Vulnhub - Pumpkin Festival

Vulnhub 4 minutes read (About 649 words)

Today, we are going to pwn Pumpkin Festival from Vulnhub.

Nmap

Starting off with the nmap using nmap -sV -sC -A -p- -T5 192.168.43.17 reveals that we have FTP, HTTP and SSH at 6880.

Tokens

From the first discovery I found that flag are named as token and that is our challenge i.e. finding all tokens.

First

First one was at the botttom of the HTML page can be viewed upon inspection of the page.

Second

With the result of nmap scan we seen that anaonymous login is open. Using the package ftp we logged into the machine and in the directory named secret we found a file named token.txt having the second token.

PumpkinToken : 2d6dbbae84d724409606eddd9dd71265

Third

This one requires bruteforcing the FTP service in order to get token, as we have inspected HTTP client for first we saw that there is a user named harry. On the basis of that assumption, using hydra -l harry -P rockyou.txt 192.168.43.17 ftp -t 60, it will take some time so don’t get impatient.

Password of user harry:-

Logging in with user harry shows that we have a token.txt and a directory named Donotopen. Get the token and start changing directories.

PumpkinToken : ba9fa9abf2be9373b7cbd9a6457f374e

Forth

While logged in FTP, and chanaging bunch NO named nested directories, we get another token and a data.txt.

PumpkinToken : f9c5053d01e0dfc30066476ab0f0564c

That data.txt was a tar file which can be confirmed using file data.txt.

Extracting it gives a hex encoded OpenSSL Private Key.

Fifth

Checking robots.txt on a HTTP we get see a /tarck/track.txt, going to that webpage we see:-

Hey Jack!

Thanks for choosing our local store. Hope you like the services.
Tracking code : 2542 8231 6783 486

-Regards
admin@pumpkins.local

admin@pumpkins.local seems interesting, editing the hosts file we add pumpkia.local. After this, we get a wordpress temed website. Using wpscan doesn’t give any interesting results. So, using dirb we see a lot of pages which can be seen at any normal wordpress website.

Going to readme.html it shows a base?? encoded data, using CyberChef and trying multiple bases we can see it’s a base64 data which decodes to credentails.

WordPress

Semantic Personal Publishing Platform

-- This content is removed because of security purposes --

K82v0SuvV1En350M0uxiXVRTmBrQIJQN78s

morse & jack : Ug0t!TrIpyJ

So, logging into the wordpress with as morse we see that there is a flag in biographical info.

PumpkinToken : 7139e925fd43618653e51f820bc6201b

Sixth

Now, so we had a OpenSSL private key, we can use it to get into the machine via SSH as jack with ssh -i key jack@192.168.43.17 -p 6880 we get into the system.

In the home directory we can see a ELF named token, running it we can get our seventh token.

PumpkinToken : 8d66ef0055b43d80c34917ec6c75f706

Root

Using wordpress credentials for jack we can use sudo. Using sudo -l we can see that creating a file within /home/jack/pumpkin/alohomora we can execute any binary. From our previous encounter of privilege escalation we are going to create a binary named alohooa.

1
2
3
4
5
6
7
8
9
10

jack@pumpkin:~/pumpkins$ echo "/bin/sh" > alohomora
jack@pumpkin:~/pumpkins$ chmod +x alohomora
jack@pumpkin:~/pumpkins$ sudo ./alohomora
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami; id; cd root; cat *.txt
root
uid=0(root) gid=0(root) groups=0(root)

Hence, checking the root directory we can see a great art of pumpkin.

Thanks

Thanks to @mzfr and Andre for helping me out.

#nmap, ctf, vulnhub
ROP- Basic Exploit Creation Introduction to ROP
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now

×