Mirai — HTB walkthrough

Nmap scan


Visiting website gave us a blank page so I decided to make a gobuster scan

admin and versions directory found

Login page

Tried some sql injection — didn’t work

Searched for pi-hole attacks

No one worked, path /scripts/pi-hole/php was not there so all attacks were of no use. Suddenly, a thought struck and I thought of default username passwords to try

I tried login in, using this password , but it didn’t work. Enumerating a more

Let’s try it, default creds of SSH.

Enumerating sudo privileges for user pi

We see we can run any command with sudo priv without passwd on localhost

Great let’s do sudo bash

Trolls by machine maker. He wants you to dig more. The flag says , Flag is in usb stick, and usb can be a mounted media device. So I checked in /mnt and /media directories.

James said he lost it. Then there must be a backup. But no luck, no backup. So did df -lh to see space occupied and left on disk

df command : stands for disk free : df is a standard Unix command used to display the amount of available disk space for file systems on which the invoking user has appropriate read access.

On /dev/ we see we have /sdb.

The disk names in Linux are alphabetical. /dev/sda is the first hard drive (the primary master), /dev/sdb is the second etc. The numbers refer to partitions, so /dev/sda1 is the first partition of the first drive

cat /dev/sdb

It has root.txt, so lets filter out strings




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store