is a kind of lab for testing your system hacking skills and getting root using different techniques.
Introduction to the Machine:-
So let’s first talk about this machine. Just to clear things up, this machine retired yesterday, so write-ups are allowed. From the name “Mirai” you can tell a bit about what this machine is about. If you don’t know what it refers to, let’s get into its history.
Mirai was malware that scanned the internet for IoT devices with open ports and then tried to log in with 60 different factory-default username and password pairs. It then used those devices to perform DDoS attacks on different servers.
The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group.
So that was the brief history; now we will get into how I started my testing of this box.
Into The more Interesting Stuff:-
First, you need to connect to the HackTheBox VPN to access the network. Download the OpenVPN config file and connect using this command.
<user>@<host>:~# openvpn ./<filename>.ovpn
I can’t stress enough the importance of “Information Gathering”: whenever you begin your testing, scan everything with everything you’ve got. Run Nmap so you get a clear idea of which services are running and which ports are open on the server. Then search for exploits for those versions of the running services; that will give you a starting point.
That is what I did on this machine too.
As you can see in this screenshot, there are 4 open ports on that machine. After that, when I opened the machine’s IP in the browser, it was a simple blank page with nothing else running there. But when I saw that SSH was enabled on the machine, I thought of running DirBuster; it is a great tool for finding files and directories on a web server.
I used the default medium word list provided by DirBuster, and after a few seconds a directory popped up:
Now that looked interesting. I checked it out and it was running something named Pi-hole, so I decided to take a look at what it is and whether there is any default password for it or any exploit that could be used.
But there was nothing: the password is generated using a random function and there were no known exploits for it. After almost 2-3 hours of searching, the “Pi” in the name caught my eye, so I looked it up and found that it can be installed on a Raspberry Pi.
I knew that Raspbian comes with SSH enabled by default, so I tried to SSH in with the default credentials and wow, I was in 😀
The next step after that was to get the user flag, and that was easy:
Now the next step was to test whether the root user had a password set or was running on the default configuration. I figured that if SSH had the default username and password, then this must also be on default settings, so I tried it (you can also see that I changed the root account password using “sudo passwd”, but you can also do this):
After this I looked for the root flag in root.txt. I was happy that this was a really easy machine, until I cat’d the contents of root.txt; then my happiness turned into “what the hell”.
Then I ran
<user>@<host>:~# fdisk -l
so I found the USB disk on the system, which was already mounted in the OS at
Then on the USB drive there was damnit.txt; after seeing that, I was about to leave the machine:
So after seeing this, I decided to take a look at the recovery software TestDisk, but these are lab machines and usually you can’t just install anything, so now I really felt like leaving this machine. I already had the user flag, so I left it for some hours. After that I thought: it is a text document.
So I googled how to recover text files in Linux and found that you can recover deleted files using “grep”. There was a bit of hope, so I asked a friend, who confirmed that it can be done, and then I finally used grep to recover the file.
<user>@<host>:~# grep -a -B 35 -A 120 'root' /dev/sdb > result.txt
This was the reference article I used: https://spin.atomicobject.com/2010/08/18/undelete/
After reading result.txt, I found the root flag among the binary data.
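The grep-based recovery above, as an added example that is not part of the original post: a constructed image file with a placeholder flag stands in for /dev/sdb, and the raw bytes are searched for a string known to be in the lost file, the same way the command above carves root.txt off the USB stick. It also shows why this works: deleting a file removes its directory entry, but the data blocks stay on the device until they are overwritten.

```shell
#!/bin/sh
# Recover a deleted plain-text file by searching a raw block device with grep -a.
# Deleted files lose their directory entry, but their data blocks stay on the
# device until overwritten, so a string search over the raw bytes can still
# find the content. A constructed image file stands in for /dev/sdb here.
set -eu

make_image() {
    # $1 = path of the constructed image (not a real device)
    {
        printf 'filler block\000\001\002\n'
        printf '\000\000live-file: nothing interesting here\n'
        # The "deleted" file: unreferenced by the filesystem, but still on disk.
        printf 'I lost my original root.txt file\n'
        printf 'FLAG{constructed-root-flag}\n'
        printf '\377\376trailing garbage\n'
    } > "$1"
}

recover_text() {
    # $1 = raw device or image, $2 = a string known to be in the lost file.
    # -a treats binary data as text; -B/-A keep context lines around each hit.
    # tr then drops non-printable bytes so the carved text is readable.
    grep -a -B 2 -A 2 -- "$2" "$1" | tr -cd '[:print:]\n'
}

image=$(mktemp)
make_image "$image"
recover_text "$image" 'root.txt'
rm -f "$image"
```

On a real device, widen -B/-A as the post does and redirect to a file, since a common word like 'root' will hit many unrelated blocks.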
Finally, it was a relief. If you still have any questions, or you know another method that could have been used to get the root flag, do let me know in the comments, and here is the video of the complete walkthrough.
Do share, subscribe to the channel and hit like.
Thanks for watching.