
TWH-Moria | VulnHub Writeup – By Kyle Barnes

Our first write-up, how exciting. This machine was given to me as a challenge from a friend, so let’s get right into it. Note: This walkthrough was written after I rooted Moria, not during.

The first step for pretty much any challenge I’ve been presented with is to kick off an Nmap scan and look for j00cy services. The results of the scan showed there was a web server running on port 80, as well as FTP and SSH services running on ports 21 & 22 respectively.

Navigating to the web server with Firefox, we’re presented with the Gates of Moria. I am not a LOTR fan (Sorry?) so I was already worried that my lack of lore knowledge was going to fuck me over. Thankfully, it did not.

With nothing of use on the page other than an image, and nada in the source, I fired up dirb and started enumerating.

With just the common wordlist, dirb found an index.php page (duh), as well as /cgi-bin/ (maybe some shellshocking involved?) and /w/. Navigating to /w/ led me down a long chain of directories — to w/h/i/s/p/e/r/the_abyss/.

On the page at the end of this chain was some text — Telchar to Thrain: “That human is slow, don’t give up yet” — Huh? After refreshing the page, I was presented with some new text — Nain: “Will the human get the message?”.

After some head-scratching and a few more refreshes, I was thrown a bone. A message I hadn’t seen before — “Knock knock”. Oh yay, my favourite. Port knocking! .___.

The narrative of the text told me the machine was knocking on my ports, not that I needed to knock on its own. Over to Wireshark…

Using Wireshark to capture the traffic (a whole bunch of page refreshes later), I was finally given some information.

Okay, so — the machine knocks from port 1337 to a series of different ports on my Kali box. I wonder what those port numbers could mean…
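The decoding step the post glosses over, as an added Python example that is not part of the original writeup: it filters a constructed tcpdump-style summary (made-up addresses, not a real capture from Moria) for packets sent from source port 1337 and reads the destination ports, in arrival order, as ASCII character codes, which is the interpretation the post implies.

```python
import re

# Constructed sample of knock traffic in tcpdump summary format (not a real capture).
# Each line: <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...
# The last line is ordinary web traffic and must be ignored by the filter.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 192.168.56.101.1337 > 192.168.56.102.77: Flags [S], seq 1, length 0
12:00:01.000200 IP 192.168.56.101.1337 > 192.168.56.102.101: Flags [S], seq 1, length 0
12:00:01.000300 IP 192.168.56.101.1337 > 192.168.56.102.108: Flags [S], seq 1, length 0
12:00:01.000400 IP 192.168.56.101.1337 > 192.168.56.102.108: Flags [S], seq 1, length 0
12:00:01.000500 IP 192.168.56.101.1337 > 192.168.56.102.111: Flags [S], seq 1, length 0
12:00:01.000600 IP 192.168.56.101.1337 > 192.168.56.102.110: Flags [S], seq 1, length 0
12:00:01.000700 IP 192.168.56.101.1337 > 192.168.56.102.54: Flags [S], seq 1, length 0
12:00:01.000800 IP 192.168.56.101.1337 > 192.168.56.102.57: Flags [S], seq 1, length 0
12:00:02.000000 IP 192.168.56.101.51234 > 192.168.56.102.80: Flags [S], seq 2, length 0
"""

# tcpdump prints "a.b.c.d.port"; the greedy address group backtracks to leave the port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def extract_knocks(capture, knock_sport=1337):
    """Return destination ports of packets sent from knock_sport, in capture order."""
    ports = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("sport")) == knock_sport:
            ports.append(int(m.group("dport")))
    return ports


def decode_ports_as_ascii(ports):
    """Interpret each port number as a printable ASCII code; reject anything else."""
    for p in ports:
        if not 32 <= p <= 126:
            raise ValueError(f"port {p} is not a printable ASCII code")
    return "".join(chr(p) for p in ports)


def decode_capture(capture, knock_sport=1337):
    """Full pipeline: filter the knock packets, then decode their ports to text."""
    return decode_ports_as_ascii(extract_knocks(capture, knock_sport))


if __name__ == "__main__":
    print(decode_capture(SAMPLE_CAPTURE))
```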

Success! I think. What can we use Mellon69 for? Revisiting what services were running, I tried SSH first but to no avail. FTP it is.

Balrog was given as a username when we tried to connect, and Mellon69 let us in! We start off in an empty directory called /prison which scared me silly, thinking I’d have to break out of a restricted shell while using an FTP client. I did not. Changing directory to /, I began digging around. After looking in /var/www/html, I found a page which looked like a hash. Copying and pasting it to the end of the URL was the right move, and provided me with prisoner names and passkeys!

I feel like some LOTR knowledge might’ve helped me here since there was no Gandalf or Frodo — but I pushed on to crack the hashes. After checking the page source, I found some nice salts for each hash commented out at the bottom. I appended them to the hashes, stuck them in a file and let hashcat do its thing. However, hashcat was being an asshole. I used John the Ripper instead.

Now! Time for SSH. After a whole lot of trial and error (really, about 20 minutes’ worth of bashing my head against my desk) I tried capitalizing the first letter of the user, and was let in using Ori:spanky. We’re presented with poem.txt.

I then used scripts like LinuxPrivChecker and LinEnum and did a lot of looking around. I kinda hit a brick wall here, so decided to look at other priv-esc blogs and the like. I always default back to g0tm1lk’s Privilege Escalation blog as it hasn’t failed me yet — and this machine was no different.

I should note that this was not a 10 minute process, I was trying different methods for about 2 hours before finding a clue.

Working my way through the blog mentioned above, I got to the private-key information section and promptly punched myself in the face. I found the id_rsa key for Ori and tried to SSH with it, however I was still asked for a password. This didn’t sit well with me. I thought maybe I had to change user to abatchy, the machine’s creator, and look for something else to escalate privileges — but it was far simpler.

Despite a concussion or two, this machine was great to take a crack at, and it was a nice reminder that the correct answer is not always the most complicated.

Thanks for reading my first write-up! I hope you enjoyed it. I should also reiterate that these screenshots were taken after I had rooted the box, and I repeated the process for the purpose of this walkthrough. Massive thanks to abatchy for this really fun VM!

You can find me on Twitter at xBBSec or @_KyleBarnes, or as remedy on HackTheBox and lurking on the NetSecFocus slack.
