Joshua Cruz

VulnHub - PumpkinGarden (1/3)

August 22, 2019

Quick Summary

PumpkinGarden is the first part of the Mission-Pumpkin series. The CTF series is a great introduction to the world of pentesting. This box is very linear, in that it goes from one clue to the next.

PumpkinGarden Login

Starting up the vulnerable machine, we can see a creative introduction to the machine along with the IP address associated with the box.

login

No login is required to use the machine, so we can dive right into active reconnaissance against it.

Nmap

As with all the other vulnerable machines, we start with an nmap scan to see which ports are open.

nmap scan

Looking at the results, we only see one port open. Port 21 is allowing anonymous login, which is something to keep note of for when we want to FTP into the server. Alongside that, nmap shows a note.txt file that is on the server.

Other than that, there is no indication of any other open port. This feels unusual to me…

FTP / Note 1

Anywho, because this is the only port we currently see, we log into the server with the anonymous login that nmap helpfully reported.

ftp

Because we FTP’d into the server, there is no way of reading the note.txt file directly, so we instead use the ftp get command to copy the remote file to our machine. After looking at note.txt, we aren’t given any other information, other than a hint that jack can help us.

Nmap all ports

Heading back to active reconnaissance, I decided to use nmap again, this time scanning all ports on the server to see if anything else comes up.

nmap all ports

And what do you know, a couple more open ports show up: we can access Apache and OpenSSH.

HTTP

Here, we finally access the web server.

http

Upon accessing the server, we get a bunch of hints…

“I found the route map to PumpkinGarden somewhere under the hood.”

This hint immediately tells me to check the source code of the current web page.

Source Code

Viewing the source code, we can see a comment that hints at the Pumpkin images.

source code

Seeing this hint prompts me to use directory brute-forcing techniques to see if there are any hidden folders and/or files.

Nikto

I decided to use nikto to scan the Apache web server for misconfigured/outdated files and programs. It can also check for index files.

nikto

After the scan completed, we can see nikto found a hidden directory, /img/.

Directory Listing

Inserting the /img/ directory into the URL, we can now see the directory listing within the browser.

directory listing

As obvious as it is, we see a hidden_secret folder that we can easily access.

Hidden secret > Clue.txt

Within the folder we can see a clue.txt file whose contents look base64 encoded.

clue.txt

We need to decode this to see what we get from it.

Base64

We can easily decode it using the terminal command (the page leaves the encoded string blank):

*echo ________ | base64 -d*

But I decided to use base64decode.org for the fun of it.

base64 decode

Here we get what looks like a user and their password.
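A defender-side takeaway from this step is that a base64-wrapped credential sitting in a browsable directory is trivially findable. As an added example (not code from the original write-up), the Python script below walks a web root and flags small files that decode from base64 into a user:password string, the pattern clue.txt followed; the file layout and credential values are constructed for the demo.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Constructed sample web root mirroring the box's layout; values are made up.
SAMPLE_FILES = {
    "img/hidden_secret/clue.txt": base64.b64encode(b"someuser:s0mep4ss").decode() + "\n",
    "index.html": "<html><!-- nothing here --></html>\n",
    "img/pumpkin.txt": "not base64 at all!\n",
}

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # one bare base64 token
CRED_RE = re.compile(r"^[\w.-]+:[^\s]+$")        # user:password shape


def decode_if_base64(text: str):
    """Return decoded text if `text` is a single base64 token that decodes to printable ASCII, else None."""
    token = text.strip()
    if len(token) < 8 or len(token) % 4 or not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def scan_webroot(root: str, max_bytes: int = 4096):
    """Walk `root` and report (relative path, username) for base64-wrapped credential files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        decoded = decode_if_base64(path.read_text(errors="replace"))
        if decoded and CRED_RE.match(decoded):
            findings.append((path.relative_to(root).as_posix(), decoded.split(":", 1)[0]))
    return findings


def build_sample_webroot() -> str:
    """Write the constructed sample files into a temp directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return root


if __name__ == "__main__":
    for rel, user in scan_webroot(build_sample_webroot()):
        print(f"{rel}: base64-wrapped credential for user '{user}'")
```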

FTP as Scarecrow

My first thought with the acquired username and password was to try them over FTP, just to see what would happen.

ftp scarecrow

Inputting those credentials, we successfully log into the server as scarecrow.

Note 2

Looking through the user’s directory, we find a second note.txt file. Like before, we use the ftp get command to copy the file onto our Kali machine.

note 2

Reading the information in this note.txt file, we get another hint: the user goblin can get the key from the root user LordPumpkin.

SSH as Goblin

Because we were provided with the user goblin and the password Y0n$M4sy3D1t, we can switch user after SSHing into the server as scarecrow.

ftp goblin

And there we go: we log in as scarecrow, then switch to the goblin user with the password that was given to us in note 2.

Note 3

Having switched to the user goblin, we leave scarecrow’s home directory and go into our own to see what’s inside.

note 3

Looking in our directory, we can see a third note.txt file that again gives us another hint, along with an exploit we can use to get LordPumpkin’s key.

Root Password

We enter the commands that the exploit 38362.sh provides, running them as the goblin user.

passwd

This part got a bit tricky, but we ended up getting the key (root password) from LordPumpkin for the PumpkinGarden.