Hackthebox - Mirai

From nmap, there are ssh, dns, and http service.

The index page is empty.

With gobuster, we can see that there is an admin directory.

There is a index.php and a login page, it seems like it runs on a raspberry pi.

I tried to access ssh with raspberry pi default credential pi:raspberry. It worked, and I got user.txt.

With sudo -l, we found that we can run any command with sudo. Let’s run sudo su -, and we are root. But it said root.txt is lost and may have a copy on USB disk.

Access the USB disk /media/usbdisk, it said the file was deleted.

We can execute strings /dev/sdb and try to find the flag, since /dev/sdb is the usb device, and it mounts on /media/usbdisk. Luckily, we found the flag.