1. Pumpkin Garden.
2. Pumpkin Raising.
3. Pumpkin Festival.
Starting with the first level of the series that is Pumpkin Garden.
As usual starting with netdiscover tool to get the IP of the machine so without wasting my time I jumped into terminal and entered the command .
# netdiscover -i vboxnet0
What next after getting the IP of a machine, knowing about all the services running on the machine with their respective port number to go further.
# nmap -v -p- -A -sT 192.168.56.10
Nmap scan report for 192.168.56.10
Host is up (0.00043s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
| FTP server status:
| Connected to 192.168.56.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
3535/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| 1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
| 2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
| 256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_ 256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (ED25519)
MAC Address: 08:00:27:20:A9:84 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.076 days (since Tue Jan 26 15:03:02 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HOP RTT ADDRESS
1 0.43 ms 192.168.56.10
Here I got three services running on the VM. Here I got anonymous login allowed into FTP service that is on port no. 21. Another thing is that http service is running with Apache httpd 2.4.7 but on a different port that is on 1515 and SSH service on port no. 3535. Moved on to enumerate further.
As FTP is allowed for anonymous login so heading forward with FTP.
$ ftp 192.168.56.10
Connected to 192.168.56.10.
220 Welcome to Pumpkin's FTP service.
Name (192.168.56.10:s4t0sh): anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (88 bytes).
226 Transfer complete.
88 bytes received in 0.04 secs (2.2501 kB/s)
Here I got a note.txt named file with a some clue.
$ cat note.txt
Looking for route map to PumpkinGarden? I think jack can help you find it.
Nothing interesting just a name may be this is username.
It’s something like a hint but I can’t get it what the author wants to say through this. moving ahead I used “Nikto” for more.
└─$ nikto -h http://192.168.56.10:1515
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
And that’s good here I got a directory named “/img” and got into it, here I found a file named clue.txt in “/img/hidden_secret/”.
After decoding this hash I have the password for the user “scarecrow” that is “5Qn@$y” that helped me to log in to ssh.
scarecrow : 5Qn@$y
└─$ ssh firstname.lastname@example.org -p 3535
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
Last login: Thu Jun 13 00:35:51 2019 from 192.168.1.106
Here I found a file named “note.txt” having a message having the password for another user that is “goblin” and the password is “Y0n$M4sy3D1t” which is not encrypted. So not wasting much time I used to log in with that user.
scarecrow@Pumpkin:/home$ su goblin
And here a file named “note” is placed in the home directory of the user. The file is filled with a message that says about some key and a backyard that helped me to get into it.
goblin@Pumpkin:~$ cat note
Hello Friend! I heard that you are looking for PumpkinGarden key.
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.
Here is the key to my backyard
Lol, when I opened the link their is nothing I got working but the link give an error page so I tried something different, so moving ahead with more recon I got one more thing that is with the command “sudo -l”.
goblin@Pumpkin:~$ sudo -l
Matching Defaults entries for goblin on Pumpkin:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/binUser goblin may run the following commands on Pumpkin:
(root) ALL, !/bin/su
So here the user “goblin” has the rights to run commands as root with the help of “sudo” so I changed the password of root user and get logged into it.
uid=0(root) gid=0(root) groups=0(root)
Hurray, here I’m as a root user.
The author placed a final flag in the home directory of the root user. Here it is:-
root@Pumpkin:~# cat PumpkinGarden_Key
After decrypting it got a message that says “congratulations!”
Hope you enjoyed it. Walk-through of next level that is “ Pumpkin Raising” is on its way.