# Mirai

## Gaining Access

Nmap scan:

<figure><img src="/files/Zy2gwHjCEDBgKfZORbth" alt=""><figcaption></figcaption></figure>

### SSH Default Credentials

Checking port 80 reveals a Pi-Hole dashboard:

<figure><img src="/files/n4IIHzG6EYMJo63Tv562" alt=""><figcaption></figcaption></figure>

There's a login function, and I managed to login with default credentials of `pi:raspberry`. I also tried to SSH in as `pi` using these credentials, and it worked for some reason:

<figure><img src="/files/euKCIK6Ed3LGBxOlV1Mu" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Flag Finding

I was able to run `sudo su` on this machine and search for `root.txt`:

<figure><img src="/files/cXSSICO0ZB6lAXh8rtGy" alt=""><figcaption></figcaption></figure>

Interesting, because the root flag is where on a USB stick. Now, the backup would probably be some file in a different format and compressed. We know that the flag is a string, so we can use `strings` to get it out. It is stored at `/dev/sdb`.

```bash
strings /dev/sdb
```

This would give us the flag once we search the input sufficiently.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://rouvin.gitbook.io/ibreakstuff/writeups/hackthebox/easy/mirai.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.