Hack The Box - Mirai Walkthrough

Barry Malone
May 17, 2021

Like a lot of people, I am starting off my OSCP prep by running through TJnull’s OSCP HTB/Vulnhub VM list and doing each box without Metasploit. The fourth Linux box in the list is Mirai.

This machine is the namesake of some IoT malware that caused a stir not too long ago (this turns out to be helpful during research for this box).

Recon

I kicked off my recon process using AutoRecon, as always super helpful and saves a lot of time.

Taking a look at the results we have a couple of interesting ports open:

SSH on this box accepted password auth, so I quickly ran the nmap ssh-brute script

This brute forcing didn't reveal anything useful so I decided to take a look at the other ports running web services.

Port 80 just served a blank index page:

I fired up dirsearch and found an admin endpoint; this turned out to be running a Raspberry Pi instance:

Exploitation

At this point I attempted to log in with a bunch of different default creds. I also tried to do some further directory fuzzing, to no avail (there were a lot of false positives).

I knew about the Mirai malware, so I had to do a bit of googling to go deeper; the malware itself infected/infects IoT devices using default credentials.

Yeah, I thought ‘I already tried the Pi default creds’, but I didn't try them across all the other services running on the box. You can access a Raspberry Pi via SSH also — testing the default credentials via SSH allowed me to access the host!

From here I quickly grabbed the user flag and got on to enumerating for the root flag:

The pi account looks to have sudo access to run everything so getting the root flag should be easy!.. 😜

Cat the root.txt flag and.. Denied! ❌

So the flag is on a USB, so I check out the fstab file to see where we are at in terms of mounting:

Navigating to the USB we can find another text file, but still no flag!

From here I was scratching my head to figure out the best way to recover files on Linux hosts (there are a bunch of different ways). It took me 15–20 minutes of poking around, looking in .Trash directories, before I remembered “EVERYTHING ON LINUX IS A FILE”, so running the strings command against the USB device where the “damnit.txt” file was located reveals the root flag!
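Why strings worked here: deleting a file removes the reference to it, but the data blocks stay on the medium until they are overwritten, so reading the raw device still shows the content. The sketch below is an added example, not part of the original walkthrough: a chunked strings-style scan that also reports the offset of each printable run. The function names, the constructed sample image and the `/dev/sdX` placeholder are assumptions.

```python
import io


def printable_runs(stream, min_len=4, chunk_size=4096):
    """Yield (offset, text) for each printable-ASCII run of at least min_len bytes.

    Reads fixed-size chunks so it works on a device of any size; a run that
    crosses a chunk boundary is carried over instead of being split in two.
    """
    run = bytearray()  # printable bytes collected so far
    start = 0          # offset of the first byte in `run`
    pos = 0            # offset of the byte currently being examined
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for b in chunk:
            if 0x20 <= b <= 0x7E or b == 0x09:
                if not run:
                    start = pos
                run.append(b)
            else:
                if len(run) >= min_len:
                    yield start, run.decode("ascii")
                run.clear()
            pos += 1
    if len(run) >= min_len:  # run that reaches the end of the device
        yield start, run.decode("ascii")


def build_sample_image():
    """Constructed 16 KiB stand-in for a device: zero-filled, with leftovers."""
    img = bytearray(16 * 1024)
    # File name still present in what would be directory metadata.
    img[1024:1034] = b"damnit.txt"
    # Constructed content of a deleted file, placed across the 4096-byte
    # chunk boundary to exercise the carry-over logic.
    leftover = b"CONSTRUCTED-DELETED-CONTENT-0001"
    img[4090:4090 + len(leftover)] = leftover
    return bytes(img)


if __name__ == "__main__":
    # On a real host, open the block device read-only instead, for example
    # open("/dev/sdX", "rb") where /dev/sdX is a placeholder for the USB device.
    for offset, text in printable_runs(io.BytesIO(build_sample_image()), min_len=8):
        print(f"{offset:#010x}  {text}")
```

The offsets make it possible to go back to the exact region of the device and image it before anything else writes to the medium.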

Conclusion

This is a super handy and quick to pwn box, always remember to try default creds across all services on a box 👌.

If you are here, thank you for taking the time to read this short article :)
