Mark Clowes (38M 🇬🇧)

hackthebox.com CTF Mirai

2023-09-27
I've had this forgotten in my drafts folder for a long time. This is my solution for the CTF box "Mirai" over at hackthebox.com. It was not a difficult CTF and there are other published solutions available online.

root@kali:~# nmap -v 10.10.10.48

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-23 14:31 GMT
Initiating Ping Scan at 14:31
Scanning 10.10.10.48 [4 ports]
Completed Ping Scan at 14:31, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:31
Completed Parallel DNS resolution of 1 host. at 14:31, 0.04s elapsed
Initiating SYN Stealth Scan at 14:31
Scanning 10.10.10.48 [1000 ports]
Discovered open port 53/tcp on 10.10.10.48
Discovered open port 80/tcp on 10.10.10.48
Discovered open port 22/tcp on 10.10.10.48
Increasing send delay for 10.10.10.48 from 0 to 5 due to 183 out of 609 dropped probes since last increase.
Completed SYN Stealth Scan at 14:32, 9.24s elapsed (1000 total ports)
Nmap scan report for 10.10.10.48
Host is up (0.041s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 9.48 seconds
           Raw packets sent: 1652 (72.664KB) | Rcvd: 1014 (42.312KB)

root@kali:~# curl 10.10.10.48 -v
* Rebuilt URL to: 10.10.10.48/
*   Trying 10.10.10.48...
* TCP_NODELAY set
* Connected to 10.10.10.48 (10.10.10.48) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.48
> User-Agent: curl/7.57.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< X-Pi-hole: A black hole for Internet advertisements.
< Content-type: text/html; charset=UTF-8
< Content-Length: 0
< Date: Sat, 23 Dec 2017 14:36:57 GMT
< Server: lighttpd/1.4.35

Okay, it's a Pi-hole. Let's try the default credentials for a Raspberry Pi... Yep, we're in. That was easy. We've got root via sudo. There are two flags per machine: user and root. The user flag is in /home/pi/Desktop. However, the root flag is more convoluted:

root@raspberrypi:~# cat /root/root.txt 
I lost my original root.txt! I think I may have a backup on my USB stick...
root@raspberrypi:~# cat /media/usbstick/damnit.txt 
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?  

Alright, there are probably several ways of overcoming this. Here's my method:

root@raspberrypi:~# df -h /dev/sdb
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb        8.7M   93K  7.9M   2% /media/usbstick

That is quite a small USB stick! Small enough to just browse it manually:

hexdump /dev/sdb -C | less
00800800  2a 00 00 00 2c 00 00 00  2e 00 00 00 85 1a f5 04  |*...,...........|
00800810  02 00 00 00 00 00 00 00  00 00 00 00 f5 04 84 82  |................|
00800820  2b 00 00 00 2d 00 00 00  ce 00 00 00 d6 07 00 05  |+...-...........|
00800830  00 00 01 00 00 00 00 00  00 00 00 00 00 05 d4 03  |................|
00800840  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0080a800  33 64 33 65 34 38 33 31  34 33 66 66 31 32 65 63  |3d3e483143ff12ec|
0080a810  35 30 35 64 30 32 36 66  61 31 33 65 30 32 30 62  |505d026fa13e020b|
0080a820  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0080a830  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
0080ac00  44 61 6d 6e 69 74 21 20  53 6f 72 72 79 20 6d 61  |Damnit! Sorry ma|
0080ac10  6e 20 49 20 61 63 63 69  64 65 6e 74 61 6c 6c 79  |n I accidentally|
0080ac20  20 64 65 6c 65 74 65 64  20 79 6f 75 72 20 66 69  | deleted your fi|
0080ac30  6c 65 73 20 6f 66 66 20  74 68 65 20 55 53 42 20  |les off the USB |
0080ac40  73 74 69 63 6b 2e 0a 44  6f 20 79 6f 75 20 6b 6e  |stick..Do you kn|
0080ac50  6f 77 20 69 66 20 74 68  65 72 65 20 69 73 20 61  |ow if there is a|
0080ac60  6e 79 20 77 61 79 20 74  6f 20 67 65 74 20 74 68  |ny way to get th|
0080ac70  65 6d 20 62 61 63 6b 3f  0a 0a 2d 4a 61 6d 65 73  |em back?..-James|
0080ac80  0a 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
0080ac90  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*

And that is indeed the deleted data.
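
The manual hexdump browsing above, automated: this is an added example, not code from the original post. It scans a raw image for runs of printable text and reports their byte offsets, which is how the contents of a deleted file show up when its blocks have not been overwritten. The function names and the sample image are constructed for illustration; on a real device, scan a copy of it rather than the mounted stick.

```python
import io
import re
import sys

# Printable ASCII plus tab/newline; a "run" is 8 or more such bytes in a row.
PRINTABLE_SET = bytes([9, 10]) + bytes(range(0x20, 0x7F))
RUN = re.compile(rb"[\t\n\x20-\x7e]{8,}")

def find_text_runs(stream, chunk_size=1 << 20):
    """Yield (absolute_offset, text) for each printable run in a raw image."""
    base, carry = 0, b""          # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        buf = carry + chunk
        # Hold back a trailing printable tail: it may continue in the next chunk.
        body = buf if not chunk else buf.rstrip(PRINTABLE_SET)
        for m in RUN.finditer(body):
            yield base + m.start(), m.group().decode("ascii")
        if not chunk:             # EOF: everything has been scanned
            return
        carry = buf[len(body):]
        base += len(body)

def hash_like(runs):
    """Keep runs that are exactly one 32-character lowercase hex token."""
    return [(off, t.strip()) for off, t in runs
            if re.fullmatch(r"[0-9a-f]{32}", t.strip())]

def build_sample_image():
    """Constructed 64 KiB zero-filled image with two leftover data blocks."""
    img = bytearray(64 * 1024)
    for off, data in ((0x2800, b"0123456789abcdef0123456789abcdef\n"),  # "deleted" file
                      (0x2C00, b"Sorry, I deleted your files.\n")):     # surviving note
        img[off:off + len(data)] = data
    return bytes(img)

if __name__ == "__main__":
    # Pass an image path (e.g. a copy made with dd); default is the sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    with src:
        for off, text in find_text_runs(src):
            print(f"{off:08x}  {text!r}")
```

Deleting a file only removes the directory entry, so the same scan on a storage device being decommissioned shows whether it still holds recoverable data.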