An easy Linux box from HackTheBox, get initial access by enumerating that the victim is a Raspberry Pi and just use the default password to SSH in with root privileges, then have to recover a deleted root flag.


Running the default nmap

sudo nmap -sC -sV -oA nmap/init
22/tcp open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey: 
|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open  domain  dnsmasq 2.76
| dns-nsid: 
|_  bind.version: dnsmasq-2.76
80/tcp open  http    lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Then running gobuster on the HTTP server

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --url

Find an /admin page, navigating to it find an instance of Pi-Hole running, giving away that the box is a raspberry pi

Going back to the SSH try to connect using the default credentials of the raspberry pi, pi:raspberry

And get in!


Not much exploitation on this box, it consisted of tracking down the root text file

The pi user had sudo privileges, so just needed to run

sudo su

To get root on the box

The only problem is that the root.txt file was stored on a USB stick and then deleted

cat root.txt

I think I misplaced the file, maybe it's on my USB?

Then going to the USB folder, /media/usbstick find another textfile

cat damnit.txt

Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?

So it was deleted off of the usbstick, but can likely still be recovered

Going to /dev, see the usbstick as /dev/sdb - its actual mounting point

To see if we can recover any data off of it, run

strings /dev/sdb

And inside the output, find the root flag