Today, we are going to pwn Pumpkin Festival from Vulnhub.
Starting off with the nmap using
nmap -sV -sC -A -p- -T5 192.168.43.17 reveals that we have FTP, HTTP and SSH at 6880.
From the first discovery I found that flag are named as token and that is our challenge i.e. finding all tokens.
First one was at the botttom of the HTML page can be viewed upon inspection of the page.
With the result of nmap scan we seen that anaonymous login is open. Using the package
ftp we logged into the machine and in the directory named secret we found a file named
token.txt having the second token.
PumpkinToken : 2d6dbbae84d724409606eddd9dd71265
This one requires bruteforcing the FTP service in order to get token, as we have inspected HTTP client for first we saw that there is a user named harry. On the basis of that assumption, using
hydra -l harry -P rockyou.txt 192.168.43.17 ftp -t 60, it will take some time so don’t get impatient.
Password of user harry:-
Logging in with user harry shows that we have a
token.txt and a directory named
Donotopen. Get the token and start changing directories.
PumpkinToken : ba9fa9abf2be9373b7cbd9a6457f374e
While logged in FTP, and chanaging bunch NO named nested directories, we get another token and a
PumpkinToken : f9c5053d01e0dfc30066476ab0f0564c
data.txt was a tar file which can be confirmed using
Extracting it gives a hex encoded OpenSSL Private Key.
robots.txt on a HTTP we get see a
/tarck/track.txt, going to that webpage we see:-
Thanks for choosing our local store. Hope you like the services.
Tracking code : 2542 8231 6783 486
firstname.lastname@example.org seems interesting, editing the hosts file we add
pumpkia.local. After this, we get a wordpress temed website. Using wpscan doesn’t give any interesting results. So, using dirb we see a lot of pages which can be seen at any normal wordpress website.
readme.html it shows a base?? encoded data, using CyberChef and trying multiple bases we can see it’s a base64 data which decodes to credentails.
Semantic Personal Publishing Platform
-- This content is removed because of security purposes --
morse & jack : Ug0t!TrIpyJ
So, logging into the wordpress with as morse we see that there is a flag in biographical info.
PumpkinToken : 7139e925fd43618653e51f820bc6201b
Now, so we had a OpenSSL private key, we can use it to get into the machine via SSH as jack with
ssh -i key email@example.com -p 6880 we get into the system.
In the home directory we can see a ELF named token, running it we can get our seventh token.
PumpkinToken : 8d66ef0055b43d80c34917ec6c75f706
Using wordpress credentials for jack we can use sudo. Using
sudo -l we can see that creating a file within
/home/jack/pumpkin/alohomora we can execute any binary. From our previous encounter of privilege escalation we are going to create a binary named alohooa.
jack@pumpkin:~/pumpkins$ echo "/bin/sh" > alohomora jack@pumpkin:~/pumpkins$ chmod +x alohomora jack@pumpkin:~/pumpkins$ sudo ./alohomora # id uid=0(root) gid=0(root) groups=0(root) # whoami; id; cd root; cat *.txt root uid=0(root) gid=0(root) groups=0(root)
Hence, checking the root directory we can see a great art of pumpkin.