Second Boot2Root Moria

Hello Folks!
Link to the box :- https://www.vulnhub.com/entry/moria-11,187/
Rating :- 8/10
Time :- 2-3 hours

Welcome to the second Boot2Root. As always, we started the box and ran arp-scan -l followed by an nmap scan to see which open ports we could poke at.
root@localhost:~# arp-scan -l
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 0c:d2:b5:64:6e:82 Binatone Telecommunication Pvt. Ltd
192.168.1.161 08:00:27:50:fc:90 CADMUS COMPUTER SYSTEMS
root@localhost:~# nmap -sV -O -A 192.168.1.161
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-09 10:18 IST
Nmap scan report for Moria.lan (192.168.1.161)
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
| 256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
|_ 256 b1:77:7e:08:b3:a0:84:f8:f4:5d:f9:8e:d5:85:b9:34 (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Gates of Moria
MAC Address: 08:00:27:50:FC:90 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms Moria.lan (192.168.1.161)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds
So we found port 80 open; without further delay, let's head over there and see what it has.
I checked the page source for info and it came out clean, so there was nothing to look at there. Moving on to the dirb scan.

I visited /w/ and found a directory /h; it is all connected, down to http://192.168.1.161/w/h/i/s/p/e/r/the_abyss/. Just click through the links and the page says: Dain: "Is that human deaf? Why is it not listening?" Maybe there's something in the image? Some audio file? Or something hidden in the gate on the main page? After failed steganography attempts I just googled the main quote on the page, and after a bunch of googling I found a hint: "Mellon". I tried SSH and nothing came up, then I tried FTP with Anonymous and Mellon, but it said "Welcome Balrog", so I tried "Balrog:Mellon". Once inside the FTP I did cd /var/www/html and found this: "QlVraKW4fblkXau9zkAPNGzviT3UKntl". Let's visit the page and see what we get.
This looked like some hashes, so I did an Inspect Element right away to see if there was something more I could use. To my surprise the habit paid off, this time with MD5 salts.


So now we have a username, password and salt. After a little bit of googling I found I can use this as

The correct format is User:Hash$Salt, and dynamic_6 is the John format we are supposed to use; I found this after a while on Google. After running it through john, I came up with this:

root@localhost:~# john -format=dynamic_6 moria
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
rainbow (Oin)
flower (Balin)
fuckoff (Maeglin)
spanky (Ori)
abcdef (Dain)
warrior (Nain)
magic (Telchar)
darkness (Thrain)
hunter2 (Fundin)
9g 0:00:00:00 DONE 2/3 (2017-10-09 11:43) 15.51g/s 62700p/s 88768c/s 88768C/s PHOENIX..spider2
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@localhost:~#
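The User:Hash$Salt layout and the dynamic_6 construction md5(md5($p).$s) used above, as an added Python example that is not part of the original post. The user name, password and salt are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

def dynamic_6(password: str, salt: str) -> str:
    """md5(md5($p).$s): the inner digest is lowercase hex text, salt appended."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def john_line(user: str, digest: str, salt: str) -> str:
    """Build one input line in the User:Hash$Salt layout."""
    return f"{user}:{digest}${salt}"

def parse_john_line(line: str):
    """Split User:Hash$Salt; only the first ':' and first '$' are separators."""
    user, rest = line.strip().split(":", 1)   # ValueError if ':' is missing
    digest, salt = rest.split("$", 1)         # salt itself may contain '$'
    if not re.fullmatch(r"[0-9a-fA-F]{32}", digest):
        raise ValueError("hash field is not a 32-character MD5 hex digest")
    return user, digest.lower(), salt

def verify(line: str, candidate: str) -> bool:
    """Check one candidate password against a stored line."""
    _, digest, salt = parse_john_line(line)
    return hmac.compare_digest(dynamic_6(candidate, salt), digest)

# Constructed sample record (not a value from the box).
SAMPLE_LINE = john_line("demo_user", dynamic_6("example-pass", "Ab3xY9"), "Ab3xY9")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(verify(SAMPLE_LINE, "example-pass"))  # True
    print(verify(SAMPLE_LINE, "wrong-guess"))   # False
```

Each guess costs only two MD5 calls, which is why the john run above finishes all nine hashes in under a second; the salt prevents precomputed tables but does nothing to slow guessing.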
So now we have usernames and passwords to try. Let's get at it: Ori:spanky let us SSH onto the box and BOOM, we are in.
So it basically tells you that Moria is connecting back to the localhost, but what for? Let's find out...
The moment we connect back to localhost we see we are logged in as root; we have popped the box and got the final flag!
Thanks to Abatchy for this awesome box!

Thank You!
