Hey Guys, This is my first blog which I shall be documenting through my journey of pursuing OSCP. Inspired by @thecybermentor and Joe Helle.

Image for post
Image for post
Box Owned

Let’s get started!

Reconnaissance

Run Nmap to enumerate open ports and services running on the box.

Image for post
Image for post
Nmap scans

We see that there are 6 open ports, since there is not much we can do about the ssh port unless its version is vulnerable or may be bruteforcing for creds let's not begin with this. Which leaves us with port 80 and 32400 for web enumeration. Before that let's add the box name /etc/hosts file.

The host's file will help in mapping out the IP address with the mentioned URL.

On Navigating to http://mirai.htb:80 and we see that we are blocked by the admin.

Image for post
Image for post
Blocked page

Enumeration

Start off by checking the Robots.txt file, which we see that it's not available.

  1. Next, we check whether the website is using any PHP modules. This can be done manually by visiting (http://mirai.htb/index.php) or by an extension called as wappalyzer.

3. Since we dint find anything interesting let's check the source code of the application. Here we found a special website which is at (http://pi.hole/admin)

Image for post
Image for post
Website

4. At this point, the only thing that comes to mind is running a directory Bruteforce against the web application which doesn’t contain any sensitive directory or information.

Image for post
Image for post
Gobuster Scans
  1. Upon navigating we see that the website is displaying this info
Image for post
Image for post
Web response

2. Let's capture the request through burp and start checking for every endpoint. Here we see that the application is using some kind of regex to verify the directory structure.

Image for post
Image for post
Burp Response

Now on enumerating these ports we came to the conclusion that the application is referring to a website which is at ( http://pi.hole/admin ), since the DNS port 53 is opened let's enumerate on that.

The job of a DNS server is used to translate a domain name to an IP address.

This process is called Name Resolution. If this is found by the local DNS server then it's called a Recursive DNS query,

If the IP address is returned by TOP level domains or Authoritative domains then this type of query is called an Iterative DNS query.

  1. Using the dig command lets enumerate the port (Dig command is similar to that of nslookup in windows which translates a domain name to an IP address)

To learn more on dig please refer to this article (https://phoenixnap.com/kb/linux-dig-command-examples#:~:text=The%20dig%20command%20in%20Linux,used%20to%20display%20DNS%20information)

The above command specifies to use the Target DNS server and check for name resolution at pi.hole

Image for post
Image for post
Dig command

2. Now since we found a new internal IP address let's change the host's file URL to pi.hole and check the web application on this address (http://pi.hole/admin)

Image for post
Image for post
Dashboard

3. On logging into the application with default creds then we get an error

4. As we know that this webserver is running on the pi. We shall try gaining a shell through ssh. Try to get the defaults creds of Pi and perform the operation.

Image for post
Image for post
Ssh login

Privilege Escalation

  1. Let's perform a basic enumeration regarding the user and system.
Image for post
Image for post
Priv Esc Enumeration

2. On executing the below command we find that the user has Sudo privilege

Image for post
Image for post
Sudo command

3. Using the above command we can gain the root shell

Image for post
Image for post
Root shell

Thus we have successfully gained the root shell. Leaving behind a small task to enumerate further and gain the root flag. Wish you guys find them successfully.

Hope this write-up was helpful. Collaboration and networking is something that I always enjoy. Let’s connect

Twitter — https://twitter.com/Begin_hunt

Linkedin — https://www.linkedin.com/in/balapraneeth/

Happy hacking !!!
If you have reached this far, thank you for reading this article. Kindly feel free to point out any mistakes and do let me know where I can improve in writing and explaining in detail. Appreciate it!!. All the best. God bless

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store