Vulnhub.com — Moria 1.1 CTF *WIP* Solution

I’ve reached an impasse with this one, so I’m writing up my current progress and walking away for a while. I will try to come back to this later, but I’m at a point where I can’t figure out how I could possibly move forward with the information that I have.

Maybe you can help in the comments?

edit: I figured it out :) — this is therefore Part I, and the link is Part II.

Anyway, onward. This is part of a few VMs I’m going to play with as part of my “limbering up” to start my OSCP in a couple of weeks.

This is Moria by abatchy, hosted on Vulnhub.

Standard start with:

arp-scan -l

to identify my VM, followed by

nmap -O -A 172.16.61.149

This gives me:

root@kali:/# nmap -O -A 172.16.61.149
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-21 08:49 BST
-----8<---------
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.0.8 or later
22/tcp open  ssh     OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
|   2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
|_  256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
80/tcp open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Gates of Moria
-----8<---------
Nmap done: 1 IP address (1 host up) scanned in 16.87 seconds

Whilst I’m here with a probable web server, I’ll also run

nikto -h 172.16.61.149

and see if there’s anything vulnerable that I might be able to easily exploit.

Turns out there’s nothing immediately jumping out, so maybe I’ll come back to that later.

With :80 open, let’s browse to the site and see what we have.

Some kind of thematic image with some orc writing on it, I guess.

A look at the picture with

strings file.jpg

and

binwalk -B file.jpg

don’t give me anything that I can work with.

Let’s throw some common directory names at the webserver using

dirb http://172.16.61.149 /usr/share/wordlists/dirb/common.txt

Bingo…

root@kali:/# dirb http://172.16.61.149 /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Jun 21 08:57:54 2017
URL_BASE: http://172.16.61.149/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.16.61.149/ ----
+ http://172.16.61.149/cgi-bin/ (CODE:403|SIZE:210)
+ http://172.16.61.149/index.php (CODE:200|SIZE:85)
==> DIRECTORY: http://172.16.61.149/w/
---- Entering directory: http://172.16.61.149/w/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Wed Jun 21 08:57:55 2017
DOWNLOADED: 4612 - FOUND: 2

Navigating to /w/ gives me a directory list with a single folder in it… /h/.

This continues to spell out ‘W H I S P E R’ and then ‘the_abyss’.

A hint that there’s a message for me somewhere…

Having recently read Web Hacking 101 by Peter Yaworski as part of trying to get into Bug Bounties, I remembered the advice to stick something like Wireshark on and do some browsing around the site.

So I did, re-navigating around the pages I’d already seen.

When I got back to the_abyss, I noticed that I had a different message than before. So I naturally refreshed a bunch of times and saw that it was cycling randomly through a handful of messages.

One of them said “knock knock” so, as a married man not unaccustomed to having to take hints, I deduced that I needed to do some port knocking. Ace.

But, err, anybody got any ports you want knocking?

Back to Wireshark to review the traffic to and from my VM — mostly just simple GET requests, but then…

Traffic coming from port 1337 on the VM to a variety of ports on my machine, each of which sends back a RST packet.

Knock knock!

Conscious of trying to build my bash skills, I decided to script this bit:

for port in 77 101 108 108 111 110 54 57; do nmap -PS --host-timeout 100 --max-retries 0 -p $port 172.16.61.149 && sleep 2; done

Following this, I reran the nmap scan to see what’s changed, aaaaannnddd: nothing. Nada.

Ok, so maybe it wants more than a SYN packet (the -PS flag), so let’s try a full connection attempt:

for port in 77 101 108 108 111 110 54 57; do nc -z -w 1 172.16.61.149 $port; done

Nope.

I knocked and I knocked and I knocked.

And this, as an aside, is why I don’t like hints — they can be meaningless, misinterpreted, missed, or non-existent. And whichever it is, it’s usually somehow my fault.

Eventually, turning to ASCII to see if there was significance in the port numbers I had, I realised that it was spelling out:

Mellon69

Which looks like a user’s password. It also said “mellon” on that stupid picture.
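Reading the port numbers as ASCII is a one-liner, but pulling the sequence out of a busy capture by hand is what took the time here. The following is an added example, not code from the original post: it parses a constructed, tshark-style packet list (the 172.16.61.128 analyst address, the column layout and the second burst are all assumptions), keeps only the bare SYNs the VM sends from source port 1337, splits them into bursts by inter-arrival gap (one burst per page refresh) and decodes each burst as text.

```python
import re

# Constructed capture in the shape of the traffic the post describes: the VM
# (172.16.61.149) sends SYNs from source port 1337 to a run of ports on the
# analyst's machine (172.16.61.128, an assumed address), and each SYN is
# answered with a RST because nothing listens there. Two page refreshes give
# two bursts; an ordinary HTTP handshake is mixed in as noise. Not real data.
CAPTURE = """\
no   time    src            sport  dst            dport  flags
1    0.000   172.16.61.128  52144  172.16.61.149  80     [SYN]
2    0.001   172.16.61.149  80     172.16.61.128  52144  [SYN, ACK]
3    0.210   172.16.61.149  1337   172.16.61.128  77     [SYN]
4    0.211   172.16.61.128  77     172.16.61.149  1337   [RST, ACK]
5    0.310   172.16.61.149  1337   172.16.61.128  101    [SYN]
6    0.311   172.16.61.128  101    172.16.61.149  1337   [RST, ACK]
7    0.410   172.16.61.149  1337   172.16.61.128  108    [SYN]
8    0.510   172.16.61.149  1337   172.16.61.128  108    [SYN]
9    0.610   172.16.61.149  1337   172.16.61.128  111    [SYN]
10   0.710   172.16.61.149  1337   172.16.61.128  110    [SYN]
11   0.810   172.16.61.149  1337   172.16.61.128  54     [SYN]
12   0.910   172.16.61.149  1337   172.16.61.128  57     [SYN]
13   6.200   172.16.61.149  1337   172.16.61.128  77     [SYN]
14   6.300   172.16.61.149  1337   172.16.61.128  101    [SYN]
"""

LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]$"
)


def outbound_syns(capture, src_host, src_port=1337):
    """Return (time, dst_port) for every bare SYN sent from src_host:src_port."""
    events = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # header row or a line in another format
        if (m["src"], int(m["sport"])) != (src_host, src_port):
            continue  # our own requests and the RST replies are not knocks
        flags = {f.strip() for f in m["flags"].split(",")}
        if flags != {"SYN"}:
            continue  # SYN/ACK belongs to a normal handshake
        events.append((float(m["time"]), int(m["dport"])))
    return events


def split_bursts(events, max_gap=1.0):
    """Group consecutive events closer than max_gap seconds into one burst."""
    bursts = []
    for t, port in events:
        if bursts and t - bursts[-1][-1][0] <= max_gap:
            bursts[-1].append((t, port))
        else:
            bursts.append([(t, port)])
    return [[port for _, port in burst] for burst in bursts]


def ports_to_ascii(ports):
    """Read each port number as a printable ASCII code; None if any is not."""
    if not all(32 <= p <= 126 for p in ports):
        return None
    return "".join(chr(p) for p in ports)


def decode_capture(capture, src_host="172.16.61.149"):
    """One decoded string per burst of 1337-sourced SYNs in the capture."""
    return [ports_to_ascii(b) for b in split_bursts(outbound_syns(capture, src_host))]


if __name__ == "__main__":
    print(decode_capture(CAPTURE))  # ['Mellon69', 'Me']
```

The printable-ASCII check is the useful tell: a genuine knock sequence usually has no reason to stay inside 32–126, whereas a message hidden in port numbers always will.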

A reverse image search of the picture showed that it is apparently quite a famous pretend door called “The Doors of Durin”. The translation of the gibberish on it says to “speak, friend, and enter”, and in some other gibberish language “mellon” turns out to mean “friend”.

I tried to SSH onto the box using the name Balrog (the random messages earlier appeared to be afraid of Balrog, so I assume he’s the baddie), and

root@kali:~# ssh Balrog@172.16.61.149
Balrog@172.16.61.149's password:
Last login: Sun Mar 12 22:39:59 2017
WRONG GATE!
Connection to 172.16.61.149 closed.
root@kali:~#

Ok, FTP then, and result! We’re in!

root@kali:~# ftp 172.16.61.149
Connected to 172.16.61.149.
220 Welcome Balrog!
Name (172.16.61.149:root): Balrog
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

A look around showed nothing too interesting on the server — a bunch of folders we had no rights to. Checking the webserver in /var/www shows us:

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0              23 Mar 12 20:38 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r--------    1 48       48             85 Mar 12 19:55 index.php
-r--------    1 48       48         161595 Mar 11 23:12 moria.jpg
drwxr-xr-x    3 0        0              15 Mar 12 04:50 w
226 Directory send OK.
ftp> pwd
257 "/var/www/html"
ftp>

somewhere else to browse to.

Browsing there reveals a table with some “Prisoner Names” and “Passkeys”. The passkeys look like hashes, but none of them reverse using pre-compiled dictionaries.

Looking in the source of the page reveals something interesting:

But here’s where my journey ends, I’m afraid.

My situation is thus:

I have a hash, a salt, and the mechanism through which I use MD5 to arrive at the hash, via the salt, from a password. But I don’t have a password.

Maybe I’m being dense, but I can’t fathom a way of getting from “right to left” in this equation — because it’s a hash!
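The “right to left” framing is exactly what makes a hash feel like a wall, and the point worth pinning down is that nobody goes that way: MD5 is not inverted, it is run forwards over guesses, and a salt only defeats precomputed tables, it does not make each guess any slower. The following is an added example, not the post’s own code or anything recovered from the VM. The combination scheme md5(salt + password) is an assumption (the page’s actual scheme was in a screenshot that is not reproduced in the text), and the prisoner names, salt, passwords and wordlist are all constructed. It runs the scheme forwards over a wordlist to show which of three constructed passkeys fall, and beside it shows the storage format that defends against the same approach: a slow, salted KDF whose record carries its own parameters.

```python
import hashlib
import hmac
import os

# The page says a passkey is derived by MD5 from a password and a salt; the
# exact combination was in a screenshot not reproduced in the text, so
# md5(salt + password) below is an assumption made for illustration.
def salted_md5(password: str, salt: str) -> str:
    return hashlib.md5((salt + password).encode()).hexdigest()


# Constructed "prisoner" table in the spirit of the one the post describes.
# Passkeys are generated here from constructed passwords; nothing comes from
# the VM. One password is deliberately strong and absent from the wordlist.
SALT = "moria-salt"
_CONSTRUCTED_PASSWORDS = {"Balin": "Mellon69", "Oin": "drums", "Ori": "c7!Vx2#pqL9z"}
PRISONERS = {name: salted_md5(pw, SALT) for name, pw in _CONSTRUCTED_PASSWORDS.items()}

WORDLIST = ["password", "123456", "balrog", "drums", "Mellon69", "moria"]


def find_preimage(target_hex, salt, candidates, scheme=salted_md5):
    """Run the scheme forwards over candidates; return the one reproducing target_hex.

    Nothing here inverts MD5. With the salt and the scheme known, each guess
    costs one cheap hash, so any password present in the wordlist is found at
    once, while a password outside it is not found at all (returns None).
    """
    for cand in candidates:
        if hmac.compare_digest(scheme(cand, salt), target_hex):
            return cand
    return None


def audit(prisoners, salt, wordlist):
    """Which stored passkeys correspond to a wordlist password (None if none does)."""
    return {name: find_preimage(h, salt, wordlist) for name, h in prisoners.items()}


# Hardened storage: a deliberately slow, salted KDF. The record format
# "pbkdf2_sha256$iterations$salt_hex$dk_hex" is constructed for this example.
def pbkdf2_record(password, iterations=600_000, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(record, password):
    """Recompute the KDF with the record's own parameters and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(audit(PRISONERS, SALT, WORDLIST))
    # {'Balin': 'Mellon69', 'Oin': 'drums', 'Ori': None}
    rec = pbkdf2_record("Mellon69")
    print(rec.split("$")[0], verify_pbkdf2(rec, "Mellon69"), verify_pbkdf2(rec, "mellon69"))
```

The contrast is the lesson: the weak scheme fails not because MD5 was inverted but because each forward guess is nearly free, and the salt does nothing about that; a KDF with a high iteration count keeps the same forward-only logic but makes every guess expensive, which is why the iteration count is stored in the record and can be raised over time.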

So, there we go. Stuck. For now.

edit: solved it

Father, husband, security architect, Guardian.