Hack The Box: Mirai


Information Gathering

nmap

nmap -T4 -A -v 10.10.10.48

The scan shows that the server has TCP ports 53, 80, and 22 open.

Accessing port 80 returns a blank page.

Directory Brute-Forcing

python3 dirsearch.py -u http://10.10.10.48/ -e html -t 20

The scan discovers the admin directory.

Visiting the admin page and searching for relevant information shows that it is a service built on a Raspberry Pi.

Exploitation

Try to log in with the Raspberry Pi default password. Searching for relevant information shows that the default password of the Raspberry Pi is as follows:

[Screenshot: Raspberry Pi default credentials]

Try to log in:

ssh pi@10.10.10.48

The login succeeds.

Directly cat /home/pi/user.txt to get the first flag.

Use the sudo -l command to view the commands the current user is allowed to run.

All commands can be executed without a password, so switch directly to the root user with sudo su.

Directly cat /root/root.txt to find the following information:

[Screenshot: output of cat /root/root.txt]

Check which devices are mounted on the current system:

df -lh

The /dev/sdb device is mounted under /media/stick.

Method 1

Use the strings command directly to obtain all strings in the device:

strings /dev/sdb

This returns a string that looks like a flag; after submitting it, it turns out to be correct.

Method 2

Extract an image of the USB device using dcfldd (an enhanced version of dd):

dcfldd if=/dev/sdb of=/home/pi/usb.dd

Then analyze the image contents:

binwalk usb.dd

Three files are found. Use binwalk to extract them:

binwalk -Me usb.dd

View the original file to get the flag.
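The escalation to root above worked because sudo -l showed that every command could be run without a password. The following is an added example, not part of the original post: a shell function that audits sudoers files for rules of that kind. The helper name audit_nopasswd and the sample rules are constructed for illustration, and it assumes one rule per line.

```shell
#!/bin/sh
# Added example: report sudoers rules that run ALL commands without a password.
# audit_nopasswd is a hypothetical helper name. Simplifications: one rule per
# line (no backslash continuations), aliases are not expanded, and "#uid"
# user specs are treated as comments.

# audit_nopasswd FILE... -> prints "FILE:LINE: WHO" for each risky rule.
audit_nopasswd() {
    awk '
    {
        sub(/#.*/, "")                       # strip comments
        p = index($0, "NOPASSWD:")
        if (p == 0 || $1 ~ /^(Defaults|[A-Za-z]+_Alias)/) next
        who = $1
        # Commands after the tag inherit it until a PASSWD: tag overrides it.
        n = split(substr($0, p + 9), cmd, ",")
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            while (match(c, /^[A-Z_]+:[ \t]*/)) {   # leading tags, e.g. SETENV:
                if (c ~ /^PASSWD:/) { c = ""; i = n; break }
                c = substr(c, RLENGTH + 1)
            }
            if (c == "ALL") { print FILENAME ":" FNR ": " who; break }
        }
    }' "$@"
}

# Constructed sample sudoers content (not taken from the machine in the post).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed test rules
root    ALL=(ALL:ALL) ALL
pi      ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
%ops    ALL=(ALL) NOPASSWD: /bin/ls, PASSWD: ALL
deploy  ALL=(ALL) NOPASSWD:SETENV: /usr/bin/systemctl, ALL
EOF

audit_nopasswd "$sample"    # reports the pi and deploy rules
```

On a real host, run it as root against /etc/sudoers and the files under /etc/sudoers.d, and remove or narrow any rule it reports.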
