For the attacking machine, I will be using Kali 2017.1 running on Virtual Box. For the victim machine, I will be using Virtual Box. I tried to run on VMware Fusion on MacOS, but for some reason, it was getting an IP assigned. I used a bridged network to make it work. Once booted, this is what the victim machine will look like:

We start the attack by finding the IP of the victim machine by using the netdiscover command:

$ netdiscover

and we find the IP to be 192.168.0.111. Now that we know our target IP, let’s start by scanning the ports and try to get more information about it:

The scan shows us that the following ports are open:

Port 21 – Running FTP
Port 22 – Running OpenSSH
Port 80 – Running Apache server

Let’s head over to the browser to see if we find something useful:

Looking at the web page and the source code, I do not find anything interesting. Let’s fire up dirbuster and see what the mysterious artifacts hidden behind the gate are:

I see that /w/h/… is building up to something, let’s see to what:

After reaching http://192.168.0.111/w/h/i/s/p/e/r/the_abyss/, this is what I see:

I accidentally refreshed the page and saw that the text had changed:

Logically speaking, these could be a list of users on the machine, but what about their password? After spending a lot of time here, I decided to move on to the FTP server.

Seeing this, we know that the username is Balrog, but what about the password? The search brought me to this page, http://tolkiengateway.net/wiki/Doors_of_Durin, where I thought of brushing up my LOTR trivia when suddenly I noticed the phrase “Say friend and enter.” I tried friend as the password, but it did not work. Next, I tried Friend followed by FRIEND, but none of them worked. After looking at the above page, I thought of trying Mellon, which is “friend” in Dwarven. So I tried mellon, but even that did not work. Next, I tried Mellon, and it worked, and I was in:

Now that I was in, I thought of first checking out the running web application to see if there was anything I might’ve missed.

Note: Run the command pass to turn on passive mode, and use the command dir rather than ls to list files.

So, I went to /var/www/html and found this:

Opening that in the browser turned up this:

And after looking at the source code, it made me happy!

Time for some cracking! Before that, I organized data a bit:

To crack them, I used john dynamic format with the following command:

$ john -form=dynamic_6 crack_input.txt

and within seconds I had my answer:
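The dynamic_6 format named in the john command above is John the Ripper's md5(md5($p).$s) construction. The following added example (not part of the original walkthrough) shows how such a digest and its user:hash$salt input line are built, next to a salted PBKDF2 hash as the hardened alternative; the account name, passwords, salt and iteration count in it are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def dynamic_6(password: str, salt: str) -> str:
    """md5(md5($p).$s): hex of the inner MD5, salt appended, hashed again."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def john_line(user: str, password: str, salt: str) -> str:
    """Build one user:hash$salt line, the layout john reads for this format."""
    return f"{user}:{dynamic_6(password, salt)}${salt}"


def verify_dynamic_6(line: str, candidate: str) -> bool:
    """Check a candidate password against a user:hash$salt line."""
    _user, rest = line.split(":", 1)
    digest, salt = rest.split("$", 1)
    return hmac.compare_digest(dynamic_6(candidate, salt), digest)


def pbkdf2_hash(password: str, salt: bytes = b"") -> tuple:
    """Hardened alternative: random 16-byte salt, deliberately slow KDF."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def pbkdf2_verify(password: str, salt: bytes, key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(pbkdf2_hash(password, salt)[1], key)


if __name__ == "__main__":
    line = john_line("alice", "Summer2017", "x7Kq")  # constructed account
    print(line)
    print(verify_dynamic_6(line, "Summer2017"), verify_dynamic_6(line, "summer2017"))
    salt, key = pbkdf2_hash("Summer2017")
    print(pbkdf2_verify("Summer2017", salt, key), pbkdf2_verify("guess", salt, key))
```

Each dynamic_6 check costs two MD5 calls, which is why a short list of such hashes falls in seconds; the PBKDF2 variant makes every check cost 600,000 HMAC-SHA256 iterations.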

Next, I tried to SSH with the details I just got and was able to get in using Ori’s credentials:

As soon as I logged in, I saw a file called poem.txt, and this is what it said:

Since this made no sense to me, I tried to see if anything more was available for Ori:

Oh well, we can ssh from within! Let’s see where that gets us:

$ ssh -i id_rsa root@127.0.0.1

And voila! We are root!