Moria:1 surfaced on VulnHub on April 20th, 2017. Created by Abatchy, it can be found at https://www.vulnhub.com/entry/moria-1,187/. It is the first machine in the Moria series. The objective is to get root privileges and find flag.txt.
For the attacking machine, I will be using Kali 2017.1 running on Virtual Box.
For the victim machine, I will be using Virtual Box. I tried to run on VMware Fusion on MacOS, but for some reason, it was getting an IP assigned. I used a bridged network to make it work.
Once booted, this is what the victim machine will look like:
We start the attack by finding the IP of the victim machine by using the netdiscover command:
and we find the IP to be 192.168.0.111.
Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:
The scan shows us that the following ports are open:
- Port 21 – Running FTP
- Port 22 – Running OpenSSH
- Port 80 – Running Apache server
Let’s head over to the browser to see if we find something useful:
Looking at the web page and the source code, I do not find anything interesting. Let’s fire up dirbuster and see what the mysterious artifacts hidden behind the gate are:
I see that /w/h/… is building up to something, let’s see to what:
After reaching http://192.168.0.111/w/h/i/s/p/e/r/the_abyss/, this is what I see:
I accidentally refreshed the page and saw that the text had changed:
Logically speaking, these could be a list of users on the machine, but what about their password? After spending a lot of time here, I decided to move on to the FTP server.
Seeing this, we know that the username is Balrog, but what about the password? The search brought me to this page, http://tolkiengateway.net/wiki/Doors_of_Durin where I thought of brushing up my LOTR trivia when suddenly I realized the phrase “Say friend and enter.” I tried friend as the password, but it did not work.
Next, I tried Friend followed by FRIEND, but none of them worked. After looking at the above page, I thought of trying Mellon, which is a friend in Dwarven. So I tried mellon, but even that did not work. Next, I tried Mellon, and it worked, and I was in:
Now that I was in, I thought of first checking out the web application running and see if there’s anything I might’ve missed.
Note: Run the command pass to turn on passive mode and use command dir to list rather than ls.
So, I went to /var/www/html and found this:
Opening that in the browser turned out this:
Ethical Hacking Training – Resources (InfoSec)
And after looking at the source code, it made me happy!
Time for some cracking!
Before that, I organized data a bit:
To crack them, I used john dynamic format with the following command:
$ john -form=dynamic_6 crack_input.txt
and within seconds I had my answer:
Next, I tried to SSH with the details I just got and was able to get in using Ori’s credentials:
As soon as I logged in, I saw a file called poem.txt, and this is what it said:
Since this made no sense to me, I tried to see if anything more was available for Ori:
Oh well, we can ssh from within! Let’s see where that gets us:
$ ssh -i id_rsa email@example.com
And voila! We are root!