Pumpkin Garden Walkthrough

Pumpkin Garden is the first level of Mission-Pumpkin v1.0, which can be found here. As mentioned by the author, Mission-Pumpkin v1.0 is a beginner-level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but are struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinGarden is Level 1 of a series of 3 machines under Mission-Pumpkin v1.0. The end goal of this CTF is to gain access to the PumpkinGarden_key file stored in the root account.

I downloaded the provided virtual file and imported it into VirtualBox for the analysis. I used Kali Linux as the attacker machine.

  • Attacker Machine: Kali Linux              192.168.0.107
  • Target Machine: Pumpkin Garden     192.168.0.100

As the first step, I ran an nmap [zenmap] scan to find open ports and associated services. Three TCP ports were detected as open. The FTP service detection also showed that anonymous access to the FTP service is enabled.

  • FTP      21
  • HTTP  1515
  • SSH     3535


I tried to access the FTP folder through the browser [ftp://192.168.0.100] as anonymous authentication is enabled. There was a text file with a message.


I thought to run a Nikto scan against the HTTP service to find any lead. The scan identified /img as interesting, hence I browsed the path and found a folder named hidden_secret. In it I found another text file with an encoded string. Decoding the string resulted in a combination of two strings which looks like a username:password combination.


In the nmap scan, the SSH service was also detected. I tried to connect to SSH using the decoded username and password. Damn!! It worked and I was logged in successfully to the target machine. I tried to list files and found another note asking to reach out to goblin with a secret key. I tried to log in and it worked again. Now I am goblin on the shell. I tried listing files but permission was denied. I switched to the home directory and found another note mentioning to refer to a script file.

 

SSH Access of the target machine

 

Investigating the file in a text editor, it was found that we need to identify a file with write permission.

 

Key Script

 

I ran the command find / -perm -o+w to identify a world-writable folder, which returned a lot of folders. I went ahead with /var/tmp. I used wget to download the file and created a dummy file for the execution of the script. Since execute permission was not assigned to the file by default, I changed the permission and added execute permission. After executing the script, I had the root shell.
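As an added example (not part of the original walkthrough), the same permission test can be turned around into an audit an administrator runs to see which world-writable locations a low-privileged account could write into, separating sticky directories such as /var/tmp from directories and files that are simply open. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# -perm -0002 matches the "other: write" bit; -xdev stays on one filesystem
# (skips /proc, /sys); -type d/-type f drop symlinks, which always look rwx.

# World-writable directories WITHOUT the sticky bit: any local user can
# delete or replace other users' files inside them.
ww_dirs_no_sticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# World-writable directories WITH the sticky bit (/tmp, /var/tmp style):
# expected, but still a place any account can drop files into.
ww_dirs_sticky() {
    find "$1" -xdev -type d -perm -0002 -perm -1000 2>/dev/null
}

# World-writable regular files: any user can alter their contents.
ww_files() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# Print one tagged finding per line; return 1 if anything needs fixing.
audit_world_writable() {
    root=${1:-/}
    ww_dirs_sticky "$root" | sed 's/^/REVIEW sticky-dir /'
    bad=$( { ww_dirs_no_sticky "$root" | sed 's/^/FIX open-dir /'
             ww_files "$root"          | sed 's/^/FIX open-file /'; } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample tree so the audit can be tried without scanning /.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/scratch" "$t/private"
    chmod 0777 "$t/shared"      # world-writable, no sticky bit
    chmod 1777 "$t/scratch"     # world-writable, sticky (like /var/tmp)
    chmod 0755 "$t/private"
    : > "$t/private/job.sh"; chmod 0666 "$t/private/job.sh"
    : > "$t/private/notes";  chmod 0644 "$t/private/notes"
    printf '%s\n' "$t"
}
```

Run audit_world_writable on the path printed by build_sample_tree to see the three kinds of finding; a non-zero return means at least one FIX line was reported.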


 

I navigated to the home folder and found the key as an encoded string. Decoding the key flashed the message I had been waiting for since starting this exercise, i.e. “Congratulations”.

I used nmap and nikto to help me reach the pumpkin key, in addition to the secret script. I am still unsure of the clue received in the FTP folder, as I did not use it anywhere in this exercise. Or was Jack the person who had hosted the HTTP service and gave away the SSH access?


Plagiarism Score: 7% Calculated from SmallSEOTools

 
