OSCP PREPARATIONS – HTB Mirai

Mirai is one of the retired machines running a Linux operating system. After detecting and exploiting the vulnerabilities on this machine, we are expected to obtain the user and root flags.
Let’s get to know the target machine.
Classic Scan

Full port Scan

As a result of port scanning, we saw that the “22/tcp ssh”, “53/tcp domain dnsmasq 2.76”, “80/tcp open lighttpd 1.4.35”, “1358/tcp connlcli”, “32400/tcp plex” and “32469/tcp” ports are open and services are running on them.
HTTP is running on port 80, so we take a look through the browser.
We could not get any information through the browser, and there was nothing useful in the page source.

We run a gobuster and dirbuster directory scan.

On the /admin page

We encounter a screen like this. It shows that a Pi-hole project is running here, so let’s do some enumeration on the web.
We see the Login tab. We tried all the default passwords here, but none of them logged us in.

We looked up the default password of the Pi-hole project.

We tried raspberry and could not log in. Since this is a default login, we decided to try it over ssh.
We were able to establish an ssh connection with the default credentials.

After logging in, we can access our user flag.

Then we ran sudo -l to check our root privileges and see which applications we can run as root.
As you can see, we can run all applications with sudo authorization.

Let’s try to get our root flag here.

The file reads: “I lost my original root.txt! I think I may have a backup on my USB stick…”. This means that we need to access the original root file, and to access it we need to take a backup of the USB.
Here we use the “df” command to list the mounted file systems, including the inserted media.

Here we first go to the /media/usbstick directory.

Here we read the contents of the damnit.txt file.

It says here that he deleted the files by mistake. We understand that we need to perform data recovery forensics here. We then checked the contents of lost+found to see if we could find any other information, and it was empty.

Here we use the “mount” command to see which device is mounted on /media/usbstick.

Here we see that the device behind the usbstick mount is “/dev/sdb”, so we can image it with dd and obtain the data on it.
To image it with dd, we use the command:
dd if=/dev/sdb of=/tmp/usb.dd

Here we saw that the usb.dd file was created. To analyze the contents of this file, we copied it to our machine with scp.

We tried to recover the file with the TestDisk and PhotoRec tools, but we could not read the contents of the root file from the image.

Let’s look at the contents of the dd file using the strings command.

We were able to find the root flag here.
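
The strings step above works because deleting a file removes its directory entry while the data block often stays on the device until it is overwritten. The following is an added example, not part of the original write-up: it hashes an image so the copy taken with scp can be checked against the original, then scans it the way strings does and reports the byte offset of each hit. The 32-character hex token format, the sample image layout and all function names are assumptions made for the illustration.

```python
import hashlib
import mmap
import re

MIN_LEN = 4  # default minimum run length used by strings(1)
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Assumption: the lost value is a standalone 32-character lowercase hex token.
TOKEN = re.compile(r"(?<![0-9a-f])[0-9a-f]{32}(?![0-9a-f])")


def sha256_of(path):
    """Hash the image in 1 MiB pieces so a transferred copy can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(1 << 20), b""):
            h.update(piece)
    return h.hexdigest()


def printable_runs(path):
    """Yield (byte offset, text) for each printable ASCII run, like `strings -t d`."""
    with open(path, "rb") as f, \
            mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for m in PRINTABLE.finditer(mm):
            yield m.start(), m.group().decode("ascii")


def find_tokens(path):
    """Return [(byte offset, token)] for hex tokens found inside printable runs."""
    hits = []
    for off, text in printable_runs(path):
        hits.extend((off + m.start(), m.group()) for m in TOKEN.finditer(text))
    return hits


def build_sample_image(path, block=1024):
    """Constructed sample: zero-filled image holding an orphaned data block."""
    token = "0123456789abcdef0123456789abcdef"  # constructed value, not a real flag
    img = bytearray(64 * block)
    img[2 * block:2 * block + 8] = b"root.txt"                # stale file name
    img[9 * block:9 * block + 41] = b"a" * 40 + b"\n"         # decoy: 40 hex chars
    img[40 * block:40 * block + 33] = token.encode() + b"\n"  # leftover contents
    with open(path, "wb") as f:
        f.write(img)
    return token


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "usb.dd")
        build_sample_image(image)
        print("sha256:", sha256_of(image))
        for off, tok in find_tokens(image):
            print(off, tok)
```

Running sha256_of on both the original and the copied image and comparing the digests confirms the transfer did not alter the evidence before analysis.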