Vulnhub - PumpkinFestival writeup
In this level (Level 3) it is time for the Pumpkin Festival. The goal is to reach root, access PumpkinFestival_Ticket and collect PumpkinTokens on the way.
We have FTP on port 21 and it allows anonymous login, so let's just start with it.
I got a token on the FTP server.
PumpkinToken : 2d6dbbae84d724409606eddd9dd71265
We got one token. Let's move on to HTTP.
Oh man… again these beautifully designed websites :)
So the page says that we can use PumpkinToken to get to our pumpkins.
In the source of that page I found another token
PumpkinToken : 45d9ee7239bc6b0bb21d3f8e1c5faa52.
Actually it's not in the source; it's just that the text of the token is the same color as the website's.
We can see it on the page if we select all(
From the nmap scan we know that there was a robots.txt present. Let's look into all those pages.
/users/ was forbidden.
/wordpress/ was giving
In /store/track.txt I found a note for tracking something:
Hey Jack! Thanks for choosing our local store. Hope you like the services. Tracking code : 2542 8231 6783 486 -Regards firstname.lastname@example.org
I continued to look around the website but got nothing. I even tried to download the cat.gif and extract something out of it but got nothing.
Then it clicked: there's a wordpress path on which we got a 404, and in track.txt we noticed the email as email@example.com, so what if we edit /etc/hosts and add the following line to it:
Well, if we do that and try to visit pumpkins.local we get the damn wordpress website 😈😈😈😈
We got another token:
PumpkinToken : 06c3eb12ef2389e2752335beccfb2080
Now we can just use wpscan to see if we find anything on this blog.
With wpscan I got two users:
and found quite a few vulnerabilities.
But all the vulnerabilities either need some kind of authentication or are useless to us.
After waiting for almost 3 days I was able to talk with the author and he gave me a hint. He said I need to focus on the FTP now.
This time we need to focus on something we found at the very start, i.e.
Jack took all the efforts on raising your pumpkins with the help of Harry.
I totally forgot about the name Harry. We can find the password for harry by brute force.
I ran hydra with:
➜ hydra -l harry -e nsr -P passwords.txt ftp://192.168.1.109
-l: the specific username
-e: takes
  n: try a null password
  s: try the login as the password
  r: try the reversed login
-P: the password list.
With -e we only needed
This time we got another directory named
get the token and then I continued with the
Nothing, and finally I got another file named
cat the 4th token:
PumpkinToken : f9c5053d01e0dfc30066476ab0f0564c
After cat-ing the content of data.txt I got output which looked like a binary, but if we focus on the starting numbers they tell a different story.
I recognized this to be a tar file because of that
Note: read List_of_file_signatures.
I know this because I've done a lot of these kinds of challenges in jeopardy-style CTFs.
Now we've got a file named jack which contains hex-type values.
I used CyberChef to decode that hex and it turned out it was a private key for
We can now just login into jack’s account.
Note: Remember to chmod 600 the
I ran the enumeration script and found some users and SUIDs.
If we run the token SUID it will print out another token for us:
PumpkinToken : 8d66ef0055b43d80c34917ec6c75f706
I think this is it from here.
Since I got nothing with the jack account I decided to start on HTTP again.
I started to enumerate the HTTP website, but this time with some file extensions:
➜ gobuster -e -w CTFs/lists/directory-list-2.3-medium.txt -u http://pumpkins.local/ -x html,xml,php
In the readme.html file I found a hash.
This is a base62-encoded string (again thanks to CTFs :-)
morse & jack : Ug0t!TrIpyJ
This looks like the password for both morse and jack. Let's try them on the wordpress login, i.e.
After logging into the wordpress I got a dashboard, but there wasn't any theme editor so we can't get the reverse shell for
I used the password to check jack's sudo rights after logging into SSH.
It says jack can run /home/jack/pumpkin/alohomora. Since this file doesn't exist, we can just create it with some shell in it and run it with sudo to get the shell.
$ mkdir pumpkin
$ printf '#!/bin/bash\n/bin/sh\n' > pumpkin/alohomora
$ chmod +x pumpkin/alohomora
$ sudo ./pumpkin/alohomora
This will give you the root shell; then just get the flag.
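The escalation above works because a sudo rule names a file that does not exist and sits inside the user's own home directory, so the user controls what gets executed as root. As an added example that is not part of the original writeup, the Python below audits sudoers-style lines for exactly that pattern; the rule parser, the sample sudoers text and the temporary directory tree it is checked against are constructed assumptions, not the VM's real configuration.

```python
import os
import re
import tempfile

# Hypothetical helper, not from the writeup: matches "user HOST=(RUNAS) [NOPASSWD:] /path args".
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:NOPASSWD:\s*)?(?P<cmd>.+)$")

def parse_sudoers(text):
    """Return (user, executable_path) pairs; comments, blank lines and Defaults are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if m:  # first token of the command spec is the executable
            rules.append((m.group("user"), m.group("cmd").split()[0]))
    return rules

def nearest_existing_ancestor(path):
    """Walk up to the first existing component: where a missing target would get created."""
    while not os.path.exists(path) and os.path.dirname(path) != path:
        path = os.path.dirname(path)
    return path

def audit_rules(rules, home_root="/home"):
    """Flag targets that are missing, or whose location/creation point is inside the user's own home."""
    findings = []
    for user, cmd in rules:
        if not cmd.startswith("/"):
            findings.append((user, cmd, "non-path command spec, review manually"))
            continue
        anchor = nearest_existing_ancestor(cmd)
        home = os.path.join(home_root, user)
        if anchor != cmd:
            findings.append((user, cmd, f"target missing, would be created under {anchor}"))
        if anchor == home or anchor.startswith(home + os.sep):
            findings.append((user, cmd, "target inside the user's own home directory"))
    return findings

def demo():
    """Constructed sample tree: jack's target does not exist, admin's exists but lives in admin's home."""
    root = tempfile.mkdtemp()
    for d in ("jack", "admin/bin"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "admin", "bin", "backup.sh"), "w").close()
    sudoers = ("# constructed sample, not the VM's real sudoers\nDefaults env_reset\nroot ALL=(ALL:ALL) ALL\n"
               f"jack ALL=(ALL) NOPASSWD: {root}/jack/pumpkin/alohomora\n"
               f"admin ALL=(root) {root}/admin/bin/backup.sh\n")
    return audit_rules(parse_sudoers(sudoers), home_root=root)
```

Run `demo()` to see both findings for the constructed jack rule; pointing `parse_sudoers` at a real sudoers dump and `audit_rules` at the real home root turns it into a quick check for rules that hand a user root through a path they already own.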
Thanks for reading; feedback is always appreciated.
Follow me @0xmzfr for more “Writeups”.