I popped the PumpkinGarden! by Ben from 18 July 2019
This time I wanted to pop a box without cheating. I am not going to look up any answers at all. Let's do this! To start, I went back to VulnHub and got me a VM. I picked Mission-Pumpkin v1.0: Pumpkin Garden. The description states it is part one of a three VM series. So here we go. I start by doing a quick Zenmap of the network. The VM was given 192.168.1.105. I did an all-ports scan on that IP. It came back as having 3 ports open: an FTP server on port 21 with anonymous logins enabled, a webserver on port 1515 and an SSH server running on port 3535.
I started with the FTP server. It had a note in it that said:
I think it is safe to assume that jack is a user we will encounter later. I wasn't able to log in to the FTP server as that user though. Next I checked out the web server. It has a cutesy lil site on it. I checked out the code on the site. I noticed right away a comment in the code.
Clearly they want us to look at the images on the site to go forward. The code also reveals the images on the site are in an img/ directory. I look for these in web code anyway because open web directories are my favorite source of pirated media. So I go to that. It has a good number of files and another directory that looks fairly juicy!
I downloaded all the images. I also looked at the secret note. The secret note is nothing but a bunch of gibberish. Based on the note left in the website code I was sure these images were important. I have heard of steganography before. Steganography is where you hide a message in the data of an image. Then you can send that image in the clear without fear of adversaries knowing it has a message in it. It just looks like a cat... or in this case a pumpkin. Kali doesn't have any steganography programs built in so I did a fast "apt install steghide stegosuite". That installed two tools, Steghide and Stegosuite, that are used to encode and decode steganographic messages. I fiddled with these for like an hour. I tried every picture with every combination of passwords I could think of. And I did this in both applications. Nothing yielded any results.
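To make the "message hidden in the image data" idea concrete, here is an added example that is not from the original post and is not how Steghide or Stegosuite work internally: plain least-significant-bit (LSB) embedding on a constructed grayscale "image" (a flat list of 8-bit pixel values). Every pixel changes by at most one level, which is why the cover still just looks like a pumpkin. The cover array, the NUL terminator convention and the function names are all assumptions made for the example.

```python
# Added example: LSB steganography on a constructed pixel array.
# Not the post's code and not Steghide/Stegosuite internals.

def capacity_bytes(pixels):
    """Bytes a cover can hold: one bit per pixel, minus the NUL terminator."""
    return len(pixels) // 8 - 1


def embed_lsb(pixels, message):
    """Return a copy of `pixels` with `message` (plus a NUL terminator)
    written into the least significant bit of successive pixels."""
    payload = message.encode() + b"\x00"   # terminator tells the extractor where to stop
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small: need %d pixels, have %d" % (len(bits), len(pixels)))
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the low bit, then set it to the payload bit
    return out


def extract_lsb(pixels):
    """Read the low bit of each pixel back into bytes until the NUL terminator."""
    result = bytearray()
    current = 0
    for idx, value in enumerate(pixels):
        current = (current << 1) | (value & 1)
        if idx % 8 == 7:                    # a full byte has been assembled
            if current == 0:
                break
            result.append(current)
            current = 0
    return result.decode(errors="replace")


def max_pixel_change(before, after):
    """Largest per-pixel difference between cover and stego image."""
    return max(abs(a - b) for a, b in zip(before, after))


# Constructed cover: a 256-pixel gradient standing in for a real picture.
COVER = [(i * 7) % 256 for i in range(256)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, "jack")
    print("capacity:", capacity_bytes(COVER), "bytes")
    print("recovered:", extract_lsb(stego))
    print("max pixel change:", max_pixel_change(COVER, stego))
```

Running a real picture through `extract_lsb` on a hunch is exactly the kind of blind guessing that cost an hour here: the gradient cover, with no message in it, still "decodes" to a run of letters, so an LSB reader needs a terminator, a length header or a password-derived check before its output means anything.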
I started to look at the "clue.txt" text again. It was just garbage, but what if it was just encoded? I know from my work using PowerShell that base64 is a really common encoding scheme. So I googled a decoder, popped the text into it... and BAM! POO! POW! a set of credentials!!!
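Instead of pasting a blob into a web decoder, the same check can be done offline. This is an added example, not from the original post, and the sample blob is constructed rather than the real clue.txt: it tells a base64 string apart from plain gibberish by validating the alphabet and length, repairs stripped padding, accepts the URL-safe alphabet, and only returns a result when the decoded bytes are readable text.

```python
# Added example: recognise and decode a base64 blob the way a CTF clue
# like clue.txt is usually hidden. Not the post's code.
import base64
import binascii
import re
import string

_B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+=*$")
_PRINTABLE = set(string.printable)


def decode_base64_text(blob):
    """Return decoded text if `blob` is base64 that decodes to printable
    text, otherwise None (so random garbage is not mistaken for a hit)."""
    compact = "".join(blob.split())          # tolerate line wrapping and stray spaces
    if not compact or not _B64_RE.match(compact):
        return None
    std = compact.replace("-", "+").replace("_", "/")  # normalise URL-safe alphabet
    std = std.rstrip("=")
    if len(std) % 4 == 1:                   # no valid base64 string has this length
        return None
    std += "=" * (-len(std) % 4)            # restore padding that web pages often drop
    try:
        raw = base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch in _PRINTABLE for ch in text):
        return None
    return text


# Constructed sample, not the real clue.txt: a wrapped blob as it might be served.
CONSTRUCTED_CLUE = base64.b64encode(b"user: jack\npass: constructed-example").decode()
CONSTRUCTED_CLUE = CONSTRUCTED_CLUE[:20] + "\n" + CONSTRUCTED_CLUE[20:]

if __name__ == "__main__":
    print(decode_base64_text(CONSTRUCTED_CLUE))
    print(decode_base64_text("amFjaw"))        # "jack" with its padding stripped
    print(decode_base64_text("this is not it!"))
```

The printable check matters more than it looks: a short word such as "jack" is itself valid base64 by shape, but decodes to non-UTF-8 bytes, and the function correctly reports it as not a hit.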
This set me in motion and the rest of the box only took about another 30 minutes. That set of creds let me SSH into the box as the scarecrow user. In that user's home directory was a "note.txt" file.
That note then gave me the set of credentials needed to log in as the "goblin" user. However, before I went I made sure that I couldn't run any commands with sudo and that I couldn't find any more interesting files. So I logged in as goblin and did a "sudo -l".
OH WOW! I can run any program except for /bin/su as root. You can tell this by the ! in front of /bin/su. There was also a note in the home folder. Checking that out gave me the link to some exploit code that, if run as goblin, would presumably escalate us up to root. However, since I can run anything as root I decided to revisit the technique I learned yesterday. I wasn't going to use their code at all. Instead I went about adding permissions to the sudoers file with tee. I checked to make sure that the box had tee on it. It does. Perfect. I simply add ALL ALL ALL permissions to my boy goblin. A fast "sudo -l" states I have full permissions. So I "sudo su" up to root. Bingo Bango! Box popped!
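The lesson for whoever writes sudoers files is that "ALL, !/bin/su" is not a restriction at all: sudo's negation syntax can't stop a user who may run everything else as root, because any file-writing tool (tee in this case) or shell gets the same result. Here is an added audit script, not from the original post, that flags that pattern and file-writing commands in a sudoers-style excerpt. The parser is simplified (one user specification per line, no aliases or continuations), the sample rules are constructed, and the small set of flagged programs is illustrative rather than complete.

```python
# Added example: audit sudoers rules for ineffective "ALL, !cmd" restrictions.
# Not the post's code; simplified parser, constructed sample.
import os
import re

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")      # strips tags such as NOPASSWD:

# Illustrative set only; tee is the tool the post used to rewrite sudoers.
WRITE_OR_SHELL = {"tee", "sh", "bash", "dash"}


def parse_rule(line):
    """Parse 'user host=(runas) cmd1, cmd2' into a dict, or None if not a rule."""
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
    return {
        "user": m.group("user"),
        "host": m.group("host"),
        "runas": (m.group("runas") or "root").strip(),
        "cmds": [c for c in cmds if c],
    }


def audit_sudoers(text):
    """Return (user, severity, message) findings for risky rules."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        allowed = [c for c in rule["cmds"] if not c.startswith("!")]
        denied = [c[1:].strip() for c in rule["cmds"] if c.startswith("!")]
        if "ALL" in allowed and denied:
            findings.append((rule["user"], "high",
                "ALL with negated entries (%s): negation is not a boundary, any other "
                "command still runs as %s" % (", ".join(denied), rule["runas"])))
        elif "ALL" in allowed:
            findings.append((rule["user"], "high",
                "unrestricted sudo as %s" % rule["runas"]))
        for cmd in allowed:
            prog = os.path.basename(cmd.split()[0])
            if prog in WRITE_OR_SHELL:
                findings.append((rule["user"], "high",
                    "%s as %s can overwrite any file or spawn a shell" % (prog, rule["runas"])))
    return findings


# Constructed sudoers excerpt modelled on what "sudo -l" showed for goblin.
SAMPLE_SUDOERS = """
# constructed sample, not the box's real file
Defaults env_reset
goblin ALL=(ALL) ALL, !/bin/su
jack ALL=(root) NOPASSWD: /usr/bin/tee
scarecrow ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for user, severity, message in audit_sudoers(SAMPLE_SUDOERS):
        print("%-10s %-5s %s" % (user, severity, message))
```

Only the scarecrow rule survives the audit: it names one specific command with fixed arguments, which is the shape a least-privilege sudo rule should have. Rewriting the goblin rule as an explicit allow-list of the commands that user actually needs is the fix; denying /bin/su after granting ALL is not.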
I did my first box without looking up an answer! I feel accomplished.