Mirai | HTB | OSCP | Box 5

Tanzil Rehman

Oct 25, 2021


Interesting and easy box

Enumeration

Nmap - TCP, all 65535 ports (-A already turns on -sV, -sC, -O and traceroute, so the extra flags below are redundant but harmless)

┌──(root💀kali)-[/home/kali/htb/mirai]
└─# nmap -A -sV -sC -O -p- 10.10.10.48
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-24 14:17 EDT
Nmap scan report for 10.10.10.48
Host is up (0.10s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-server-header: lighttpd/1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
2021/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
32400/tcp open http Plex Media Server httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-cors: HEAD GET POST PUT DELETE OPTIONS
|_http-favicon: Plex
|_http-title: Unauthorized
32469/tcp open upnp Platinum UPnP 1.0.5.13 (UPnP/1.0 DLNADOC/1.50)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=10/24%OT=22%CT=1%CU=36605%PV=Y%DS=2%DC=T%G=Y%TM=6175A4
OS:B1%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)OP
OS:S(O1=M54DST11NW6%O2=M54DST11NW6%O3=M54DNNT11NW6%O4=M54DST11NW6%O5=M54DST
OS:11NW6%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)EC
OS:N(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N
OS:%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 3389/tcp)
HOP RTT ADDRESS
1 103.42 ms 10.10.14.1
2 105.72 ms 10.10.10.48
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 388.38 seconds

UDP scan, ports 1-1000 (note that -p 1-1000 scans the first thousand port numbers; Nmap's top-1000 list, --top-ports 1000, is a different set)


┌──(root💀kali)-[/home/kali/htb/mirai]
└─# nmap -sU -A -p 1-1000 10.10.10.48
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-24 14:18 EDT
Nmap scan report for 10.10.10.48
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
53/udp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
68/udp open|filtered dhcpc
123/udp open ntp NTP v4 (unsynchronized)
| ntp-info:
|_
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
Host script results:
|_clock-skew: 2m26s
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 110.54 ms 10.10.14.1
2 111.02 ms 10.10.10.48
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1124.62 seconds

DNS — port 53

With DNS open, let's see whether the server allows a zone transfer:

Nothing useful was found. That is the expected result: dnsmasq is normally deployed as a forwarding resolver rather than an authoritative server, so there is usually no zone for it to hand out.
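The zone-transfer check itself, as an added example that is not part of the original post: a small wrapper around dig that attempts an AXFR and reports the outcome, with the output classifier kept separate so it can be checked against saved dig output. It assumes the caller supplies the server (10.10.10.48 here) and the zone name; the post does not name a zone, so none is hard-coded, and the sample dig output in the comments uses the documentation domain example.com.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper around dig that attempts
# a zone transfer (AXFR) and reports the outcome, with the classifier it relies
# on kept separate so it can be run against saved dig output offline.
# Assumptions: the caller supplies the server (10.10.10.48 on the box) and the
# zone name; the post names no zone, so none is hard-coded here.

# classify_axfr: reads dig output on stdin and prints one word.
#   allowed - dig printed an ";; XFR size:" summary, i.e. records came back
#   refused - dig printed "; Transfer failed." (REFUSED, NOTAUTH, ...)
#   unknown - anything else (timeout, unreachable server, odd output)
classify_axfr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^;; XFR size: [0-9][0-9]* records'; then
        echo allowed
    elif printf '%s\n' "$out" | grep -q '^; Transfer failed\.'; then
        echo refused
    else
        echo unknown
    fi
}

# axfr_records: reads dig output on stdin and prints only the resource
# records (every line that is not a ';' comment and not blank).
axfr_records() {
    grep -v '^;' | grep -v '^[[:space:]]*$'
}

# try_axfr SERVER ZONE: run the transfer once with a short timeout, print the
# verdict and, when it worked, the records. Returns 0 only on a successful AXFR.
try_axfr() {
    server="$1"; zone="$2"
    raw=$(dig "@$server" axfr "$zone" +time=5 +tries=1 2>&1)
    verdict=$(printf '%s\n' "$raw" | classify_axfr)
    echo "$zone @ $server: $verdict"
    [ "$verdict" = allowed ] || return 1
    printf '%s\n' "$raw" | axfr_records
}

# Usage against the box (needs network and a zone name to ask for):
#   try_axfr 10.10.10.48 <zone>
```

A "refused" verdict means the server understood the request and declined it; "unknown" usually means UDP/TCP 53 was reachable for normal queries but the TCP transfer never got an answer, which is worth distinguishing before concluding anything about the server's configuration.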

Port 80 and 32400

The landing page on port 80 was blank, and poking at it further through Burp Suite turned up nothing useful.

I then ran a directory brute force against port 80:

feroxbuster --url http://10.10.10.48 --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o port80.log

I also enumerated port 32400 (Plex).

It exposed a large number of sub-directories, so rather than chase all of them I decided to start with port 80.

Searching for the Pi-hole default password turned up:

Default password: raspberry

Trying that password did not work, and looking for more sub-directories again turned up nothing. Note that Pi-hole generates a random admin password for its web interface at install time, so the web login and the underlying OS account are separate credentials.

Reading up on what Pi-hole is and how it works, and that it normally runs on a Raspberry Pi, I tried SSH into the box as the pi user with the Raspberry Pi OS default credentials (pi / raspberry), and it worked.

User.txt

Privilege Escalation

First I ran df. What does df do?

df operates on filesystems rather than on files and directories: it displays used and available disk space for every mounted filesystem, one line per filesystem, along with the device each one is mounted from.

Next I used lsblk.

From the man page: lsblk lists all block devices (except RAM disks) in a tree-like format by default. Unlike df, it also shows devices and partitions that are not currently mounted. Use lsblk --help for a list of all available columns.

If I do:

cat /dev/sdb
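Why reading the raw device is worth doing, as an added example that is not part of the original post: deleting a file removes its directory entry and frees its blocks, but the bytes stay on the device until something overwrites them, so cat, strings or grep -a over /dev/sdb can still show them. Reading a raw block device needs root or membership of the disk group. A constructed image file stands in for /dev/sdb so the script runs offline, and the planted text is made up for the example, not the box's real flag.

```shell
#!/bin/sh
# Added example (not from the original post): why reading the raw block device
# can recover a file that has been deleted from the mounted filesystem.
# Unlinking drops the directory entry and frees the blocks; the data bytes stay
# on the device until reused, which is what `cat /dev/sdb` or `strings /dev/sdb`
# relies on. Reading a raw device needs root or membership of the `disk` group.
#
# A constructed image file stands in for /dev/sdb so this runs offline; the
# planted marker is made up for the example, not the box's real flag.

MARKER='FLAG{constructed-example-not-the-real-flag}'

# make_image PATH: build a 64 KiB "device" full of zeros with a few planted
# byte runs, one of which is the file we pretend was deleted.
make_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    # a short leftover that a minimum-length filter should drop
    printf 'ab\n' | dd of="$img" bs=1 seek=4096 conv=notrunc 2>/dev/null
    # a fake "directory entry" for the file, which we then zero to simulate
    # the unlink: the name is gone, the data blocks below are not
    printf 'root.txt' | dd of="$img" bs=1 seek=8192 conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$img" bs=1 seek=8192 count=8 conv=notrunc 2>/dev/null
    # the file's data blocks, left in place by the delete
    printf 'contents of the deleted file: %s\n' "$MARKER" |
        dd of="$img" bs=1 seek=20480 conv=notrunc 2>/dev/null
}

# carve_strings PATH [MINLEN]: emulate `strings`: turn every non-printable byte
# into a newline and keep runs of at least MINLEN (default 8) printable chars.
carve_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E "^.{${2:-8},}$"
}

# grep_marker PATH: the targeted variant; -a makes grep treat the binary
# device as text, -o prints just the match.
grep_marker() {
    grep -a -o 'FLAG{[^}]*}' "$1"
}

# Demo run: build the image and show what a raw read recovers.
demo_img="${TMPDIR:-/tmp}/raw_recover_demo.$$"
make_image "$demo_img"
echo "strings-style carve:"
carve_strings "$demo_img"
echo "targeted grep:"
grep_marker "$demo_img"
rm -f "$demo_img"
```

On the real box the same two commands would be run against the device itself, e.g. carve_strings /dev/sdb, once you have a shell that is allowed to read it; cat /dev/sdb works too but dumps raw bytes to the terminal, so filtering for printable runs is kinder.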
