Mirai
An easy Linux box from HackTheBox. Initial access comes from enumerating that the victim is a Raspberry Pi and using the default password to SSH in with root-level (sudo) privileges; the remaining task is to recover a deleted root flag.
Recon
Running nmap with the default scripts and version detection:
sudo nmap -sC -sV -oA nmap/init 10.10.10.48
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
| ssh-hostkey:
| 1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)
| 2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)
| 256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)
|_ 256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)
53/tcp open domain dnsmasq 2.76
| dns-nsid:
|_ bind.version: dnsmasq-2.76
80/tcp open http lighttpd 1.4.35
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: lighttpd/1.4.35
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Then running gobuster on the HTTP server
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt --url http://10.10.10.48
This finds an /admin page. Navigating to it shows an instance of Pi-hole running, which gives away that the box is a Raspberry Pi.
Going back to SSH, try to connect using the Raspberry Pi default credentials, pi:raspberry
And get in!
Exploitation
There is not much exploitation on this box; it mostly consisted of tracking down the root text file.
The pi user had sudo privileges, so all that was needed was to run
sudo su
To get root on the box
The only problem is that the root.txt file was stored on a USB stick and then deleted
cat root.txt
I think I misplaced the file, maybe it's on my USB?
Then, going to the USB folder, /media/usbstick, find another text file
cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
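So it was deleted off of the USB stick, but can likely still be recovered: deleting a file normally removes the filesystem's reference to it, not the data itself.
Going to /dev, see the USB stick as /dev/sdb, the block device that is mounted at /media/usbstick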
To see if we can recover any data off of it, run
strings /dev/sdb
And inside the output, find the root flag
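Why strings on the raw device still finds a deleted file, as an added example that is not part of the original writeup: a strings-style scan reads device bytes directly and ignores filesystem metadata, so content survives until its block is overwritten. The image layout, block size and secret value are constructed for illustration.

```python
import re

BLOCK = 1024  # block size assumed for the constructed image

def put(img: bytearray, offset: int, data: bytes) -> None:
    """Write data into the image in place without changing its size."""
    img[offset:offset + len(data)] = data

def build_image() -> bytearray:
    """Constructed 8-block 'device': one live file plus a deleted file's leftover block."""
    img = bytearray(8 * BLOCK)
    put(img, 3 * BLOCK, b"Damnit! Sorry man I accidentally deleted your files\n")
    # Block 5 held the deleted file. Deletion dropped the reference to it,
    # but nothing rewrote the block, so the content is still on the media.
    put(img, 5 * BLOCK, b"CONSTRUCTED-SECRET-0123456789abcdef\n")
    return img

def printable_runs(raw: bytes, min_len: int = 4):
    """Yield (offset, text) for printable-ASCII runs, the heuristic strings(1) applies."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw):
        yield m.start(), m.group().decode("ascii")

def scan(raw: bytes, pattern: str):
    """Return (block, offset, text) for runs matching pattern; no metadata is consulted."""
    rx = re.compile(pattern)
    return [(off // BLOCK, off, text)
            for off, text in printable_runs(raw) if rx.search(text)]

def overwrite(img: bytearray, block: int) -> None:
    """Zero one block in place, which is the step that unlinking a file skips."""
    put(img, block * BLOCK, bytes(BLOCK))

if __name__ == "__main__":
    img = build_image()
    print("after delete:   ", scan(img, r"SECRET"))
    overwrite(img, 5)
    print("after overwrite:", scan(img, r"SECRET"))
```

The same scan comes back empty once the block has been overwritten, which is the difference between deleting a secret and sanitizing the media that held it.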