Hello Again All!
Here with another write up and this time it will be Mirai from HackTheBox.
Difficulty level: Easy
So let's begin!
Command:
nmap -sC -sV -T4 -oN nmap.txt 10.10.10.48
- -sC = run the default NSE script set (equivalent to --script=default)
- -sV = probe open ports to determine service/version info
- -T4 = timing template (0-5); higher is faster but noisier on the wire
- -oN = save normal output to a file
Open ports displayed:
- 22 OpenSSH
- 53 dnsmasq
- 80 lighttpd
- 1185 Platinum
Let's head over to the website to see what is there.
Nothing appears on the page when browsing to the site, so let's try the following.
Command:
Right-click on the page and view the page source.
Still nothing is displayed.
Alright, let's check out the other ports open on the box.
Command:
ssh 10.10.10.48
No luck just trying to SSH into the machine without credentials. I am going to run an nmap vuln scan against the machine to check for anything obvious.
Command:
nmap --script vuln -oN vuln.txt 10.10.10.48
If you scroll down to the middle of the output there is a reference to something called "Pi-hole".
I am going to try something else to see if anything comes up.
Command:
curl -vvv 10.10.10.48
- curl is a command-line tool (and library) for transferring data with URLs; -vvv shows the request and response headers.
So we can see again, in the response headers, that there is something "Pi-hole" going on here.
Directory busting is usually helpful when trying to find hidden directories on a site.
Command:
dirb http://10.10.10.48
After a few minutes of this running we come back with a hit on /admin/.
Great, let's now head over to that path to see if there is anything there.
If you have never heard of Pi-hole, it is a Linux network-level advertisement and internet tracker blocking application that acts as a DNS sinkhole and/or DHCP server. It is most commonly installed on a Raspberry Pi.
After playing around with the site for a few minutes I head over to the login landing page.
I tried a few things here: Hydra against the web login and Hydra against SSH, but no luck. From here I head over to Google.
It looks like the default Raspberry Pi credentials are pi:raspberry.
I tried using these on the web login page but that didn't work, so I turned to the SSH login.
Command:
ssh pi@10.10.10.48
(password: raspberry)
Looks like we got our first access to the box over SSH with the default credentials!
Command:
wc user.txt
Let's see what sudo allows.
sudo -l lists the allowed (and forbidden) commands for the invoking user on the current host.
Command:
sudo -l
Welp, that is interesting....
Alright, I am going to try to switch to root.
Command:
sudo su -
whoami
Command:
ls
cat root.txt
Looks like root.txt is not in this file; it says the real one is on a USB stick....
Take the time to go through the file system and see if anything pops out at you.
Command:
ls -la
After some searching I come across /media with a usbstick mount point there.
Command:
cd /media
ls
cd usbstick
cat damnit.txt
It appears that someone else deleted your files off the USB stick.
Command:
df -lh
- df = report file system disk space usage
- -l = limit the listing to local file systems
- -h = print sizes in human-readable form (powers of 1024)
This shows the mounted file systems; the line for /media/usbstick tells us which block device the stick is, and that is the device we read next.
Deleting a file only removes its directory entry; the data blocks stay on the device until they are reused, so reading the raw block device still turns up the file's contents. You can use strings to pull the printable text out (cat would work too, but dumps the binary as well), and pipe into grep to cut down the noise.
Command:
strings /dev/sdb
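The last step is worth seeing in code, because it is a general forensic trick rather than a one-off: a deleted file's bytes are still on the raw device until the blocks are reused, so carving printable runs out of the device (what `strings` does) recovers them. The script below is an added example, not from the original write-up or from Pi-hole; it reimplements the useful part of `strings -n N -t d`, adds a filter for 32-character hex tokens (the HTB flag shape), and builds a constructed 64 KiB "disk image" in memory so it runs offline. The offsets, note text and the deadbeef token are assumptions for the demo, not the real contents of the box's USB stick.

```python
"""Carve printable strings out of a raw block-device image.

Added example (not part of the original write-up). Run with a path to a
device or image (e.g. python carve.py /dev/sdb) or with no arguments to
scan a constructed demo image.
"""
import random
import re
import sys
from typing import Iterator, List, Tuple

# Assumed demo values: where the "deleted" content sits in the constructed image.
NOTE_OFFSET = 0x3400
FLAG_OFFSET = 0x8100
NOTE_TEXT = "someone deleted the flag file but its blocks are still here"
FLAG_TOKEN = "deadbeef" * 4  # 32 lowercase hex chars, shaped like an HTB flag (placeholder)

# HTB flags are 32 lowercase hex characters; \b keeps longer hex runs from matching.
FLAG_RE = re.compile(r"\b[0-9a-f]{32}\b")


def carve_strings(data: bytes, min_len: int = 4) -> Iterator[Tuple[int, str]]:
    """Yield (offset, text) for every run of at least min_len printable ASCII
    bytes (0x20-0x7e), which is what `strings -n min_len -t d` prints."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in pattern.finditer(data):
        yield m.start(), m.group().decode("ascii")


def find_flag_candidates(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, token) for every flag-shaped token in the carved strings.
    Using min_len=8 drops most of the random printable noise a raw device produces."""
    hits = []
    for off, text in carve_strings(data, 8):
        for m in FLAG_RE.finditer(text):
            hits.append((off + m.start(), m.group()))
    return hits


def build_demo_image(seed: int = 7) -> bytes:
    """Constructed 64 KiB image: pseudo-random filler (like a used stick) with a
    note and a flag-shaped token written into the middle, the way the data blocks
    of a deleted file would remain. Each chunk is wrapped in newlines so it is
    carved as one clean string rather than merged with adjacent printable filler."""
    rnd = random.Random(seed)
    img = bytearray(rnd.getrandbits(8) for _ in range(64 * 1024))
    for off, text in ((NOTE_OFFSET, NOTE_TEXT), (FLAG_OFFSET, FLAG_TOKEN)):
        chunk = b"\n" + text.encode("ascii") + b"\n"
        img[off - 1 : off - 1 + len(chunk)] = chunk
    return bytes(img)


def main(argv: List[str]) -> None:
    if len(argv) > 1:
        # Reads the whole device into memory; fine for a small stick, use chunking for disks.
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_demo_image()
    for off, text in carve_strings(data, 8):
        print(f"{off:#010x}  {text}")
    for off, tok in find_flag_candidates(data):
        print(f"flag-shaped token at {off:#x}: {tok}")


if __name__ == "__main__":
    main(sys.argv)
```

On the demo image the first loop prints a couple of dozen junk strings from the random filler alongside the note and the token, which is exactly what `strings /dev/sdb` looks like on a real stick and why piping through `grep -E '^[0-9a-f]{32}$'` (or the `find_flag_candidates` filter above) saves time. On a real device run it as root, since /dev/sdb is not world-readable.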
Thanks for stopping by!
Top comments (2)
Hi, a few questions.
-sC = equivalent to --script=default
1) What does default script here mean? So nmap has some internal scripts it runs against the target?
-T4 = Set timing for faster output (0-5)
2) Does faster output impact us? Does faster output mean fewer scripts are run?
3) what does the vuln script do? Is it slower and more thorough?
Hey, thanks for taking a look at the walk-through. The -sC will run the Nmap Script Engine (NSE) scripts. There are 4 main types of NSE scripts: Prerule, Host, Service and Postrule scripts. For the -T4 you can basically use ranges from 0-5 to speed things up. Timing comes into play when you are trying to hide yourself from a defender on a box, because sending too many packets will get flagged. Being that this is an HTB machine I really don't care, so I want to go faster.
The vuln scripts will run some default checks on the box to see if there is a CVE that you can use. After getting the CVE, go to searchsploit or Google to look up the exploit code.
Hope this helps!