nmap -Pn -sV 192.168.88.44 -p-
I ran an nmap scan in order to find open ports. As a result of the scan I found three different services: FTP, SSH and HTTP.
Port 21: FTP
When I start digging into a service, I search for public exploits for the service version. Here I did it again, but I couldn't find any known exploits. After that, I made my general checks for the FTP service. First, I checked for anonymous login and tried brute force with my little wordlist. But nothing showed up.
After these steps, I connected to the FTP port and saw this banner. Since Balrog is an interesting word, I added it to my wordlist.
220 Welcome Balrog!
Port 22: SSH
I checked known exploits for the SSH service and tried brute force, but they didn't work either.
Port 80: HTTP
When I visited the HTTP service, I saw this picture, and I realised I had found my entry point.
When I face an image, I first focus on steganography and start digging into the image file with exiftool, binwalk and steghide. I tried these tools, but the result was failure again.
After that, I focused on the content of the image. The image shows the Moria gate, which is the Dwarven city in the Lord of the Rings movie, and there is a riddle for opening the gate.
I found this part of the movie. In the movie, Frodo found the answer to the riddle. The answer was Mellon, which means Friend in Elvish. I added this and other relevant words (Frodo, Gandalf etc.) to my wordlist. After that, I tried brute force again and failed.
I also used Nikto and Dirbuster for further recon. After all these failures, there was a clue.
When I visited the page, a random message was shown. I collected all the unique words in the messages with the following script and added all of them to my wordlist. I tried brute force again but ....!
root@frkn:~# GET http://192.168.88.44/w/h/i/s/p/e/r/the_abyss/
Balin: "Be quiet, the Balrog will hear you!"
url="http://192.168.88.44/w/h/i/s/p/e/r/the_abyss/"
for i in $(seq 1 100); do GET $url; done > temp
grep -o -E '\w+' temp | sort -u -f
For the sake of practising, I wrote these Python scripts for extracting words from a given input and generating an expanded wordlist. They are capable of taking input from stdin or from a normal file.
url="http://192.168.88.44/w/h/i/s/p/e/r/the_abyss/"
for i in $(seq 1 100); do GET $url; done | ./words.py | ./generate.py
words.py: It extracts unique words and discards stopwords like a, the etc.
generate.py: It turns the first character of each word into a capital letter for generating better wordlists. But it must be developed further with new functions.
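The two scripts described above are not shown on the page, so here is an added example (my own code, not the author's words.py or generate.py) that does what the descriptions say in one file: it extracts unique alphabetic words from text, drops a small constructed stopword list (the page only mentions "a, the etc."), and expands each word into its as-seen, lowercase and Capitalised forms. The sample input is constructed from the banner and page message quoted above; when run as a script it reads stdin if something is piped in.

```python
import re
import sys

# Constructed stopword list for this example; the original words.py's list is
# not on the page, which only mentions "a, the etc.".
STOPWORDS = {
    "a", "an", "and", "the", "be", "is", "it", "of", "to",
    "will", "you", "in", "on", "so", "or", "at", "by", "for",
}

# Alphabetic runs only: numbers such as the "220" FTP code are not words.
WORD_RE = re.compile(r"[A-Za-z]+")


def extract_words(text):
    """words.py step: unique alphabetic words (compared case-insensitively),
    stopwords dropped, kept in first-seen order so the output is deterministic."""
    seen = set()
    words = []
    for word in WORD_RE.findall(text):
        key = word.lower()
        if key in STOPWORDS or key in seen:
            continue
        seen.add(key)
        words.append(word)
    return words


def expand_words(words):
    """generate.py step: emit each word as seen, lowercased and Capitalised,
    skipping variants that are already in the list."""
    seen = set()
    expanded = []
    for word in words:
        for variant in (word, word.lower(), word.capitalize()):
            if variant not in seen:
                seen.add(variant)
                expanded.append(variant)
    return expanded


def build_wordlist(text):
    """Full pipeline: words.py followed by generate.py."""
    return expand_words(extract_words(text))


# Constructed sample input modelled on the banner and page message quoted above.
SAMPLE_TEXT = 'Balin: "Be quiet, the Balrog will hear you!"\n220 Welcome Balrog!\n'


if __name__ == "__main__":
    data = SAMPLE_TEXT if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(build_wordlist(data)))
```

The first-seen ordering and the case-insensitive duplicate check are what keep the list short: the second "Balrog" and the capitalised stopword "Be" are both dropped before expansion.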
Enumeration is the key!
After all these failed attempts, I went back and started again. And I noticed the meaning of the random messages. Maybe port knocking would be useful.
I started an nmap scan for all ports and listened to the traffic between Moria and my Kali with Wireshark. Normally, closed ports send RST-ACK packets in reply to SYN packets. But there were SYN packets in the traffic which did not belong to our open ports. I filtered these packets as below, and there was another trace to follow.
ip.src == 192.168.88.44 and not (tcp.flags.reset == 1 and tcp.flags.ack == 1) and tcp
tcpdump -r moria.pcap -n 'tcp and src 192.168.88.44 and not (tcp[tcpflags] & tcp-rst != 0 and tcp[tcpflags] & tcp-ack != 0)'
Port 1337 was sending SYN packets to ports 77, 101, 108, 108, 111, 110, 54, 57 in an ordered way. I tried port knocking with this sequence but failed again.
I played a lot with these numbers. Finally I looked at the ASCII characters, and yes, I eventually found the key: Mellon69
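As an added example (not part of the original post), the following Python does the same filtering and decoding the Wireshark and tcpdump filters above do, but over tcpdump-style text lines: it keeps only bare SYN segments sent by the target host (a server that merely answers a scan sends SYN-ACK or RST-ACK, never a bare SYN), collects the destination ports in order, and interprets them as ASCII. The packet lines are constructed to model the traffic described above; the Kali address 192.168.88.10 is an assumption. From a monitoring point of view the same check flags any host that starts emitting unsolicited SYN bursts from a fixed source port.

```python
import re

# Constructed tcpdump-style lines modelled on the traffic described above:
# Moria (192.168.88.44) sends SYNs from port 1337 to a sequence of ports, while
# ordinary scan traffic from Kali (192.168.88.10, assumed) and replies are mixed in.
SAMPLE_TCPDUMP = """\
12:00:00.000001 IP 192.168.88.10.45000 > 192.168.88.44.23: Flags [S], seq 1, win 1024, length 0
12:00:00.000002 IP 192.168.88.44.23 > 192.168.88.10.45000: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:00.000003 IP 192.168.88.44.1337 > 192.168.88.10.77: Flags [S], seq 1, win 512, length 0
12:00:00.000004 IP 192.168.88.44.1337 > 192.168.88.10.101: Flags [S], seq 1, win 512, length 0
12:00:00.000005 IP 192.168.88.44.1337 > 192.168.88.10.108: Flags [S], seq 1, win 512, length 0
12:00:00.000006 IP 192.168.88.44.1337 > 192.168.88.10.108: Flags [S], seq 1, win 512, length 0
12:00:00.000007 IP 192.168.88.44.1337 > 192.168.88.10.111: Flags [S], seq 1, win 512, length 0
12:00:00.000008 IP 192.168.88.10.45001 > 192.168.88.44.80: Flags [S], seq 1, win 1024, length 0
12:00:00.000009 IP 192.168.88.44.80 > 192.168.88.10.45001: Flags [S.], seq 7, ack 2, win 29200, length 0
12:00:00.000010 IP 192.168.88.44.1337 > 192.168.88.10.110: Flags [S], seq 1, win 512, length 0
12:00:00.000011 IP 192.168.88.44.1337 > 192.168.88.10.54: Flags [S], seq 1, win 512, length 0
12:00:00.000012 IP 192.168.88.44.1337 > 192.168.88.10.57: Flags [S], seq 1, win 512, length 0
"""

# tcpdump prints "IP src.sport > dst.dport: Flags [..]"; capture the four fields.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def unsolicited_syns(text, host):
    """Return (sport, dport) for every SYN-only segment sent by `host`.
    Replies to a scan are [S.] (SYN-ACK) or [R.] (RST-ACK); a bare [S] from
    the host is outbound traffic the scan did not provoke."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("src") == host and m.group("flags") == "S":
            found.append((int(m.group("sport")), int(m.group("dport"))))
    return found


def knock_sequence(text, host, sport):
    """Destination ports, in capture order, of bare SYNs from host:sport."""
    return [dport for sp, dport in unsolicited_syns(text, host) if sp == sport]


def decode_ports_as_ascii(ports):
    """Read each port number as one ASCII code. Returns None when any port is
    outside the printable range, so non-text sequences are not mis-decoded."""
    if not ports or any(not 32 <= p <= 126 for p in ports):
        return None
    return "".join(chr(p) for p in ports)


if __name__ == "__main__":
    seq = knock_sequence(SAMPLE_TCPDUMP, "192.168.88.44", 1337)
    print(seq, "->", decode_ports_as_ascii(seq))
```

The flag check compares the whole flag string, so a SYN-ACK (`S.`) from the open HTTP port is not mistaken for a knock, and the source-port filter separates the 1337 stream from anything else the host might send.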
I added Mellon69 to my wordlist and started brute forcing again. After all this brute forcing I found the proper username. It was Balrog.
First, I tried to connect to SSH for quick access to a shell. But it didn't work. Apparently I should try another gate.
I gained access to FTP with these credentials. After digging through the whole file system, I found an interesting directory in /var/www/html. And I visited this page from my browser. There were some usernames and their hashes.
When I analysed the page source, I realised that the salts and the hash type were commented out.
6MAp84 bQkChe HnqeN4 e5ad5s g9Wxv7 HCCsxP cC5nTr h8spZR tb9AWe MD5(MD5(Password).Salt)
I combined the usernames, hashes and salts and ran John the Ripper. JtR cracked the hashes in seconds.
And I tried brute force again with these credentials. Yes, I found new credentials for SSH: Ori:spanky. I had to do privilege escalation now.
I use these scripts and sources when I enumerate Linux hosts for privilege escalation.
First I checked the kernel version for known exploits manually. Then I ran the other scripts. There was no public exploit for this kernel. But I noticed this line.
./unix-privesc-check detailed | grep WARNING
WARNING: Unencrypted Private SSH Key Found in /home/Ori/.ssh/id_rsa
There was a private SSH key in Ori's home folder. I tried this key for root and finally gained a root shell.