PumpkinRaising : Vulnhub Walkthrough
PumpkinRaising is another CTF challenge from the series of Mission-Pumpkin v1.0 created by keeping beginners in mind and all credit for this VM goes to Jayanth. This level is all about identifying 4 pumpkin seeds (4 Flags – Seed ID’s) and gain access to root and capture the final Flag.txt file.
You can download it from here: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/
Level: Beginner to Intermediate
- Abusing HTTP services
- Ssh Login
- Abusing Sudo right
Let’s start with network scanning as the IP of this VM is 192.168.0.11. So, initializing this VM by scanning open port and running services over those port with the help nmap.
nmap -A 192.168.0.11
From its scan result, I found port 22 for ssh and 80 for http are available, moreover it gave some hint for /robot.txt file that disallows 23 entities.
So first we navigate to a web browser and explore the VM IP and welcome by following web page. Read the following message:
“To raise Pumpkins, we need to collect seeds in the first step. Remember Jack? He is the only expert we have in raising healthy Pumpkins. It’s time to get in search of pumpkin seeds”
From this message, we can assume for “Jack” which could be a username.
Further, I explored /robot.txt file suggested in nmap scan and found some list of interesting directories, files and paths. Apart from all entries, I found a few interesting entries such as: /hidden/notes.txt, /underconstruction.html and /seeds/seed.txt.gpg. so, we have explored each entry one-by-one.
The hidden note.txt showed certain data which may be needed to login credentials subsequently.
http://192.168.0.11/hidden/notes.txt Robert: C@43r0VqG2= Mark: Qn@F5zMg4T goblin: 79675-06172-65206-17765
when I checked the source code of the homepage and here, I found a link for pumpkin.html
On exploring source code of http://192.168.0.11/pumpkin.html, I found a base32 encoded string.
With the help of online base32 decoder, we have decoded the string and note the path /scripts/spy.pcap that could be a hint for seed’s id.
To identify what is inside the spy.pcap file, I simply downloaded the file in our local machine and used Wireshark to read the network packet.
Here I found the first seed: 50609 from inside the tcp steam as shown in the below image.
Again, we come back to pumkin.html page and I found the decimal string on scrolling same file.
On decoding decimal string, we found one more seed:96454
As you know we have enumerated /robots.txt and from inside that, we found another important file /underconstrution.html as shown below. So, we have explored the source code of the web page and noted hint for an image.
Now, we have explored the below URL and found a picture for pumpkin which I have downloaded in my local machine.
After downloading the pumpkin image, I check for hidden data with help of stegosuite. This image was password protected image and if you remembered we had enumerated “Mark: Qn@F5zMg4T” secret keys from inside /hidden/notes.txt
I used the key: Qn@F5zMg4T for extracting the hidden file “decorative.txt” from inside the stegno image.
So, when I opened this file, it gave me another PUMP-Ke-Mon Pumpkin seed: 86568
Further, I downloaded the .gpg file as the link /seeds/seed.txt.gpg which was mention in the robot.txt file.
wget http://192.168.0.11/seeds.txt.gpg gpg -d seeds.txt.gpg
So, when I tried to open the file, I noticed that it requires the passphrase to decrypt the encrypted data which I don’t know. Here I tried to use above enumerated keys but could not able to decrypt it. After so many attempts, I successfully decrypted the file by entering SEEDWATERSUNLIGH which was mentioned in the home page of website in the 2nd image.
On decrypting I obtained following text file as shown below and it was a Morse encoded text which used in telecommunication that encodes text characters as standardized sequences of two different signal durations called dots and dashes.
To decrypt the Morse text I have used cyberchef which is an online decrypting tool. On decrypting the text, I found another BIGMAXPUMPKIN seed 69507
As it was declared by the author that in this VM we need to find 4 SEED’s ID and a root flag. Hence, we have collected all 4 seed’s id but for getting root flag, we need to compromise the VM.
When I didn’t get any vulnerability to compromised it, I tried to access ssh by the combination of all 4 seed found in this VM and used this as a password for user jack.
- SEED ID: 69507
- SEED ID: 50609
- SEED ID: 96454
- SEED ID: 86568
ssh email@example.com SSH login Password: 69507506099645486568
Yuppie!! We got the shell access but for obtaining root flag we need to escalate the privilege from low privilege shell to high. Therefore, I check for sudo rights for user jack and found jack can run strace with sudo rights.
Hmmm! We can abuse the sudo permission set for strace program. Hence type following and obtain the root flag.
sudo strace -o/dev/null /bin/bash cd /root ls cat flag.txt
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here