Categories

Archives

CTF Challenges

PumpkinRaising : Vulnhub Walkthrough

PumpkinRaising is another CTF challenge from the series of Mission-Pumpkin v1.0 created by keeping beginners in mind and all credit for this VM goes to Jayanth. This level is all about identifying 4 pumpkin seeds (4 Flags – Seed ID’s) and gain access to root and capture the final Flag.txt file.

You can download it from here: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/

Level: Beginner to Intermediate

Penetrating Methodologies

Scanning

  • Nmap

Enumeration

  • txt
  • Abusing HTTP services

Exploiting

  • Ssh Login

Privilege Escalation

  • Abusing Sudo right

Walkthrough

Scanning

Let’s start with network scanning as the IP of this VM is 192.168.0.11. So, initializing this VM by scanning open port and running services over those port with the help nmap.

nmap -A 192.168.0.11

From its scan result, I found port 22 for ssh and 80 for http are available, moreover it gave some hint for /robot.txt file that disallows 23 entities. 

Enumeration

So first we navigate to a web browser and explore the VM IP and welcome by following web page. Read the following message:

“To raise Pumpkins, we need to collect seeds in the first step. Remember Jack? He is the only expert we have in raising healthy Pumpkins. It’s time to get in search of pumpkin seeds”

From this message, we can assume for “Jack” which could be a username.

Further, I explored /robot.txt file suggested in nmap scan and found some list of interesting directories, files and paths. Apart from all entries, I found a few interesting entries such as: /hidden/notes.txt, /underconstruction.html and /seeds/seed.txt.gpg.  so, we have explored each entry one-by-one.

The hidden note.txt showed certain data which may be needed to login credentials subsequently.

http://192.168.0.11/hidden/notes.txt
Robert: C@43r0VqG2=
Mark: Qn@F5zMg4T
goblin: 79675-06172-65206-17765

when I checked the source code of the homepage and here, I found a link for pumpkin.html

On exploring source code of http://192.168.0.11/pumpkin.html, I found a base32 encoded string.

With the help of online base32 decoder, we have decoded the string and note the path /scripts/spy.pcap that could be a hint for seed’s id.

To identify what is inside the spy.pcap file, I simply downloaded the file in our local machine and used Wireshark to read the network packet.

Here I found the first seed: 50609 from inside the tcp steam as shown in the below image.

Again, we come back to pumkin.html page and I found the decimal string on scrolling same file.

On decoding decimal string, we found one more seed:96454

As you know we have enumerated /robots.txt and from inside that, we found another important file /underconstrution.html as shown below. So, we have explored the source code of the web page and noted hint for an image.

Now, we have explored the below URL and found a picture for pumpkin which I have downloaded in my local machine.

http://192.168.0.11/images/jackolantern.gif

After downloading the pumpkin image, I check for hidden data with help of stegosuite. This image was password protected image and if you remembered we had enumerated “Mark: Qn@F5zMg4T” secret keys from inside /hidden/notes.txt

I used the key: Qn@F5zMg4T for extracting the hidden file “decorative.txt” from inside the stegno image.

So, when I opened this file, it gave me another PUMP-Ke-Mon Pumpkin seed: 86568

Further, I downloaded the .gpg file as the link /seeds/seed.txt.gpg which was mention in the robot.txt file.

wget http://192.168.0.11/seeds.txt.gpg
gpg -d seeds.txt.gpg

So, when I tried to open the file, I noticed that it requires the passphrase to decrypt the encrypted data which I don’t know. Here I tried to use above enumerated keys but could not able to decrypt it. After so many attempts, I successfully decrypted the file by entering SEEDWATERSUNLIGH which was mentioned in the home page of website in the 2nd image.

 On decrypting I obtained following text file as shown below and it was a Morse encoded text which used in telecommunication that encodes text characters as standardized sequences of two different signal durations called dots and dashes.

To decrypt the Morse text I have used cyberchef which is an online decrypting tool. On decrypting the text, I found another BIGMAXPUMPKIN seed 69507

As it was declared by the author that in this VM we need to find 4 SEED’s ID and a root flag. Hence, we have collected all 4 seed’s id but for getting root flag, we need to compromise the VM.  

When I didn’t get any vulnerability to compromised it, I tried to access ssh by the combination of all 4 seed found in this VM and used this as a password for user jack.

  1. SEED ID: 69507  
  2. SEED ID: 50609
  3. SEED ID: 96454
  4. SEED ID: 86568
ssh jack@192.168.0.11
SSH login Password: 69507506099645486568

Yuppie!! We got the shell access but for obtaining root flag we need to escalate the privilege from low privilege shell to high. Therefore, I check for sudo rights for user jack and found jack can run strace with sudo rights.

 Hmmm! We can abuse the sudo permission set for strace program. Hence type following and obtain the root flag.

sudo strace -o/dev/null /bin/bash
cd /root
ls
cat flag.txt

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

One thought on “PumpkinRaising : Vulnhub Walkthrough

  1. Great write up, I found you after I could not unlock the .gpg file or find the final seed.

    I had tried all the image files with SegooSuite but none had displayed any hidden files.

    Did it only show up after inputting the password? even with the terminal version I only kept getting errors saying .gif was not supported.

    Any further explanation on that stego portion would be greatly appreciated!

Comments are closed.