PumpkinGarden: Vulnhub Walkthrough

Today we are going to solve another CTF challenge, Mission Pumpkin. Credit for making this VM goes to Jayanth, and it is designed for people who are beginners in the penetration testing field. The mission of this CTF is to gain access to the PumpkinGarden_key file stored in the root account. So, let's proceed to solve Mission Pumpkin.

You can download this VM from vulnhub.com: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/

Security Level: Beginner

Penetration Methodology:

Scanning

  • Nmap

Enumeration

  • Anonymous FTP login
  • Web Directory Search

Exploiting

  • SSH connect

Privilege Escalation

Scanning

Let's start with our first step, scanning, for which we will use Nmap to check the state of the open ports.

nmap -p- -A 192.168.0.14

Here we can see that port 21 for FTP is open and that an anonymous user can log in over FTP. We can also observe that an HTTP service is running on port 1515 and an OpenSSH service is running on port 3535. Now we will move on to our next step, enumeration.

Enumeration

First, we will connect over FTP using anonymous as both the username and the password. Here we found note.txt, which we then transfer to our own system.

ls
get note.txt
cat note.txt

As we saw, an Apache service is running on port 1515, so we open it in our browser, where we do not find anything interesting.

Next we use dirb for web directory enumeration, and we find the /img directory.

dirb http://192.168.0.14:1515/

Inside the image directory, we got a file named hidden_secrets.

When we opened that file, we got our next clue which was a secret key.

This key is encoded in base64, so first we will decode it to get the clue.

echo c2NhcmVjcm93IDogNVFuQCR5 | base64 -d

We now assume this is a credential pair: username scarecrow and password 5Qn@$y.
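Base64 is reversible by anyone who finds the file, so content published under a web root is worth checking for this pattern before it ships. The following is an added example, not part of the original walkthrough: a Python check that flags base64 tokens decoding to a name : secret pair. The regexes, function names and sample text are assumptions made for illustration.

```python
import base64
import binascii
import re

# Runs of the base64 alphabet at least 16 characters long, with optional padding.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)
# Decoded text shaped like "name : secret" (assumed heuristic, tune per site).
CRED_SHAPE = re.compile(r"^[A-Za-z_][\w.-]{1,31}\s*:\s*\S{4,}$")


def decode_token(token):
    """Return the decoded printable ASCII text of a base64 token, else None."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):
        # Not valid base64, or the decoded bytes are not ASCII text.
        return None
    return text if text.isprintable() else None


def find_encoded_credentials(content):
    """Return (line_number, token, decoded) for tokens hiding a credential."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for match in B64_TOKEN.finditer(line):
            decoded = decode_token(match.group(0))
            if decoded and CRED_SHAPE.match(decoded.strip()):
                findings.append((lineno, match.group(0), decoded))
    return findings


# Constructed sample: a web-served text file like hidden_secrets on this VM.
# Line 2 is benign base64 (the alphabet); line 3 is the string from the page.
SAMPLE = """\
Welcome to the garden
build id: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
c2NhcmVjcm93IDogNVFuQCR5
"""

if __name__ == "__main__":
    for lineno, token, _decoded in find_encoded_credentials(SAMPLE):
        print(f"line {lineno}: {token} decodes to a credential-like string")
```

Only the token on line 3 of the sample is reported; the benign base64 on line 2 decodes cleanly but does not have the name : secret shape.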

Exploiting

Now we will connect over SSH with the credentials found above. After logging in as scarecrow, we found a file named note.txt, and opening it gives us another clue, which is a password. Next we check the list of users in the /etc/passwd file.

We got the list of users. Now we switch to the goblin user and enter the password Y0n$M4sv3D1t, and the login succeeds.

ssh scarecrow@192.168.0.14 -p3535
ls
tail /etc/passwd
su goblin

As the goblin user, we found another note file, which contains an Exploit-DB link for the exploit, as shown in the image at the bottom.

Now we follow the link provided there and download the bash file, which holds the method to gain root access.

cat 38362.sh

So, when we run the commands we obtained, we get root access and are logged in as root. We find PumpkinGarden_key here, which shows that we have solved this CTF successfully.

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security.