Moria:1 surfaced on VulnHub on April 20th, 2017. Created by Abatchy, it can be found at https://www.vulnhub.com/entry/moria-1,187/. It is the first machine in the Moria series. The objective is to get root privileges and find flag.txt.

For the attacking machine, I will be using Kali 2017.1 running on Virtual Box.

For the victim machine, I will be using Virtual Box. I tried to run on VMware Fusion on MacOS, but for some reason, it was getting an IP assigned. I used a bridged network to make it work.

Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

and we find the IP to be 192.168.0.111.

Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

  • Port 21 – Running FTP
  • Port 22 – Running OpenSSH
  • Port 80 – Running Apache server

Let’s head over to the browser to see if we find something useful:

Looking at the web page and the source code, I do not find anything interesting. Let’s fire up dirbuster and see what the mysterious artifacts hidden behind the gate are:

I see that /w/h/… is building up to something, let’s see to what:

After reaching http://192.168.0.111/w/h/i/s/p/e/r/the_abyss/, this is what I see:

I accidentally refreshed the page and saw that the text had changed:

Logically speaking, these could be a list of users on the machine, but what about their password? After spending a lot of time here, I decided to move on to the FTP server.

Seeing this, we know that the username is Balrog, but what about the password? The search brought me to this page, http://tolkiengateway.net/wiki/Doors_of_Durin where I thought of brushing up my LOTR trivia when suddenly I realized the phrase “Say friend and enter.” I tried friend as the password, but it did not work.

Next, I tried Friend followed by FRIEND, but none of them worked. After looking at the above page, I thought of trying Mellon, which is a friend in Dwarven. So I tried mellon, but even that did not work. Next, I tried Mellon, and it worked, and I was in:

Now that I was in, I thought of first checking out the web application running and see if there’s anything I might’ve missed.

Note: Run the command pass to turn on passive mode and use command dir to list rather than ls.

So, I went to /var/www/html and found this:

Opening that in the browser turned out this:

Ethical Hacking Training – Resources (InfoSec)

And after looking at the source code, it made me happy!

Time for some cracking!

Before that, I organized data a bit:

To crack them, I used john dynamic format with the following command:

$ john -form=dynamic_6 crack_input.txt

and within seconds I had my answer:

Next, I tried to SSH with the details I just got and was able to get in using Ori’s credentials:

As soon as I logged in, I saw a file called poem.txt, and this is what it said:

Since this made no sense to me, I tried to see if anything more was available for Ori:

Oh well, we can ssh from within! Let’s see where that gets us:

$ ssh -i id_rsa root@127.0.0.1

And voila! We are root!