[VulnHub] Pumpkin Raising Walkthrough
A walkthrough for the Pumpkin Raising virtual machine, available from VulnHub.
Difficulty level: Easy
Aim: obtain 4 pumpkin 'seedID' flags and the flag.txt file in /root
Author: Jayanth
Download: https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkinraising,324/
PumpkinRaising is Level 2 of 3 machines in the Mission Pumpkin series.
Information Gathering
The target IP address is provided by the VM, so no need to discover this manually.
Target: 192.168.56.101
Scanning
We start with the usual nmap scan to determine open ports and services.
nmap -A -vv -p- 192.168.56.101
From this we can see the following ports and services:
- port 22/tcp - SSH - (OpenSSH 6.6.1p1)
- port 80/tcp - HTTP - (Apache)
Enumeration
Opening a browser and accessing the HTTP server shows the homepage:
The homepage indicates a possible username of 'jack', but we need to dig deeper. Viewing the page source shows a Base64-encoded comment:
When decoded, we see a friendly reminder that this is Level 2 of Mission-Pumpkin!
echo 'VGhpcyBpcyBqdXN0IHRvIHJlbWFpbmQgeW91IHRoYXQgaXQncyBMZXZlbCAyIG9mIE1pc3Npb24tUHVtcGtpbiEgOyk=' | base64 -d
The page source also shows a hyperlink that points to 'pumpkin.html':
When viewing this page we see the following:
By viewing the page source (once again) we find a Base32-encoded comment near the top and, at the very bottom, a comment containing a long hexadecimal string:
Once decoded, the Base32 value provides a link to a .pcap file: /scripts/spy.pcap which can be saved by accessing this URL directly, or using wget:
echo 'F5ZWG4TJOB2HGL3TOB4S44DDMFYA====' | base32 -d
wget http://192.168.56.101/scripts/spy.pcap
PCAP files contain captures of packet data from a network and are typically associated with WireShark. Opening this file in WireShark will allow analysis of the packet data.
Once opened, right-clicking on the first packet and selecting 'Follow' > 'TCP Stream' will show the contents of this stream, which returns our first seed:
(For info, the individual packet containing the SeedID is packet #10).
Following the TCP stream for packet #21 also shows the following exchange:
Seed: Jack-Be-Little ID: 50609
So, let's now take a look at the hexadecimal string that we found. This can be easily decoded using the xxd tool within Kali (or via websites such as: https://www.rapidtables.com/convert/number/hex-to-ascii.html)
echo '59 61 79 21 20 41 70 70 72 65 63 69 61 74 65 20 79 6f 75 72 20 70 61 74 69 65 6e 63 65 20 3a 29 0a 41 6c 6c 20 74 68 69 6e 67 73 20 61 72 65 20 64 69 66 66 69 63 75 6c 74 20 62 65 66 6f 72 65 20 74 68 65 79 20 62 65 63 6f 6d 65 20 65 61 73 79 2e 0a 41 63 6f 72 6e 20 50 75 6d 70 6b 69 6e 20 53 65 65 64 73 20 49 44 3a 20 39 36 34 35 34 0a 0a 44 6f 2c 20 72 65 6d 65 6d 62 65 72 20 74 6f 20 69 6e 66 6f 72 6d 20 4a 61 63 6b 20 74 6f 20 70 6c 61 6e 74 20 61 6c 6c 20 34 20 73 65 65 64 73 20 69 6e 20 74 68 65 20 73 61 6d 65 20 6f 72 64 65 72 2e' | xxd -r -p
This gives us the second seed in this challenge:
Seed: Acorn ID: 96454
Returning to the nmap scan shows that the robots.txt file contains 23 disallowed entries. This file can be viewed in the browser and/or downloaded using wget:
wget http://192.168.56.101/robots.txt
Visiting each link shows that the following directories and files are accessible:
/underconstruction.html
/hidden/note.txt
/seeds/seed.txt.gpg
The quick-win in the above list could be /hidden/note.txt so we'll take a look at that first in our browser and also download it using wget should we need to refer back to it at a later stage:
wget http://192.168.56.101/hidden/note.txt
The note contains credentials for 3 users: 'Robert', 'Mark' and 'goblin'. Unfortunately, none of these are valid when attempting to connect via SSH.
