If you never heard about Hack the box before, I recommend you to check my first writeup on the Lame box.
Mirai was a botnet that used default credentials to exploit and infect a great quantity of IoT devices. This box is inspired by that, we will exploit an insecure device.
We start as usual with a port scanning using nmap.
There is an HTTP server that could be interesting.
We use our browser and go to http://10.10.10.48/. There is only a blank page.
We use DirBuster to brute-force the tree of the website.
Some seconds later, few results appear.
We navigate to http://10.10.10.48/admin/ and discover that is the Pi-hole administration page. As the box name Mirai tells us that the solution is probably using default credentials, maybe we can find it for Pi-hole. But after some search, there is no default password for Pi-hole.
However, we have not yet said our last word on this. As the name Pi-hole let us suggest, it’s probably hosted on a Raspberry PI machine, and this has a default password. Let’s try with the credentials username:
pi and password:
~ ssh firstname.lastname@example.org The authenticity of host '10.10.10.48 (10.10.10.48)' can't be established. ECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY/cVIx/oXtiqLPXiXMY. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.10.10.48' (ECDSA) to the list of known hosts. email@example.com's password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sun Aug 27 14:47:50 2017 from localhost SSH is enabled and the default password for the 'pi' user has not been changed. This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password. SSH is enabled and the default password for the 'pi' user has not been changed. This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password. pi@raspberrypi:~ $
Bingo we are connected! We can now already grab the user flag located
We can now switch to root user.
sudo su -
Let’s now cat the
Retrieving the flag in the backup
The content of the
root.txt says that there is a backup on his USB drive.
So we do a
df to see what disks are mounted and trying to locate the device.
root@raspberrypi:~# df -lh Filesystem Size Used Avail Use% Mounted on aufs 8.5G 2.8G 5.3G 34% / tmpfs 100M 4.8M 96M 5% /run /dev/sda1 1.3G 1.3G 0 100% /lib/live/mount/persistence/sda1 /dev/loop0 1.3G 1.3G 0 100% /lib/live/mount/rootfs/filesystem.squashfs tmpfs 250M 0 250M 0% /lib/live/mount/overlay /dev/sda2 8.5G 2.8G 5.3G 34% /lib/live/mount/persistence/sda2 devtmpfs 10M 0 10M 0% /dev tmpfs 250M 8.0K 250M 1% /dev/shm tmpfs 5.0M 4.0K 5.0M 1% /run/lock tmpfs 250M 0 250M 0% /sys/fs/cgroup tmpfs 250M 8.0K 250M 1% /tmp /dev/sdb 8.7M 93K 7.9M 2% /media/usbstick tmpfs 50M 0 50M 0% /run/user/999 tmpfs 50M 0 50M 0% /run/user/1000 root@raspberrypi:~#
The USB drive should be this
/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick/dev/sdb 8.7M 93K 7.9M 2% /media/usbstick
Let’s navigate to the USB stick mounted folder
Okay okay… 🤦🤦
Retrieving the removed flag
There is a
/media/usbstick but nothing there.
So how will we get back the flag? It’s probably still there in the memory of the device but has just been marked as removed. Fortunately, in a Unix system, we can access the disk as a file. In our case, it is
/dev/sdb. We simply use
strings to find all the strings in the disk.
root@raspberrypi:/media/usbstick/lost+found# strings /dev/sdb >r & /media/usbstick lost+found root.txt damnit.txt >r & >r & /media/usbstick lost+found root.txt damnit.txt >r & /media/usbstick 2]8^ lost+found root.txt damnit.txt >r & THIS_IS_THE_ROOT_FLAG Damnit! Sorry man I accidentally deleted your files off the USB stick. Do you know if there is any way to get them back? -James
Bingo! We get the root flag. The box is now done 👏
(In the strings dump, I replaced the root flag by
THIS_IS_THE_ROOT_FLAG. It would be too easy if I show it there and let you copy paste it in HTB. If you want to get it, go do it yourself, practice!)