
Moria: 1 – Walkthrough

May 16, 2017 by Chiragh Dewan

Moria:1 surfaced on VulnHub on April 20th, 2017. Created by Abatchy, it can be found at,187/. It is the first machine in the Moria series. The objective is to get root privileges and find flag.txt.

For the attacking machine, I will be using Kali 2017.1 running on VirtualBox.

For the victim machine, I will be using VirtualBox. I tried to run it on VMware Fusion on macOS, but for some reason, it was getting an IP assigned. I used a bridged network to make it work.

Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

and we find the IP to be

Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

  • Port 21 – Running FTP
  • Port 22 – Running OpenSSH
  • Port 80 – Running Apache server

Let’s head over to the browser to see if we find something useful:

Looking at the web page and the source code, I do not find anything interesting. Let’s fire up dirbuster and see what the mysterious artifacts hidden behind the gate are:

I see that /w/h/… is building up to something, let’s see to what:

After reaching, this is what I see:

I accidentally refreshed the page and saw that the text had changed:

Logically speaking, these could be a list of users on the machine, but what about their password? After spending a lot of time here, I decided to move on to the FTP server.

Seeing this, we know that the username is Balrog, but what about the password? The search brought me to this page, where I thought of brushing up my LOTR trivia when suddenly I realized the phrase “Say friend and enter.” I tried friend as the password, but it did not work.

Next, I tried Friend followed by FRIEND, but neither of them worked. After looking at the above page, I thought of trying Mellon, which is a friend in Dwarven. So I tried mellon, but even that did not work. Next, I tried Mellon, and it worked, and I was in:

Now that I was in, I thought of first checking out the running web application to see if there was anything I might've missed.

Note: Run the command pass to turn on passive mode and use command dir to list rather than ls.

So, I went to /var/www/html and found this:

Opening that in the browser turned up this:

And after looking at the source code, it made me happy!

Time for some cracking!

Before that, I organized the data a bit:

To crack them, I used john dynamic format with the following command:

$ john -form=dynamic_6 crack_input.txt

and within seconds I had my answer:
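John's dynamic_6 format is md5(md5($p).$s), two fast MD5 calls per guess, which is why salted hashes stored this way fall within seconds. The following is an added example, not code from the original walkthrough or the target machine: it builds that construction and shows how an application can verify such a legacy record once and replace it with a slow PBKDF2 record. The password, salt, record layout and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 cost for this example; tune to your hardware

def dynamic_6(password: str, salt: str) -> str:
    """md5(md5($p).$s): the construction John's dynamic_6 format describes."""
    inner = hashlib.md5(password.encode()).hexdigest()  # lowercase hex digest
    return hashlib.md5((inner + salt).encode()).hexdigest()

def legacy_record(password: str, salt: str) -> str:
    """Stored value in John's tagged syntax: $dynamic_6$<hash>$<salt>."""
    return f"$dynamic_6${dynamic_6(password, salt)}${salt}"

def pbkdf2_record(password: str) -> str:
    """Slow replacement: random 16-byte salt, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"

def verify(password: str, record: str) -> bool:
    """Constant-time check of a password against either record type."""
    parts = record.split("$")[1:]  # drop the empty field before the first '$'
    if len(parts) == 3 and parts[0] == "dynamic_6":
        got = dynamic_6(password, parts[2])
        return hmac.compare_digest(got.encode(), parts[1].encode())
    if len(parts) == 4 and parts[0] == "pbkdf2_sha256":
        try:
            salt, want = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
            got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[1]))
        except (ValueError, OverflowError):
            return False  # malformed record
        return hmac.compare_digest(got, want)
    return False  # unknown scheme: fail closed

def login_and_upgrade(password: str, record: str) -> tuple:
    """Verify; on a successful legacy login return a PBKDF2 record to store instead."""
    if not verify(password, record):
        return False, record
    if record.startswith("$dynamic_6$"):
        return True, pbkdf2_record(password)
    return True, record

if __name__ == "__main__":
    old = legacy_record("constructed-pass", "c0ffee")  # constructed sample values
    ok, new = login_and_upgrade("constructed-pass", old)
    print(old, ok, new.split("$")[1], sep="\n")
```

Upgrading on login only covers users who sign in again; records that stay in the legacy format remain as weak as the ones cracked here until they are reset.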

Next, I tried to SSH with the details I just got and was able to get in using Ori’s credentials:

As soon as I logged in, I saw a file called poem.txt, and this is what it said:

Since this made no sense to me, I tried to see if anything more was available for Ori:

Oh well, we can ssh from within! Let’s see where that gets us:

$ ssh -i id_rsa root@

And voila! We are root!

Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.