As per the ToS of HackTheBox, solutions cannot be posted before the machine is retired, so you won’t be able to use this post as your way into the described machine, since it’ll already be out of service.
Preface
HackTheBox was the first CTF site that I signed up for and actually got my hands dirty on. The experience has been awesome. If you want somewhere to practice, gather more knowledge, or have some fun, give it a try: https://www.hackthebox.eu/invite Reminder: you have to hack your way into the registration process. It’s worth it.
Let’s begin
As my first CTF machine, I chose Mirai due to the difficulty ratings on the list of available machines: Mirai was the lowest-hanging fruit. Its IP was 10.10.10.48. Let the games begin!
Enumerating
On my machine
That’s good. We have an SSH and an HTTP service to work on. I’d have started brute-forcing SSH immediately if I knew any usernames, so I put it aside for the moment.
HTTP server
Accessing http://10.10.10.48 returned an empty page.
Empty page on http://10.10.10.48
Nothing to work with. So I fired up nmap again with some of its bundled scripts to see if any of them returned something I could explore further. The interesting results are below.
On my machine
Now we know about the existence of /admin/ and /admin/index.php (which both end up returning the same page).
Pi-hole page at http://10.10.10.48/admin
While searching about Pi-hole, I found its GitHub repository. From there, I started looking for possible users that might exist on the Mirai machine, ending up discovering pihole.
Since it was the easiest machine at the time, I assumed that it would be enough to proceed.
Release the hydra
I went forward and fired up hydra.
On my machine
rockyou.txt is fairly large, so after some minutes I thought I could go have dinner while hydra did its thing, honestly not putting much faith in the outcome.
With a refreshed mind, I came back and noticed that I’d forgotten to add -e nsr, so I went ahead and tested some combinations manually as well. The following combinations resulted in nothing.
Suddenly, I had an epiphany. Damn, it might be a Raspberry Pi, which ships with the default credentials pi:raspberry.
On my machine
Great! I was in!
On the server
Seeing root.txt made me cat root.txt, but it was empty. It was probably left behind by other people, like the other files in the same directory.
Getting the user flag
Getting the user flag was pretty straightforward:
On the server
One down. Let’s root it now!
Getting the root flag
Another thing Raspbian gives you by default is the ability to sudo without a password.
On the server
When I ls’ed /root, I saw:
On the server
It was almost a ‘not so fast, young man’. That engaged me more on the challenge.
To find the mounted partitions, I ran df -h.
On the server
There you are.
On the server
Damn it, James! lost+found had nothing. Well, maybe James tried to recover the file. Let’s check the history (only the relevant info is shown).
On the server
I ls’ed /home/pi/.local/share/Trash/files, but there was nothing relevant. Let’s try this extundelete command.
On the server
I naïvely tried installing it via apt. The box couldn’t communicate with the outside world.
I searched about extundelete and found its SourceForge page, where I spent a few minutes learning about it. That’s when I saw:
It made a lot of sense. If I could make a backup of the USB stick and download it, I could mount the backup on my machine and run extundelete locally; since it was only 8MB (check the df -h output), it could be downloaded easily. And so I proceeded. I ran dd if=/dev/sdb of=usb_backup bs=1M and downloaded it via scp.
Before searching for the proper way to mount a file as a directory, why not just run strings usb_backup?
On the server
There you are, root hash!
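To make the point behind the dd + strings trick concrete, here is an added Python example (not from the original post; the flag value and the toy image layout are constructed placeholders): a file’s directory entry is removed the way rm does while its data block stays on disk, and a strings-style scan recovers the content anyway. This is exactly why a deleted flag can be pulled straight out of a raw device image, and why secure wiping means overwriting the data, not just unlinking the file.

```python
import re

BLOCK = 512  # toy block size for the constructed image; the real stick was an ext filesystem

# Constructed placeholder standing in for the flag; not a real hash from the box
FLAG = "0123456789abcdef0123456789abcdef"


def make_image() -> bytearray:
    """Build a toy 'filesystem' image: non-printable filler (keeps the strings
    output readable; real images carry noise), a directory entry naming root.txt
    in block 1, and the file's data in block 2."""
    img = bytearray((bytes(range(0x80, 0x100)) * 16)[:BLOCK * 4])
    entry = b"root.txt\x00" + (2).to_bytes(4, "little")  # name + data-block number
    img[BLOCK:BLOCK + len(entry)] = entry
    data = FLAG.encode() + b"\n"
    img[2 * BLOCK:2 * BLOCK + len(data)] = data
    return img


def simulate_unlink(img: bytearray) -> bytearray:
    """What rm normally does: drop the directory entry, leave the data block untouched."""
    out = bytearray(img)
    out[BLOCK:2 * BLOCK] = b"\x00" * BLOCK
    return out


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Same idea as GNU `strings` defaults: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_hex_hashes(blob: bytes, length: int = 32) -> list:
    """Narrow the strings output down to things shaped like a hex digest."""
    pattern = rb"(?<![0-9a-fA-F])[0-9a-fA-F]{%d}(?![0-9a-fA-F])" % length
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


if __name__ == "__main__":
    deleted = simulate_unlink(make_image())
    print("name still present:", "root.txt" in extract_strings(deleted))  # False
    print("hashes recovered:", find_hex_hashes(deleted))  # the placeholder flag
```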
Wrapping up
It was my first CTF machine, so some actions were naïve and I overthought a lot, which made me miss some fairly obvious stuff at first glance. It felt very good to start with an IP and work my way in using some knowledge I already had, get a shell on the machine and finally apply some out-of-the-box thinking to find the root hash. If it weren’t for my previous knowledge of the default credentials of Raspbian, it would have taken a LOT of time to get in. It motivated me to keep working on these machines, gaining knowledge and having fun (and sometimes wanting to hit my head against the wall :)