Hack the Moria: 1.1 (CTF Challenge)

Today I found a Vulnerable Lab based on the world of Lords of The Rings. So get on your Gandalf mode to solve this fun Vulnerable Lab Moria 1.2., we are going to download the VM Machine from here.

The credit for developing this VM machine is goes to Abatchy. It is a Boot2Root Lab.

Note: According to author you don’t need LOTR knowledge to hack this VM, but trust me, you need it.

Let’s Breach!!!

As always, Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.125 but you will have to find your own)

netdiscover

Use nmap command for port enumeration

nmap -sV 192.168.1.125

As you can see port 21 for ftp, port 22 for ssh and port 80 for http are open, so let’s explore port 80 through Browser.

 After Browsing I found this Image with label Gates of Moria. I decided to do a bit research on the text written in given below the image. After searching through some wiki pages, I found its translation “Say Friend and Enter” where Mellon means Friend.

So Friend or Mellon must be a password. Keeping that in mind let’s move forward. Here I decided to scan the target directory using dirb scan. Now open the terminal in Kali Linux and type the following command:

dirb http://192.168.1.125/

From scanning result I choose the highlighted directory for further enumeration.

http://192.168.1.125/w/

So I opened this directory in the Browser and found another directory inside it i.e h/

On opening it I got another directory and so on until it completes path /w/h/i/s/p/e/r. Here we find the last directory named the_abyss/ .

On opening the_abyss, I got some text as shown in image. Fundin:”That human will never save us!”

Tried to look at source code but nothing then again try to refresh the page and then found this above given text get changed into another the text, again refresh the page again text change into “Knock Knock”.

Firstly seemed weird but then I refreshed again and it changed again hence text were changing randomly when I refresh the web page.

So I decided to do a dirb scan but it gave no result, so I did an extension dirb scan as shown.

dirb http://192.168.1.125/w/h/i/s/p/e/r/the_abyss/ -X .txt .img .html

This dirb scanner scans for a particular extenstion which is specified like .txt or .img etc.

Aha! Found a file named random.txt.

So I opened it through the browser and found all the text that was coming on refreshing page in a single webpage as shown.

This text contains a lot of names like Balin, Oin, Ori, Fundin, Nain, Eru, Balrog, I noted them because they might be usernames or passwords.

Now I tried to connect with ftp port.

ftp 192.168.1.125

It greeted with Welcome Balrog

And I knew it must be the username because it was in the random.txt too but for password, I had tried multiple names which I found previously and then I remembered the text form the image, “Say friend and enter”. I entered Friend but login failed then tried with Mellow and got login successfully.

Therefore for FTP Login give following credential:

Username: Balrog

Password: Mellow

NOTE: - If you get an error, restart VM and also try multiple times with the above username and password.

After login, I tried pwd command and got the path to be /prision. I looked around it in hope of a flag but didn’t found any hint for flag. Then I found var folder and move inside inside.

Then I got to /var/www/html here I found this folder QlVraKW4fbIkXau9zkAPNGzviT3UKntl

When opened it in browser I found a table having two columns for Prisoner’s name and Passkey as shown in given image.

As always, I searched the source code for some hint. From View Source page I found the “salt” which can be used to decrypt the MD5 Password.

After trying different kinds of formats to decrypt above MD5 password I created a file with name and passkey and salt in this format 

Prisoner’s Name:Passkey$Salt

Name it whatever you want (Here I named it passwords and saved it on my kali Desktop).

Now we will run John The Ripper, Dynamic -6 on this file to decrypt it. By using this command in my kali terminal

john–form=dynamic_6 /root/Desktop/lol

These look like login credentials.

After trying all user credentials decrypted to login in ssh, I got success with

SSH Login

Username :Ori

Password :spanky

Now login into ssh using above credential

ssh Ori@192.168.1.125

Here we got the bash shell. Now I tried multiple commands in search of a flag in ls-al, I found a poem.txt file, which contains a poem. But it didn’t find any flag inside it.

Then I looked into.ssh/ directory And found know_hosts file, and id_rsa file which contained the private key and then open these file one by one,

Cat id_rsa

Copy the entire text found inside id_rsa in a text file and save as id_rsa.

Now open another file known_host with cat command, here you will find host is “127.0.0.1”, let use these information for ssh login for root user.

Ssh -i id_rsa root@127.0.0.1

I got the ROOT.

But let’s finish it properly.  So I tried ls -la scan to get a flag. And I found a flag.txt inside flag.txt I got the Final Message “All that is gold does not glitter”.

It was an adventurous and learning experience and I would like to thank Abatchy for creating such a fun VM Lab