Hack The Box — Mirai Writeup
Hey Guys, This is my first blog which I shall be documenting through my journey of pursuing OSCP. Inspired by @thecybermentor and Joe Helle.
Let’s get started!
Reconnaissance
Run Nmap to enumerate open ports and services running on the box.
We see that there are 6 open ports, since there is not much we can do about the ssh port unless its version is vulnerable or may be bruteforcing for creds let's not begin with this. Which leaves us with port 80 and 32400 for web enumeration. Before that let's add the box name /etc/hosts file.
The host's file will help in mapping out the IP address with the mentioned URL.
On Navigating to http://mirai.htb:80 and we see that we are blocked by the admin.
Enumeration
PORT 80
Start off by checking the Robots.txt file, which we see that it's not available.
- Next, we check whether the website is using any PHP modules. This can be done manually by visiting (http://mirai.htb/index.php) or by an extension called as wappalyzer.
3. Since we dint find anything interesting let's check the source code of the application. Here we found a special website which is at (http://pi.hole/admin)
4. At this point, the only thing that comes to mind is running a directory Bruteforce against the web application which doesn’t contain any sensitive directory or information.
PORT 32400
- Upon navigating we see that the website is displaying this info
2. Let's capture the request through burp and start checking for every endpoint. Here we see that the application is using some kind of regex to verify the directory structure.
Now on enumerating these ports we came to the conclusion that the application is referring to a website which is at ( http://pi.hole/admin ), since the DNS port 53 is opened let's enumerate on that.
PORT 53 (DNS)
The job of a DNS server is used to translate a domain name to an IP address.
Recursive DNS Query:
This process is called Name Resolution. If this is found by the local DNS server then it's called a Recursive DNS query,
Iterative DNS Query:
If the IP address is returned by TOP level domains or Authoritative domains then this type of query is called an Iterative DNS query.
- Using the dig command lets enumerate the port (Dig command is similar to that of nslookup in windows which translates a domain name to an IP address)
To learn more on dig please refer to this article (https://phoenixnap.com/kb/linux-dig-command-examples#:~:text=The%20dig%20command%20in%20Linux,used%20to%20display%20DNS%20information)
The above command specifies to use the Target DNS server and check for name resolution at pi.hole
2. Now since we found a new internal IP address let's change the host's file URL to pi.hole and check the web application on this address (http://pi.hole/admin)
3. On logging into the application with default creds then we get an error
4. As we know that this webserver is running on the pi. We shall try gaining a shell through ssh. Try to get the defaults creds of Pi and perform the operation.
Privilege Escalation
- Let's perform a basic enumeration regarding the user and system.
2. On executing the below command we find that the user has Sudo privilege
3. Using the above command we can gain the root shell
Thus we have successfully gained the root shell. Leaving behind a small task to enumerate further and gain the root flag. Wish you guys find them successfully.
Hope this write-up was helpful. Collaboration and networking is something that I always enjoy. Let’s connect
Twitter — https://twitter.com/Begin_hunt
Linkedin — https://www.linkedin.com/in/balapraneeth/
Happy hacking !!!
If you have reached this far, thank you for reading this article. Kindly feel free to point out any mistakes and do let me know where I can improve in writing and explaining in detail. Appreciate it!!. All the best. God bless