HTB | Mirai

This is a box from the Hack The Box Linux Privilege Escalation 101 track. Find the box here.

Skills Learned

  • Forensic file recovery

NMAP

IP: 10.10.10.48

nmap -sT -p- --min-rate 10000 10.10.10.48

Open ports: 80 and 32400

Port 80

Visiting it gives a blank page, so I wanted to look at the response headers.

curl -i http://10.10.10.48/

We found an X-Pi-hole header, which implies this is (or is meant to look like) a Pi-hole, a small DNS server designed to run on a Raspberry Pi.

Let's do directory fuzzing with dirsearch. It found /admin.

/admin looks like an admin dashboard, and its version is shown on the page.

Port 32400

Directory fuzzing here found nothing interesting.

Foothold/shell

The default creds for a Raspberry Pi device are pi/raspberry. I’ll try those here: pi:raspberry

We are in, and user.txt is in the home directory.

Priv Esc

pi can run sudo as root for any command:

sudo -l

and we are root.

In root.txt I found a message instead of the flag.

Running lsblk shows a USB stick mounted at /media/usbstick.

In /media/usbstick there is a text file saying all the files have been deleted.

Recovery of root.txt

When a file is deleted, the filesystem removes the metadata about that file: the timestamps, the filename, and the pointer to where the raw data lives on disk. The delete operation does not go to that location on disk and do anything to clean up the data, such as overwriting it with nulls. That means there is a good chance the contents of root.txt are still there, even if the filesystem no longer knows of a file by that name. The raw USB device is /dev/sdb, and I can interact with it just like any other file.

grep / strings

grep is made to pull strings matching a given pattern out of a file (and I can treat the raw device as a file). I'll call it with the following arguments:

grep -aPo '[a-fA-F0-9]{32}' /dev/sdb

-a - Process a binary file as if it were text
-P - Interpret PATTERN as a Perl regular expression
-o - Print only the matched (non-empty) parts of a matching line, with each such part on a separate output line

I'll give it the pattern [a-fA-F0-9]{32}, which finds any 32-character hex string. It works, and we have the root flag.


Knowing that the flag is a string, I can also use strings:

strings /dev/sdb
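To show why the grep above works, here is an added example (not from the original writeup): it builds a constructed disk image in which a file's directory entry is zeroed but its data block is left alone, then carves every 32-hex run out of the raw image in chunks, reporting the byte offset of each hit. The flag value, the chunk size and the hash-like noise string are all constructed placeholders, not values from the box.

```python
import os
import re
import tempfile

# Constructed values: not the box's real flag, just a 32-hex placeholder and some noise.
FAKE_FLAG = b"0123456789abcdef0123456789abcdef"
SHA1_LIKE_NOISE = b"da39a3ee5e6b4b0d3255bfef95601890afd80709"  # 40 hex chars: a false-positive candidate

HEX32 = re.compile(rb"[a-fA-F0-9]{32}")  # same pattern as the grep in the writeup
CHUNK = 4096
OVERLAP = 31  # pattern length - 1, so a run straddling two chunks is still seen whole


def build_image(path: str) -> None:
    """Write a constructed raw 'device': a fake directory entry, the flag's data block and an
    unrelated hash-like string, then zero only the directory entry to simulate deletion."""
    image = bytearray(3 * CHUNK)
    entry = b"DIRENT name=root.txt block=1"
    image[0:len(entry)] = entry
    start = CHUNK - 10  # the flag deliberately straddles the first chunk boundary
    image[start:start + len(FAKE_FLAG)] = FAKE_FLAG
    noise_at = 2 * CHUNK + 100
    image[noise_at:noise_at + len(SHA1_LIKE_NOISE)] = SHA1_LIKE_NOISE
    image[0:len(entry)] = b"\x00" * len(entry)  # "rm": metadata gone, data block untouched
    with open(path, "wb") as f:
        f.write(image)


def carve_hex32(path: str) -> list[tuple[int, bytes]]:
    """Stream the raw device and return (offset, match) for every 32-hex run found."""
    found = {}
    with open(path, "rb") as f:
        base, carry = 0, b""  # base = bytes consumed so far; carry = tail of the previous chunk
        while chunk := f.read(CHUNK):
            buf = carry + chunk
            for m in HEX32.finditer(buf):
                found.setdefault(base - len(carry) + m.start(), m.group())  # absolute offset, deduped
            carry = buf[-OVERLAP:]
            base += len(chunk)
    return sorted(found.items())


def demo() -> list[tuple[int, bytes]]:
    """Build the image in a temp dir and carve it; the flag survives, the SHA-1-like string is a false positive."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sdb.img")
        build_image(path)
        return carve_hex32(path)


if __name__ == "__main__":
    for off, hit in demo():
        print(f"{off:#010x} {hit.decode()}")
```

Every hit is only a candidate: any MD5-style hash on the disk also matches, which is why the offsets are reported for triage rather than treating the first match as the flag.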
