Second Boot2Root Moria
Hello Folks!
Link to the box :- https://www.vulnhub.com/entry/moria-11,187/
Rating :- 8/10
Time :- 2-3 hours
Welcome to the second Boot2Root. As always, we started the box and did an arp-scan -l followed by the nmap scan to see any open ports to poke at.
root@localhost:~# arp-scan -l
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1 0c:d2:b5:64:6e:82 Binatone Telecommunication Pvt. Ltd
192.168.1.161 08:00:27:50:fc:90 CADMUS COMPUTER SYSTEMS
root@localhost:~# nmap -sV -O -A 192.168.1.161
Starting Nmap 7.60 ( https://nmap.org ) at 2017-10-09 10:18 IST
Nmap scan report for Moria.lan (192.168.1.161)
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
| 256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
|_ 256 b1:77:7e:08:b3:a0:84:f8:f4:5d:f9:8e:d5:85:b9:34 (EdDSA)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Gates of Moria
MAC Address: 08:00:27:50:FC:90 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms Moria.lan (192.168.1.161)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds
So we found port 80 open; without further delay, let's head into that and see what it's got.
I checked the page source for some info and it came out clean, so nothing there to look at; moving on to the dirb scan.
I visited w/ and found a directory /h; it's all connected up to http://192.168.1.161/w/h/i/s/p/e/r/the_abyss/. Just click the links and it says: Dain: "Is that human deaf? Why is it not listening?" Maybe there's something in the image? Some audio file? Or something hidden in the gate on the main page? After failed stego attempts, I just googled what the main quote on the page said, and after a bunch of googling I found a hint: "Mellon". I tried SSH and nothing came up, then I tried FTP with Anonymous and Mellon, but it said "Welcome Balrog", so I tried "Balrog:Mellon". Once I was inside the FTP I went to cd /var/www/html and found this: "QlVraKW4fblkXau9zkAPNGzviT3UKntl". Let's visit the page and see what we get.
So this looked like some hashes, and I did an Inspect Element right away to see if there was something more I could use. To my surprise, this habit paid off with MD5 salts this time.
So now we have username, password and salt. After a little bit of googling I found I can use this as
The correct format is User:Hash$Salt, and it's dynamic_6 we are supposed to use; I found this after a while on Google. After executing this with the john commands I came up with this :-
root@localhost:~# john -format=dynamic_6 moria
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
rainbow (Oin)
flower (Balin)
fuckoff (Maeglin)
spanky (Ori)
abcdef (Dain)
warrior (Nain)
magic (Telchar)
darkness (Thrain)
hunter2 (Fundin)
9g 0:00:00:00 DONE 2/3 (2017-10-09 11:43) 15.51g/s 62700p/s 88768c/s 88768C/s PHOENIX..spider2
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@localhost:~#
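The User:Hash$Salt layout and the md5(md5($p).$s) construction that John reports as dynamic_6 above, shown next to a slow salted KDF as the storage a defender would move to. This is an added example, not code from the original post or from the box; the function names and the sample user, password and salt are constructed for illustration.

```python
import hashlib
import hmac
import os

HEX = set("0123456789abcdefABCDEF")

def dynamic_6(password: str, salt: str) -> str:
    """md5(md5($p).$s): the inner MD5 is used as 32 lowercase hex characters."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def john_line(user: str, digest: str, salt: str) -> str:
    """Build one input line in the User:Hash$Salt layout."""
    return f"{user}:{digest}${salt}"

def parse_john_line(line: str) -> tuple:
    """Split User:Hash$Salt; a hex digest never contains '$', so split once."""
    user, colon, rest = line.strip().partition(":")
    digest, dollar, salt = rest.partition("$")
    if not (colon and dollar) or len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError("expected User:Hash$Salt with a 32-character MD5")
    return user, digest.lower(), salt

def verify_dynamic_6(line: str, candidate: str) -> bool:
    """One guess costs two MD5 calls, which is why a wordlist run is instant."""
    _, digest, salt = parse_john_line(line)
    return hmac.compare_digest(dynamic_6(candidate, salt), digest)

def harden(password: str, iterations: int = 600_000) -> str:
    """Replacement storage: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_hardened(record: str, candidate: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed sample values, not the box's real accounts, hashes or salts.
SAMPLE_LINE = john_line("demo_user", dynamic_6("correct horse", "8f3a1c"), "8f3a1c")

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(verify_dynamic_6(SAMPLE_LINE, "correct horse"))
    print(verify_hardened(harden("correct horse"), "correct horse"))
```

Exposing the salts in the page markup removes the only unknown besides the password, so each guess costs two MD5 calls; the PBKDF2 record makes each guess cost the full iteration count instead.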
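So now we have a username and password to try, so let's get at it: Ori:Spanky let us SSH on the box and BOOM, we are in.
So it basically tells you that Moria is connecting back to the localhost, but what for? Let's find out...
The moment we connect back to localhost we see we are logged in as root; we popped the box and got the final flag!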
Thanks to Abatchy for this awesome box!
Thank You!
amazing