Today we are going to solve another CTF challenge known as mission Pumpkin and credit for making this VM machine goes to Jayanth which is designed for people who are beginners in hacking field. The mission of this CTF is to gain access to PumpkinGarden_keyfile stored in the root account. So, let’s proceed towards solve this Mission Pumpkin.
You can download this VM from vulnhub.com: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/
Security Level: Beginner
Penetration Methodology:
Scanning
· Nmap
Enumeration
· Credential Harvesting
· Web Directory search
Exploiting
SSH connect
Privilege Escalation
Scanning
Let’s start with our first step which is scanning, for which we will use Nmap tool to check open ports states.
nmap -p- -A 192.168.0.14
Here as we can see that port 21 for FTP is open and anonymous user can login ftp. Moreover, we can also observe that http is service in running on port 1515 and open ssh service is running on port 3535. Now we will move towards our next step which is enumeration.
Enumeration
First, we will try to connect through ftp with anonymous as username and password. Here we have found note.txt then we will transfer this file in our system
ls
get note.txt
cat note.txt
Now as we had seen that apache service was running on port 1515. So, we will open that in our browser where we have not found anything interesting.
Now we will use dirb for web directory enumeration and we will found the image directory there.
dirb http://192.168.0.14:1515/
Inside the image directory; we got a file named hidden_secrets. When we opened that file, we got our next clue which was a secret key.
This key is encrypted in base64 so first we will decode it to get the clue.
echo c2NhcmVjcm93IDogNVFuQCR5 | base64 -d
Now we are assuming that that these can be the usernames:scarecrow and passwords:5Qn@$y.
Exploiting
Now we will try to connect though ssh with .Here we have found file note.txt and after opening this we will get another clue which is password; so will check the list of users in etc/passwd file and we got the user now we will switch to goblin user entering the password key and we are successful in doing so and here also we got our next clue which will help us in finding the key of mission pumpkin.
ssh scarecrow@192.168.0.14 -p3535
ls
tail /etc/passwd
su goblin
In goblin user we found an another note file which contains a link of expoloit db for exploiting as shown in the image at the bottom.
Now we will click on the link which is provided there and download the bash file which holds the method to gain access of root.
cat 38362.sh
So, as we run the commands which we have got we will get the root access and we are logged in as root. We have got pumpkeygarden_key here which reflects that we have solved this CTF successfully.