Browsing to /underconstruction.html shows a jack-o-lantern GIF and reviewing the page source (or selecting all the content on this page) reveals a message stating: "jackolantern dot GraphicsInterchangeFormat is under images":
This seems to be another clue, which hints at steganography being used. As per Wikipedia, steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. Therefore, we can visit this URL in the browser and save the image from there, or download using wget:
wget http://192.168.56.101/images/jackolantern.gif
Once downloaded, this file can be checked for hidden data using stegosuite. This tool does not come pre-installed with Kali Linux, but can be installed using the command:
sudo apt-get install stegosuite
After launching the stegosuite application the file can be opened and checked for any hidden data. However, this will require a password. Trying the passwords found in the /hidden/note.txt file seems a sensible option.
Entering the password for 'Mark' and selecting 'Extract' shows an embedded file 'decorative.txt' which is automatically been saved locally.
The contents of this file can then be viewed from our local terminal and it gives us our third seed, leaving just one to be found:
cat decorative.txt
Seed: Lil' Pump-Ke-Mon ID: 86568
Looking back at the list of accessible content from the 'robots.txt' file leaves one URL remaining - the link to the '/seeds/seed.txt.gpg' file.
First, we download this direct via the browser or by using wget:
wget http://192.168.56.101/seeds/seed.txt.gpg
This file can then be decrypted by running:
gpg -d seed.txt.gpg
When decrypting the file, we are prompted for a password:
This took some work, but after much trial and error I found the password to be the phrase used at the bottom of the initial homepage - SEEDWATERSUNLIGHT
After entering this password, the decrypted content is displayed:
At first, this appears to be a lot of meaningless lines, but on closer inspection is actually a message in morse code. 'Morse' is also referred to on the pumpkin.html page that was discovered earlier.
Google is our friend here, and searching for 'morse code decoder' returns a good website: https://morsecode.scphillips.com/translator.html
Entering the following code at the above URL will translate this and provide the fourth and final seed:
-.-- .. .--. .--. . . -.-.--
-.-- --- ..-
.- .-. .
--- -.
- .... .
.-. .. --. .... -
.--. .- - .... .-.-.- .-.-.- .-.-.-
-... .. --. -- .- -..- .--. ..- -- .--. -.- .. -.
... . . -.. ...
.. -.. ---...
-.... ----. ..... ----- --...
Seed: Big Max ID: 69507
(Note: if it is possible to decode morse code in Kali, then please let me know!)
Gaining Access
Our four seeds have now been found:
Seed | ID |
---|---|
Jack-Be-Little | 50609 |
Acorn | 96454 |
Lil' Pump-Ke-Mon | 86568 |
Big Max | 69507 |
All that remains is for us to capture the flag within the /root directory.
Revisiting the /hidden/note.txt file shows a user called 'goblin' with a password that looks like a combination of seedID's: 'goblin : 79675-06172-65206-17765'
Throughout this challenge we have seen a user called 'jack' referenced many times, looking for these seeds. We can therefore assume that the username to be used to gain access to the target is 'jack' and the password could be a combination of the four seedID's that we have found.
We could try to guess the order of the seedID's to be used as the password, but the answer is hiding in plain sight... hovering over the images on the homepage shows the correct order in which to use the seedID's to construct the password:
This give us the following sequence: 69507-50609-96454-86568
We can try logging on via SSH as 'jack' with this password:
ssh [email protected]
Password: 69507-50609-96454-86568
Unfortunately this does not work with the '-' seperating the seedID's (as shown in the password for the user 'goblin'). However, providing this as one long number will grant us access as 'jack':
ssh [email protected]
Password: 69507506099645486568
Privilege Escalation
Now we have a foothold on the box, we can run a basic command to see if any sudo privileges are available to us:
sudo -l
We can see that we have access to run the /usr/bin/strace command, which we can take advantage of to escalate our privileges.
Running this command will execute strace, redirect the trace output to /dev/null and run a bash shell as the root user:
sudo strace -o/dev/null /bin/bash
We are then able to switch to the /root directory and read the contents of flag.txt:
Please feel free to contact me via Twitter and thanks for reading.