Pumpkin Raising. by Ben from 20 July 2019
Well, I worked on Pumpkin Raising, part two of the three part VMs series I was working through, for about a day and a half. I got really far. But, I started to get frustrated. I had gotten 1 of the "seeds" already. I found it in a hidden .pcap file. I had a gpg file to crack or figure out the password for. I was sure it contained another seed. And I had gotten a .gif image that was hidden in the code of one of the web pages. I was positive that it had another seed in it as well. I found a bunch of secret messages and decoded them. One secret message contained a bunch of what look liked credentials. None of them worked.
So the gpg file. I tried every combination of credential, secrets, and words that I could think of. I couldn't get the damn thing to unlock. I worked on this for like.. I don't know.. an hour. I was going to start a bruteforcer on it but I didn't know if I wanted to wait the weeks it could take to find the answer. I failed to open the file.
Next the pictures. I was sure that one of the pictures had a stenographic message in it. Again, I tried every combination of password and word I could think of. I used steghide and stegosuite. I tried every bit of tect from the secret messages I had been finding. I tried alot. I worked on this for about 2 hours or so. I thought again about bruteforcing it. There isn't any programs to do that but I could whip up a python script to do it I'm sure. I failed to extract any hidden messages from the photos.
I never found the location of the 4th seed myself. And this one hurts the most! Out of them all, this failure was the biggest. I just straight up didn't find it.
So this morning, I impulsively and foolishly looked up a walkthrough. I... was... so... close... FUCK!!! Why did I do this? Ooook, So first the gpg file, the password was just a combination of big bold ass words from one of the webpages... I should have tried more things before I gave up. I mean they were three big BOLD ass words. It did have a seed in it as well. Lesson learned; don't be a quitter! The .gif file. It WAS stenographicly encoded and DID have a secret message hidden with stegosuite in it as well. I was completely on the right track with this one. I'm sure I even tried the key that eventually unlocks the message. I just didn't get it for some reason. I was closer on this one that the gpg file fore sure. Lesson learned; don't be a damned quitter! Then seed four.. You bastard. Seed four is one that I think I learned the most from. Seed four was literally just down at the bottom of the source of one of the pages. I had no excuse not to have seen it. If I had just scrolled down.. to the bottom.. I would have seen it clear as day. Clearly, this is a super simple troll. But, I have to admit it got me. Lesson learned; observe your surroundings you big stupid idiot, and don't be such a fucking quitter.
Well with those failures under my belt, and the cheating already having taken place, there is literally no reason to finish the damned thing. I bowed my head in disgrace. Turned the VM off. Right clicked it. Selected remove. It asked what I would like to remove. I selected all files.
Tone in next time to hear about part 3; Pumpkin Festival. Let's see if I can apply the lessons learned from part 2 and finish this series without needing to go find answers.