# Mirai Walkthrough

Welcome to this walkthrough of the **HackTheBox** machine “**Mirai**”. Let’s take a look at the machine’s information.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*q_YbqRwhQgWeIFBXjJudxQ.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*KbjrKpTpGm0_yciy-vee3g.png" alt=""><figcaption></figcaption></figure>

Okay, it’s rated easy and is based on Linux, so let’s get started…

## **Nmap Scan**

In this step, we aim to identify all open ports, the services running on them, and other information, as we will see now.

`nmap -A -T4 -O -oG mirai.gnmap 10.10.10.48`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*gEk7ATF5vEtUjQg8QxHQaw.png" alt=""><figcaption></figcaption></figure>

We used `-oG` to write the results to a file with the `.gnmap` extension, so we can reuse it later for brute-forcing credentials if there is a service that can be brute-forced, such as `ssh/ftp`.

We have 3 open ports with 3 services running on them. For now, just note them in a text file until we finish the information-gathering steps.
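The grepable file written by `-oG` is easy to post-process instead of noting ports by hand. The following is an added example, not part of the original post: it parses that format into a per-host list of open ports and picks out the `ssh/ftp` services mentioned above. The sample scan output, host address and function names are constructed for illustration.

```python
import re

# Constructed sample of nmap grepable (-oG) output; host and services are illustrative.
SAMPLE_GNMAP = (
    "# Nmap scan initiated as: nmap -A -T4 -oG sample.gnmap 192.0.2.10\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.7p1/, "
    "80/open/tcp//http//lighttpd 1.4.35/, 8080/closed/tcp//http-proxy///"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

PASSWORD_SERVICES = {"ssh", "ftp"}  # the services the text singles out


def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        fields = line.split("\t")  # fields on a Host line are tab-separated
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Entries are comma-separated; split only before "<digits>/" so a
            # comma inside a version string does not break an entry apart.
            for entry in re.split(r",\s*(?=\d+/)", field[len("Ports:"):].strip()):
                # Layout: port/state/protocol/owner/service/rpc-info/version/
                parts = entry.split("/")
                if len(parts) >= 7 and parts[1] == "open":
                    hosts.setdefault(host, []).append(
                        (int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def password_login_services(hosts):
    """List (host, port, service) for open services that accept password logins."""
    return [(h, port, svc) for h, ports in hosts.items()
            for port, _proto, svc, _ver in ports if svc in PASSWORD_SERVICES]


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    print(inventory)
    print(password_login_services(inventory))
```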

## **Website Enumeration**

In this step, we will review the source code, check the functions, discover hidden directories, check the response header, and so on.

First, we will use `nikto` to gather some information. In the results, we found an unfamiliar response header, `x-pi-hole`, so note it.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*fEykPVlGES-E8iWGfNPo3Q.png" alt=""><figcaption></figcaption></figure>

Let’s discover the hidden directories. You can use `dirsearch/dirbuster/gobuster/ffuf/metasploit modules` or any other tool that performs the same task.

`python3 dirsearch.py -u 10.10.10.48 -e php -t 40`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*2v4uL3dz_4r0ZQJ4mxKkIQ.png" alt=""><figcaption><p>Dirsearch results</p></figcaption></figure>

Now we know the `/admin` directory is available. When you open it, you will find the default admin page for **Pi-Hole**, but you’re not authenticated and need to log in as an admin.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*wmpxEdUYXIRZRqDGa0GeJA.png" alt=""><figcaption></figcaption></figure>

The version of Pi-Hole is shown at the bottom of the page, but after searching for exploits related to this version, I faced a problem: I must be authenticated, as you can see here

<figure><img src="https://cdn-images-1.medium.com/max/800/1*bgAw3s-doMC7eonrcj9TjQ.png" alt=""><figcaption></figcaption></figure>

So I tried to search for the default credentials for Pi-Hole, and I found them

<figure><img src="https://cdn-images-1.medium.com/max/800/1*3LLw0ko1nb7i34PrmCUqbw.png" alt=""><figcaption></figcaption></figure>

If you try to use these credentials to log in to the admin panel, you will fail, so I used a new technique to find out what these credentials are valid for.

I’ve used a new tool called `medusa`

> Installation: `apt-get install medusa`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*JpdZ2u8uEwlaoDG18XxCVw.png" alt=""><figcaption></figcaption></figure>

We will check the credentials against SSH

<figure><img src="https://cdn-images-1.medium.com/max/800/1*21p5KrLWcIdBP7wkYA03hA.png" alt=""><figcaption></figcaption></figure>

And they’re valid. Let’s log in over SSH using these credentials

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Xaqxml5qdGaZIrAiOzynlw.png" alt=""><figcaption></figcaption></figure>

Good, we now have user privileges and can get the user flag. Let’s try to get the `root` role and search for the root flag.

I just typed `sudo su` to become admin. Easy, right? But unfortunately, the root flag isn’t easy :(

<figure><img src="https://cdn-images-1.medium.com/max/800/1*X_MbIzU-OvJPbVC28fuZuQ.png" alt=""><figcaption></figcaption></figure>
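From the defender's side, the SSH credential check, the password login and the `sudo su` above all leave entries in the host's auth log. The following is an added example, not part of the original post: it reviews such a log and reports every password-based SSH login, how many failed attempts the same source made beforehand, and whether that account then ran a command as root through sudo. The log lines, user names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed auth.log lines; the user names and addresses are illustrative.
SAMPLE_LOG = """\
Jan 10 12:00:01 host sshd[801]: Failed password for root from 198.51.100.7 port 40100 ssh2
Jan 10 12:00:02 host sshd[802]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2
Jan 10 12:00:03 host sshd[803]: Accepted password for appliance from 198.51.100.7 port 40104 ssh2
Jan 10 12:00:40 host sudo: appliance : TTY=pts/0 ; PWD=/home/appliance ; USER=root ; COMMAND=/bin/su
Jan 10 12:05:00 host sshd[900]: Accepted publickey for ops from 192.0.2.20 port 50000 ssh2: RSA SHA256:constructed
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) (password|publickey) for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(\S+)")


def review_auth_log(text):
    """Return one finding per account that logged in over SSH with a password."""
    failures = Counter()  # failed authentication attempts per source address
    sessions = {}         # user -> finding for a password-based login
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            outcome, method, user, ip = m.groups()
            if outcome == "Failed":
                failures[ip] += 1
            elif method == "password":  # key-based logins are not reported
                sessions[user] = {"user": user, "ip": ip,
                                  "failed_before": failures[ip],
                                  "root_via_sudo": None}
            continue
        m = SUDO_RE.search(line)
        if m and m.group(1) in sessions:
            # The same account escalated to root after its password login.
            sessions[m.group(1)]["root_via_sudo"] = m.group(2)
    return list(sessions.values())


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG):
        print(finding)
```

A finding with `failed_before` equal to 0 is still worth reviewing: a default credential succeeds on the first attempt and produces no failures at all.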

Let’s do a quick Google search for `usb stick in kali terminal` to find out exactly where to look

<figure><img src="https://cdn-images-1.medium.com/max/800/1*A4ENgdENEW0974V9DWeiHw.png" alt=""><figcaption></figcaption></figure>

As you can see, I found this resource and the directory which should have the flag. Let’s search for it

<figure><img src="https://cdn-images-1.medium.com/max/800/1*0jlIYLDY4FOWVmaYyl1m6g.png" alt=""><figcaption></figcaption></figure>

Good, we have this file. After opening it with `cat sdb`, we have the flag now :):)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*n3X2EPtSCH5QSgIKUcYEFA.png" alt=""><figcaption></figcaption></figure>

