Mission-Pumpkin v1.0: PumpkinFestival Vulnhub Walkthrough
PumpkinFestival is another CTF challenge from the series of Mission-Pumpkin v1.0 created by keeping beginners in mind and all credit for this VM goes to Jayanth. This level is all about collecting 10 pumpkin tokens gain the root access to collect the PumpkinFestival_Ticket.
You can download it from HERE
Level: Beginner to Intermediate
- Privilege Escalation
- Exploiting Sudo rights
Let’s start off with the scanning process. This target VM took the IP address of 192.168.1.101 automatically from our local wifi network.
Then, as usual, we used our favourite tool Nmap for port scanning. We found that port 21, 80 is open and ssh is running on port 6880.
nmap -p- -A 192.168.1.101
Anonymous login is enabled on the ftp. So we tried to login using anonymous: anonymous.
Upon successful login we traversed through different directories and found our first token 2d6dbbae84d724409606eddd9dd71265 inside token.txt file.
ftp 192.168.1.101 cd secret get token.txt bye cat token.txt
Port 80 is open on the target system, we opened the IP address in our browser we didn’t get aby token but got a word named Alohomera! Which might be useful later on.
We checked for the page source of the page and got our second token 45d9ee7239bc6b0bb21d3f8e1c5faa52.
In the page source only we also found one username Harry which we will use in the later stage.
In the nmap scan earlier we have got few directories, we tried to access each one of them one by one.
From the /store/track.txt we found one username admin and a domain name pumpkin.local.
We mapped the domain name with the target machine’s IP address in the /etc/hosts file.
After that, we accessed the pumpkin.local from the browser it came out to be another WordPress site and got one more flag 06c3eb12ef2389e2752335beccfb2080.
There is one more directory which we got from the Nmap scan named /tokens.
We couldn’t find anything inside this directory using different directory brute-forcing tool but we were still curious that there must be something inside this directory. So we did a number of hit and trials and finally got our fourth token 2c0e11d2200e2604587c331f02a7ebea in token.txt.
Since we have a WordPress site running under pumpkins.local domain name, we tried wpscan and got a file named readme.html.
wpscan --url http://pumpkins.local -e at -e ap -e u
We also got two usernames admin & morse for the WordPress site which we will use to access the admin login of the site later on.
After accessing the URL pumpkins.local/readme.html we got some code.
We tried to crack it online and it was a base62 code which gave us a password Ug0t!TrIpyJ for user morse & jack.
As we have got the password for the morse, we logged in to the wp-admin and got our 5th token 7139e925fd43618653e51f820bc6201b
Since we have one more wp-admin user named admin and if you remember we also have got a keyword earlier named Alohomera! we tried this as our password to login into a WordPress site and were successfully able to do so and eventually got our 6th token f2e00edc353309b40e1aed18e18ab2c4
It’s always a good practice to use multiple tools for bruteforcing to get more reliable and add on results. We used DirBuster to bruteforce the URL http://pumpkin.local and got one more directory named license.txt Accessing the same directory in the browser gave us one more token 5ff346114d634a015ce413e1bc3d8d71
Accessing the same directory in the browser gave us one more token 5ff346114d634a015ce413e1bc3d8d71
We have a total of four users admin, morse, jack & harry with passwords only for only three.
So we tried to get the password of harry by bruteforcing using hydra. We got a password yrrah.
hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.101 ftp -e nsr
We logged into ftp of the target machine using these credentials and found the 8th token ba9fa9abf2be9373b7cbd9a6457f374e
ftp 192.168.1.101 ls get token.txt bye cat token.txt
In the above screenshot you can see that there is a directory named /Donotopen , we went inside this directory and found another directory named /NO and after a lot of traversing we finally found the file name token.txt. We downloaded the file into our system and got the 9th token 8d66ef0055b43d80c34917ec6c75f706
cd Donotopen ls cd NO cd NOO cd NOOO cd NOOOO get token.txt bye cat token.txt
It’s time to get the 10th token. Let’s HUNT!
From the above screen you might have seen there is one more directory /NOOOOO and after some traversing found a file data.txt. We downloaded the file into our kali and found some random codes inside.
cd NOOOOOO bye get data.txt
We checked for the file type and it is tar file. We untar the file and got another file data.
That file also came out to be a zip file and after unzipping we got a file key and after untaring that, we finally got a file named jack which had hexdump inside.
file data.txt tar vxf data.txt tar xjf data tar vxf key cat jack
Then we used xxd to covert and patch the hexdump into binary.
We got an ssh private key.
xxd -r -p jack
As we have got an ssh key, what we did is we used this key to ssh login the target machine on port 6808 with user jack.
After successful login we found our final and 10th token 8d66ef0055b43d80c34917ec6c75f706
chmod 600 sshkey ssh [email protected] -i sshkey -p 6880 file token ./token sudo -l
From the above screenshot, we can see jack has sudoer permission for alohomora file.
Now to get the root shell and then finally get the PumpkinFestival_Ticket we will exploit the sudoer permissions of the jack.
We checked for the pumpkins directory but couldn’t find any, so we created a directory named pumpkins and then using echo command we created a file named alohomora with /bin/bash copied in it.
We then gave it execution permissions and tried to execute the file as sudoer and we successfully got the root shell and eventually the PumpkinFestival_Ticket which completes our challenge.
mkdir pumpkins echo "/bin/sh" > /home/jack/pumpkins/alohomora chmod 777 /home/jack/pumkins/alohomora id cd /root ls cat PumpkinFestival_Ticket
Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here