HTB | Mirai
This box is part of the Hack The Box Linux Privilege Escalation 101 track. Find the box here.
Forensic file recovery
IP: 10.10.10.48
Port 80
Visiting it gives a blank page, so I wanted to see the headers.
We found an X-Pi-hole header. X-Pi-hole implies this is (or is meant to look like) a Pi-hole, a small DNS server designed to run on a Raspberry Pi.
Let's do directory fuzzing. We found /admin.
/admin seems like an admin dashboard.
Here we can see its version.
Port 32400
Let's do directory fuzzing. Nothing interesting was found.
The default creds for a Raspberry Pi device are pi/raspberry. I’ll try those here: pi:raspberry
We are in, and we found user.txt.
pi can run sudo as root for any command:
And we are root.
In root.txt I found a message.
Running lsblk, we found /media/usbstick.
In /media/usbstick we found a note saying all our files are deleted.
When a file gets deleted, the filesystem removes the metadata about that file. That includes the timestamps, the filename, and a pointer to where the raw file is on disk. The delete operation does not go to that point on the disk and do anything to clean up the data, like writing all nulls over it. That means there's a good chance that the contents of root.txt are still there, even if the filesystem no longer knows of a file by that name. The raw USB device is /dev/sdb, and I can interact with that just like any other file.
grep / strings
grep is made to pull strings matching a given pattern out of a file (and I can treat the raw device as a file). I'll call it with the following arguments:
I’ll give it the pattern [a-fA-F0-9]{32}, which should find a 32-character hex string. It works and we have the root flag
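The same recovery idea as a script, added here as an example and not taken from the original write-up: it reads a raw device or image in chunks and reports the byte offset of every run of exactly 32 hex characters, including runs that straddle a chunk boundary (stricter than the bare [a-fA-F0-9]{32} pattern, which also matches inside longer hex runs). The names carve_hex32, demo and SAMPLE are assumptions of this example, and the sample bytes are constructed.

```python
import os
import re
import tempfile

HEX_RUN = re.compile(rb"[0-9a-fA-F]+")
FLAG_LEN = 32  # the page's pattern is [a-fA-F0-9]{32}

def carve_hex32(path, chunk_size=1 << 20):
    """Return [(byte_offset, text)] for every run of exactly 32 hex characters."""
    hits, carry, base = [], b"", 0  # base = file offset of buf[0]
    with open(path, "rb") as dev:
        while True:
            chunk = dev.read(chunk_size)
            buf = carry + chunk
            eof = not chunk
            carry = b""
            for m in HEX_RUN.finditer(buf):
                if m.end() == len(buf) and not eof:
                    # Run touches the chunk edge: re-check it with the next chunk.
                    # 33 bytes are enough to tell "exactly 32" from "longer".
                    carry = m.group()[-(FLAG_LEN + 1):]
                    break
                if len(m.group()) == FLAG_LEN:
                    hits.append((base + m.start(), m.group().decode("ascii")))
            if eof:
                return hits
            base += len(buf) - len(carry)

# Constructed sample standing in for the raw device: zeroed blocks, a leftover
# 32-char hex string (constructed, not a real flag) and a 40-char hex run
# that must not be reported.
SAMPLE = (b"\x00" * 1000 + b"0123456789abcdef0123456789abcdef\n"
          + b"\x00" * 500 + b"ab" * 20 + b"\x00" * 100)

def demo(chunk_size=64, data=SAMPLE):
    """Write the constructed bytes to a temp file and carve it."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(data)
    try:
        return carve_hex32(img.name, chunk_size)
    finally:
        os.unlink(img.name)

if __name__ == "__main__":
    for offset, text in demo():
        print(f"{offset:#x}  {text}")
```

The reported offset lets you pull the surrounding bytes from the device for context instead of trusting the bare match.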
Knowing that the flag is a string, I can also use strings: