Hack The Box — Mirai

Welcome to this walkthrough of the HackTheBox machine “Mirai”. Let’s take a look at the machine’s information.

Okay, it’s rated easy and based on Linux, so let’s get started…

Nmap Scan

In this step we aim to find all open ports, the services running on them, and some other information that we will see now.

nmap -A -T4 -O -oG mirai.gnmap 10.10.10.48

We used -oG to write the results to a file with the .gnmap extension, so we can use it later when brute-forcing credentials if there’s a port that may be brute-forceable, such as ssh/ftp.

We have 3 open ports with 3 services running on them. For now, just note them in a text file until we finish the information-gathering steps.

Website Enumeration

In this step we will review the source code, check the functions, discover hidden directories, check the response headers, and so on.

First, we will use nikto to gather a bunch of information, and in the results we found an unfamiliar response header, X-Pi-hole, so note it.

Let’s discover the hidden directories. You can use dirsearch/dirbuster/gobuster/ffuf/metasploit modules or any tool that performs the same task.

python3 dirsearch -u 10.10.10.48 -e php -t 40

Dirsearch results

Now we know the /admin directory is available, and when you open it you will find the default admin page for Pi-Hole, but you’re not authenticated and you need to log in as an admin.

The version of Pi-Hole is shown at the bottom of the page, but after searching for an exploit related to this version I faced a problem: I must be authenticated, as you can see here.

So I tried to search for the default credentials for Pi-Hole and I found them.

If you try to use these credentials to log in to the admin panel you will fail, so I’ve used a new technique to find out what these credentials are valid for.

I’ve used a new tool called medusa

Installation: apt-get install medusa

We will check for ssh credentials

And it’s valid. Let’s log in to ssh using these credentials.

Good, we now have user privileges and can get the user flag. Let’s try to get root privileges and search for the root flag.
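Seen from the defender’s side, the SSH credential check described above shows up in the sshd log as failed passwords followed by an accepted one from the same address. The Python sketch below is an added example, not part of the original walkthrough; its log lines, usernames and addresses are constructed, and the failure threshold and time window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not from the target box); IPs are documentation ranges.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:02 host sshd[811]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:03 host sshd[811]: Failed password for svc from 203.0.113.7 port 40116 ssh2
Mar  3 10:15:04 host sshd[811]: Accepted password for svc from 203.0.113.7 port 40118 ssh2
Mar  3 11:02:40 host sshd[902]: Failed password for alice from 198.51.100.9 port 51500 ssh2
Mar  3 11:02:55 host sshd[902]: Accepted password for alice from 198.51.100.9 port 51502 ssh2
Mar  3 12:30:00 host sshd[950]: Accepted publickey for bob from 198.51.100.20 port 60000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def find_guessed_logins(log_text, min_failures=3, window=timedelta(minutes=5), year=2024):
    """Return (ip, user, failures) for each password login that succeeded right
    after at least `min_failures` failed attempts from the same source."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "password":
            continue              # key-based logins cannot be password-guessed
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        fails = recent[m["ip"]]
        while fails and ts - fails[0] > window:
            fails.popleft()       # expire failures older than the window
        if m["result"] == "Failed":
            fails.append(ts)
        elif len(fails) >= min_failures:
            alerts.append((m["ip"], m["user"], len(fails)))
            fails.clear()
    return alerts

if __name__ == "__main__":
    for ip, user, n in find_guessed_logins(SAMPLE_LOG):
        print(f"ALERT {ip} logged in as {user} after {n} failed passwords")
```

An alert like this on an account that still has its vendor default password is the cue to change the password and disable password authentication for SSH.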

I’ve just typed sudo su to be admin, easy right? But unfortunately the root flag isn’t easy :(

Let’s do a small Google search about USB sticks in the Kali terminal to know where exactly I will search.

As you can see I’ve found this resource and the directory which should have the flag, let’s search for it

Good, we have this file. Let’s open it with cat sdb

We have the flag now :):)

Congrats and Thank you ❤

Eslam Akl


Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll