Boot2Root: @abatchy’s Moria challenge

I stumbled across a post on Reddit about a new Boot2Root. I decided to give it a go (about a day later than everyone else 😛) as I had never really attempted such a challenge before. What follows is my write-up:

Initial Discovery

Upon downloading the image, I had to identify the machine in some manner as the developer noted the machine was configured to pull an IP address via DHCP. Nmap very quickly disclosed the machine was running at x.x.x.138, with the following open:

    Not shown: 65529 closed ports
    PORT    STATE    SERVICE
    20/tcp  filtered ftp-data
    21/tcp  filtered ftp
    22/tcp  open     ssh
    80/tcp  open     http
    989/tcp filtered ftps-data
    990/tcp filtered ftps
    MAC Address: 08:00:27:76:8A:B3 (Oracle VirtualBox virtual NIC)

HTTP

So with the choice of FTP, SSH, and HTTP, I gave HTTP a go. Browsing to the web root, the following is shown:

If you are up to speed on your Lord of the Rings trivia, this is the Gate of Moria. I was not, so a simple Google search revealed such, and then my foggy brain remembered Gandalf uttering some password for the gate to open in the series. Cue another Google search and the word “Mellon”, Elvish for “friend”, was spoken. Now what to do with this data?

Digging around, and using a nifty web directory discovery NSE script, I found an interesting folder with the directory listing enabled labeled “w”… then “h”… “i”… “s”, “p”, “e”, “r”, and finally, “the_abyss”.

    nmap --script http-enum.nse [host]
    ...
    80/tcp open  http
    | http-enum:
    |   /w/: Potentially interesting folder w/ directory listing
    |_  /icons/: Potentially interesting folder w/ directory listing

Quotes from, I believe, the LoTR books would print out on the screen, but nothing else was of use to me, yet. (I would later discover that if I kept refreshing, some of the potential guesses for usernames later on would be disclosed, more on that later.)

FTP

I did not think I knew any users, and hydra killed the FTP and SSH service, so I assumed I’d have to rely on data given. The source of the web root provided nothing, nor did the names inscribed on the picture of the gate, nor did the red herring of /w/h/i/s/p/e/r/the_abyss. So I turned my sights on FTP. Anonymous login, perhaps?

Upon connecting to the FTP service, I was presented with an odd welcome banner, “220 Welcome Balrog!”. Maybe that’s the username I needed? Coupling “Balrog” with “Mellon” allowed access into the FTP site.

    220 Welcome Balrog!
    Name (X.X.X.138:root): Balrog
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp>

But the directory I was in was empty except for a .bash_history I could not access nor read. The working directory was “/prison”. Maybe I could view other directories? Shortly after, I discovered I could view the root and numerous subdirectories.

    ftp> pwd
    257 "/prison"
    ftp> ls /
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    lrwxrwxrwx    1 0    0          7 Mar 11 21:34 bin -> usr/bin
    dr-xr-xr-x    4 0    0       4096 Mar 11 21:59 boot
    drwxr-xr-x   19 0    0       2960 Mar 21 19:30 dev
    drwxr-xr-x   97 0    0       8192 Mar 21 19:30 etc
    drwxr-x---    4 0    1003      32 Mar 14 04:36 home
    ...
    drwxr-x---    2 0    1001      27 Mar 14 03:59 prison
    ...
    drwxrwxrwt   12 0    0       4096 Mar 22 16:34 tmp
    drwxr-xr-x   13 0    0        155 Mar 11 21:34 usr
    drwxr-xr-x   21 0    0       4096 Mar 21 19:30 var
    226 Directory send OK.
    ftp>

After much digging, I finally decided to try and revisit /var/www/html, just in case there was a hidden directory, file, or the like in the web root. Sure enough, a directory named with a long random string of chars appeared in the web root. Browsing to such provided a table of hashes and users.

    ftp> cd /var/www/html
    250 Directory successfully changed.
    ftp> ls -al
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    4 0    0         89 Mar 14 03:48 .
    drwxr-xr-x    4 0    0         33 Nov 14 18:05 ..
    drwxr-xr-x    2 0    0         23 Mar 12 20:38 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
    -r--------    1 48   48        85 Mar 12 19:55 index.php
    -r--------    1 48   48    161595 Mar 11 23:12 moria.jpg
    drwxr-xr-x    3 0    0         15 Mar 12 04:50 w
    226 Directory send OK.
    ftp>

Viewing the source, I saw a commented out collection of 6 char hashes and a note of the hash algorithm used on the hashes in the table.

Hash cracking

And here is where I spent too much of my time. Unknown to me at the time, had I merely used john-the-ripper with format dynamic_6 and the hash in the format of “username:hash$salt”, I would have easily found the passwords from the hashes. But I didn’t, so… after attempting to get hashcat or john to work with the hash format I had (username:$salt$hash), I gave up and decided I would write my own md5 “cracker”. So using something similar to the Python below (and on my GitHub), eventually I cracked the hashes and was provided numerous potential logins.

    #!/usr/bin/env python3
    import hashlib
    import sys

    if len(sys.argv) < 3:
        print("\nUsage:\n# " + sys.argv[0] + " [hashfile] [wordlist]\n")
        sys.exit(1)

    lines = []
    words = []

    # Hash file: one entry per line, in the form username:$salt$hash
    with open(sys.argv[1]) as file:
        for line in file:
            line = line.strip()  # or some other preprocessing
            if line:
                lines.append(line)

    # Wordlists are often not valid UTF-8, so read them as latin-1
    with open(sys.argv[2], encoding="latin-1") as file:
        for line in file:
            words.append(line.strip())

    for l in lines:
        x = l.split("$")
        passX = x[2]
        salt = x[1]
        user = x[0].split(":")[0]
        for f in words:
            # Scheme: md5(md5(password) + salt), compared as lowercase hex
            xray = hashlib.md5(f.encode("latin-1")).hexdigest()
            cmp = hashlib.md5((xray + salt).encode("latin-1")).hexdigest()
            if cmp == passX:
                print("[+] FOUND: " + user + " " + f + " " + cmp)
                break
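The reason a wordlist falls through these hashes so quickly is that md5(md5(password) + salt) costs almost nothing per guess. The following is an added example, not code from the challenge or from the original write-up: it shows how the owner of such a table could retire the scheme without knowing any password, by wrapping each stored hash in scrypt and then dropping the MD5 layer at the next successful login. The record layout, function names, sample record and scrypt parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def legacy_hash(password: str, salt: str) -> str:
    """The scheme from the write-up: md5(md5(password) + salt), as hex."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def _scrypt(data: bytes, salt: bytes) -> bytes:
    # Memory-hard KDF; n/r/p are assumed example parameters (about 16 MiB per guess).
    return hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=32)


def wrap_legacy(record: dict) -> dict:
    """Upgrade a stored legacy hash in place, without knowing the password."""
    new_salt = os.urandom(16)
    return {"user": record["user"], "scheme": "scrypt(legacy)",
            "legacy_salt": record["salt"], "salt": new_salt,
            "hash": _scrypt(record["hash"].encode(), new_salt)}


def verify(record: dict, password: str) -> bool:
    """Check a login attempt against a wrapped record in constant time."""
    candidate = legacy_hash(password, record["legacy_salt"])
    expected = _scrypt(candidate.encode(), record["salt"])
    return hmac.compare_digest(expected, record["hash"])


def rehash_on_login(record: dict, password: str) -> dict:
    """After a successful login, store scrypt(password) and drop the MD5 layer."""
    if not verify(record, password):
        raise ValueError("bad credentials")
    salt = os.urandom(16)
    return {"user": record["user"], "scheme": "scrypt", "salt": salt,
            "hash": _scrypt(password.encode(), salt)}


# Constructed sample record (hypothetical user, not taken from the challenge)
SAMPLE = {"user": "demo", "salt": "a1b2c3",
          "hash": legacy_hash("correct horse", "a1b2c3")}

if __name__ == "__main__":
    wrapped = wrap_legacy(SAMPLE)
    print(wrapped["scheme"], verify(wrapped, "correct horse"), verify(wrapped, "guess"))
```

Wrapping only protects the table as stored from that point on; copies of the old table remain as weak as before, so exposed accounts still need a password reset.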

SSH

SSH, the final frontier. Now, I just had to cycle through until I found a set of credentials that worked. Eventually Ori:spanky led to a successful login. Once here, I spent about 15-20 minutes poking around, using unix-privesc-check, and other probing before I revisited the ls -al I ran upon first logging in.

I noticed the .ssh directory, and thought maybe there was a stored ssh key for another user. Upon printing out known_hosts, I figured I should give ssh root@127.0.0.1…

Success! And thus, flag.txt states:

Overall, this was a great challenge! Thanks to @abatchy!