Vulnhub - Pumpkin Festival

Today, we are going to pwn Pumpkin Festival from Vulnhub.


Starting off with the nmap using nmap -sV -sC -A -p- -T5 reveals that we have FTP, HTTP and SSH at 6880.


From the first discovery I found that flag are named as token and that is our challenge i.e. finding all tokens.


First one was at the botttom of the HTML page can be viewed upon inspection of the page.


With the result of nmap scan we seen that anaonymous login is open. Using the package ftp we logged into the machine and in the directory named secret we found a file named token.txt having the second token.

PumpkinToken : 2d6dbbae84d724409606eddd9dd71265


This one requires bruteforcing the FTP service in order to get token, as we have inspected HTTP client for first we saw that there is a user named harry. On the basis of that assumption, using hydra -l harry -P rockyou.txt ftp -t 60, it will take some time so don’t get impatient.

Password of user harry:-

Logging in with user harry shows that we have a token.txt and a directory named Donotopen. Get the token and start changing directories.

PumpkinToken : ba9fa9abf2be9373b7cbd9a6457f374e


While logged in FTP, and chanaging bunch NO named nested directories, we get another token and a data.txt.

PumpkinToken : f9c5053d01e0dfc30066476ab0f0564c

That data.txt was a tar file which can be confirmed using file data.txt.

Extracting it gives a hex encoded OpenSSL Private Key.


Checking robots.txt on a HTTP we get see a /tarck/track.txt, going to that webpage we see:-

Hey Jack!

Thanks for choosing our local store. Hope you like the services.
Tracking code : 2542 8231 6783 486


admin@pumpkins.local seems interesting, editing the hosts file we add pumpkia.local. After this, we get a wordpress temed website. Using wpscan doesn’t give any interesting results. So, using dirb we see a lot of pages which can be seen at any normal wordpress website.

Going to readme.html it shows a base?? encoded data, using CyberChef and trying multiple bases we can see it’s a base64 data which decodes to credentails.


Semantic Personal Publishing Platform

-- This content is removed because of security purposes --


morse & jack : Ug0t!TrIpyJ

So, logging into the wordpress with as morse we see that there is a flag in biographical info.

PumpkinToken : 7139e925fd43618653e51f820bc6201b


Now, so we had a OpenSSL private key, we can use it to get into the machine via SSH as jack with ssh -i key jack@ -p 6880 we get into the system.

In the home directory we can see a ELF named token, running it we can get our seventh token.

PumpkinToken : 8d66ef0055b43d80c34917ec6c75f706


Using wordpress credentials for jack we can use sudo. Using sudo -l we can see that creating a file within /home/jack/pumpkin/alohomora we can execute any binary. From our previous encounter of privilege escalation we are going to create a binary named alohooa.

jack@pumpkin:~/pumpkins$ echo "/bin/sh" > alohomora
jack@pumpkin:~/pumpkins$ chmod +x alohomora
jack@pumpkin:~/pumpkins$ sudo ./alohomora
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami; id; cd root; cat *.txt
uid=0(root) gid=0(root) groups=0(root)

Hence, checking the root directory we can see a great art of pumpkin.


Thanks to @mzfr and Andre for helping me out.

Author: D4mianwayne
Reprint policy: All articles in this blog are used except for special statements CC BY 4.0 reprint polocy. If reproduced, please indicate source D4mianwayne !