Vulnhub - Pumpkin Garden writeup
We’ve got three open port running FTP, SSH and http service. Since FTP allows
Anonymous login. I guess I’ll just start with that one.
The FTP server had only a file name
And that note contain a simple message:
The only new information we get from this is that there’s a guy named
jack. This can be used as a username in future.
When we visit the website at port
1515 we get a very appealing website
In the source of that page I found a comment saying
<!-- searching for the route map? Pumpkin images may help you find the way -->
This mean we might have to use some
stegano tools on the image to find our way to so called
I downloaded the gif and used all kind of tools on it but couldn’t find anything. I decided to just run gobuster while I was trying to find something in that gif.
I don’t think we were supposed to find anything in that
gif because as we can see there’s a path,
/img/ which had multiple images of pumpkin in it along with a folder named
In that folder there was file called
clue.txt and in tht file was a base64 encoded strings. Decoding that string gave some
scarecrow : 5Qn@$y
Using those credentials I was able to login into
scarecrow account via SSH.
We see there was a
note.txt file present in the
Y0n$M4sy3D1t can be the password for
I tried to
su into goblin account using the given password and it worked.
In the goblin’s home directory I found another note:
I downloaded exploit from the given URL and it exploits the sudo right.
We can get that file from our system to the machine using
As we can see in the code that the exploit expect an argument which is the path of the file that the current user can run as
sudo. So to find that we can just use the
sudo -l command.
I ran the exploit and got the root shell. Then I listed the flag.
Chances are that you might not find any file in the
goblin directory when you wget the exploit from your system to the machine. Or maybe when you run the exploit you might get error saying
file not found or something similar.
This is possible because there are some command running in the back:
Those lines means that in every 15 seconds the content of
/tmp will be wiped out. There are two way to bypass it:
1) Like you can see in my writeup I didn’t face that problem because I did everything within
75 sec i.e those 3 sleep commands gives us
75 sec in which everything stays where it’s put. In other word you’ll be lucky :)
2) Login with
scarecrow account, get the exploit in his home directory and then change the permission of that file by running
chmod 777 exploit.sh
This way goblin will also be able to run the file. Now go back to goblin’s account and execute the exploit.