DEV Community

loading...
Cover image for Writeup: HackTheBox Mirai- Without Metasploit (OSCP Prep)

Writeup: HackTheBox Mirai- Without Metasploit (OSCP Prep)

Chris 'Huey' S
Cyber Security enthusiast that wants to build cool things
・4 min read

Hello Again All!

Here with another write up and this time it will be Mirai from HackTheBox.

Difficulty level: Easy

So lets begin!

Command:

Nmap -sC -sV -T4 -oN nmap.txt 10.10.10.48

  1. -sC = equivalent to --script=default
  2. -sV = Probe open ports to determine service/Versions info
  3. -T4 = Set timing for faster output (0-5)
  4. -oN = Output to save it to a file

Alt Text

Open Ports displayed:

  1. 22 OpenSSH
  2. 53 DNSmasq
  3. 80 Lighthttpd
  4. 1185 Platinum

Let's head over to the website to see what is there.

Alt Text

Nothing appears to display when going to the site so let's try the following.

Command:

Right-click on the page.

Alt Text

Still nothing is displaying.

Alt Text

Alright, lets check out the other ports open on the box.

Command:

ssh 10.10.10.48

Alt Text

So no luck with trying to just SSH into the machine. I am going to run a nmap Vuln Scan on the machine to check.

Command:

Nmap --script vuln -oN vuln.txt 10.10.10.48

Alt Text

If you scroll down to the middle of the page there is a reference to something called "Pi-Hole".

I am going to try something else to see if anything comes up.

Command:

curl -vvv 10.10.10.48

  1. Simply curl or command-line tool and library for transferring data with URLs.

Alt Text

So we can now see again there is something with "Pi-Hole" going on here.

Directory Busting is usually helpful when trying to find hidden directories on a site.

Command:

dirb http://10.10.10.48

Alt Text

After a few minuets of this running we come back with a success with /admin/.

Great, lets now head over to the site to see if there is anything there.

Alt Text

So if you never heard of Pi-Hole or Pihole this is a linux network-level advertisement and internet tracker blocking application which acts as a DNS Sinkhole and/or DHCP Server.

After playing around withthe site for a few minuets I head over to the Login landing page.

Alt Text

So I tried doing a few things here, attempted to use Hydra to gain access on the site as well as use hydra for the SSH login but no luck. From here I head over to Google.

Alt Text

So it looks like the Username/Password gets set to pi:raspberry.

I tried using this on the login page but that didn't work so I turned to the SSH login.

Command:

ssh pi@10.10.10.48
raspberry

Alt Text

Looks like we got our first access to the SSH server!

Command:

wc user.txt

Alt Text

Lets run some Sudo commands.

sudo -l will list the allowed and forbidden commands for the invoking user on the current host.

Command:

sudo -l

Alt Text

Welp that is interesting....

Alright I am going to try and switch users.

Command:

sudo su-
whoami

Alt Text

Command:

ls
cat root.txt

Alt Text

Looks like someone removed the root.txt from this file and its in a USB stick....

Take the time and go into the files and see if there is anything that pops-out at you.

Command:

ls -la

Alt Text

After some searching I come across the /media location with a usbstick there.

Command:

cd media
ls
cd usbstick
cat damnit.txt

Alt Text

It appears that someone else deleted your files off the usb stick.

Commnd:

df -lh

  1. Df = Will report file system disk space usage
  2. lh = local and print sizes in powers of 1024 Nice cheat sheet on these commands Link

Will show free disk space and lets focus on the /media/usbstick

Alt Text

You can use Strings to look for characters or you could have used cat as well.

Command:

strings /dev/sdb

Alt Text

Thanks for stopping by!

Discussion (2)

Collapse
wireless90 profile image
wireless90

Hi a few questions.

-sC = equivalent to --script=default
1) What does default script here mean? So nmap has some internal scripts it runs against the target?

-T4 = Set timing for faster output (0-5)
2) Does faster output impact us? Does faster output means less script is ran?

3) what does the vuln script do? Is it slower and more thorough?

Collapse
0xhuey profile image
Chris 'Huey' S Author

Hey, thanks for taking a look at the walk-through. The -sC will run the Nmap Script Engine (NSE) scripts. There are 4 main types of NSE scripts, Prerule, Host, Service and Postrule scripts. For the -T4 you can basically use ranges from 0-5 to speed things up. Timing comes into play when you are trying to hide yourself from a defender on a box because sending too many packets will get flagged. Being that this is a HTB machine I really dont care so I want to go faster.

The Vuln script will run some default checks on the box to see if you have a CVE that you can use. After getting the CVE go to searchsploit or Google to look up the exploit code.

Hope this helps!