VulnHub - PumpkinGarden (1/3)
PumpkinGarden is the first part of a Mission-Pumpkin series. The CTF series is a great introduction to the world of pentesting. This box is very linear based, in that it goes from one clue to the next.
Starting up the vulnerable machine, we can see a creative introduction to the machine with the ip address associated with the box.
No login is required to log into the machine, so we can dive right into actively doing reconnaissance on the machine.
As like all the other vulnerable machines, we start with an nmap scan to see what ports are actively open.
Looking at the results we only see one port open. Port 21 is allowing Anonymous login. This is something to keep note of for when we want to ftp into the server. Along side that we can the nmap showing a note.txt file that is in the server.
Other than that, there is no other indication of any other open port. This feels unusual to me…
FTP / Note 1
Anywho, because this is the only port we actively see we then log into the server with the Anonymous login that nmap was happily able to provide us.
Because we ftp’d into the server, there is no way of reading the note.txt file, we instead use the ftp get command to copy the remote system file. After looking at the note.txt file, we don’t have any other information that is given to us. Other than a hint that jack can help us.
Nmap all ports
Heading back to actively doing reconnaissance, I decided to use nmap again to scan all ports on the server to see if anything comes up.
And what do you know, we see a couple more open ports to show up. that we can access Apache and OpenSSH.
Here, we finally access the web server.
Upon accessing the server, we get a bunch of hints…
“I found the route map to PumpkinGarden somewhere under the hood.”
This hint immediately tells me to check the source code of the current web page.
Viewing the source code, we can see a comment that hints at the Pumpkin images.
Seeing this hint, triggers me into using bruteforce direcotry techniques to see if there are any hidden folders and/or files.
I’ve decided to use nikto to scan the Apache Web Server for misconfigured/outdated files and programs. It can also check for index files as well.
After the scan completed, we can see nikto found a hidden direcotry /img/.
Inserting the /img/ file directory into the url, we can now see the server directory within the browser.
As obvious as it is, we see a hidden_secret folder that we can easily access.
Hidden secret > Clue.txt
Within the fodler we can see a clue.txt file that looks like a base64 encode.
We need to decode this to see what we get from it.
We can easily decode using the terminal command:
|*echo ________||base64 -d*|
But I decided to use base64decode.org for the fun of it.
Here we get, what looks like a user and their password
FTP as Scarecrow
My first thought with the aquired user and password was to attempt to use it using ftp, just to see what would happen.
Inputting those credentials we successfully log into the server as scarecrow
Looking through the users profile we find a second note.txt file. And like before we use the ftp get command to copy the file onto our Kali machine.
Reading the information in the note.txt file we get another hit that the user goblin can get the key from the root user LordPumpkin
SSH as Goblin
Because we were provided with the user: goblin and the password Y0n$M4sy3D1t, we can change user while ssh into the server as scarecrow.
And there we go, we ftp as scarecrow then switch user to goblin user the password that was given to use from note 2.
Switching to the user goblin, we get out of the user scarecrow’s home directory and go into ours to see whats inside
Looking in our directory we can see that there is a third note.txt file, that again gives us another hint along with an exploit we can use to get LordPumpkin key.
Entering the commands that exploit 38362.sh provides us, we enter it as the goblin user
This part got a bit tricky, but we ended up getting the key (root password) from LordPumpkin for the PumpkinGarden.