Moria: 1 Vulnhub’s VM Walkthrough

Page

Been awhile since I’ve updated my wordpress. Life is so busy with work and my part-time studies. Yucks.

This VM image can be downloaded from:
https://www.vulnhub.com/entry/moria-1,187/

This VM is more of a “CTF” kind of VM instead of a practical realistic VM.

I was stuck on a certain part and ended up Googling for some hints and found someone’s writeup. The reference will be provided.

Lets go!

Starting off with the usual enumeration scans.
netdiscover to discover the VM IP address and a nmap scan to discover the open ports.

enum1

The vsftpd running has some banner information which reveal a possible username “Balrog”. The SSH running does not contain any useful information.

I decided to let my ftp brute-force to run while looking at the web application.

enum2-1

Next nikto and dirb was used. It seems like this is just a “troll” web application and is not the valid attack vector.

It appears that the “index.php”(possibly) on the discovered /the_abyss/ directory will output random sentences while browsing to the page.

I compiled a list a possible usernames based on the random output sentence.

enum5

I tried to brute force against the FTP and SSH service with the compiled list but to no avail.

I decided to fireup tcpdump and check if there is any incoming connections and

enum6

At this part I thought of port knocking since the incoming connections from our target obviously shows port 77, 101, 108, 108, 111 and 110 in sequence, but to no avail again.

I decided to Google and found this writeup which completes the VM. I only took reference from the part where I was stuck.

http://blog.c0la.org/2017/03/24/moria-vulnhub-writeupwalkthrough/

This is the reason why I mentioned that this VM is more of a “CTF” style than a realistic challenge.

So basically the ports when converted to ascii from decimal gives Mellon. Wtf?

Logging in the FTP service with the username “Balrog” and password “Mellon” gives us a free browsing on the target file system.

enum7

I decided to look at /var/www/html where most of the web root directory is to figure out what was missing from my enumeration.

enum8

It seems that this page contains the username and password hashes of the users.
The method of hashing and the salt value can be obtained from “view page source”.

enum9

Compile the information gathered into a text file.

enum10

John the Ripper (JTR) was used next to crack the password. Since the method of hashing was provided it was quite simple to find the correct command syntax when using john.

enum11

The passwords of all the users was cracked within seconds.

enum12

The credentials obtain were used on the FTP and SSH service on our target. After trying the first few credentials a low privileged shell was achieved.

enum13

Post-enumeration for privilege escalate as follows…

enum14

Checking for possible sudo privilege and checking the kernel version of our target…

enum15

Looking at services that are listening locally…

enum16

After trying a few publicly known exploits against our target and to no avail I decided to refer to the g0tm1lk’s privilege escalation guide. (The VM does not have GCC installed)

This was the part that proved the saying “Old is Gold” 😀

enum18

Does this private key really belongs to the user “Ori”?

enum19

The moment it prompted me for a password proves that the private key that was lying in Ori’s directory does not belongs to him.. interesting. #

enum20

That’s it!

enum21

Stay safe people!
~9emin1

 

Advertisements