Pumpkin Garden — Vulnhub
I'm going to change up things a little and attack a VM from Vulnhub. For this go around I decided on the Pumpkin Garden box. Let's jump on in!
As always, I'll need to discover what open ports and services it has with nmap 10.0.2.15 -A -T4 -p- (aggressive scan, all 65535 TCP ports).
There are just a few to choose from. FTP on port 21 that allows for anonymous access, a webpage live on port 1515 and SSH is open on 3535. There's not much point in looking for exploits on the services straight away. Instead, I'm going to fire up Dirb to enumerate whatever directories the site has running.
Wow, that was quick. I didn't even have time to navigate away from Dirb before the results came back. It looks to have only one directory. I'll look more into that the deeper I go into the site.
I want to stay methodical in this approach, so I login to FTP to poke around.
There's only one file available and that's note.txt. There's no navigating away from this directory, so this looks to be a dead end.
Aw, it called me dear! That's sweet. But in a weird unsettling way. Like an aunt's friend who might be a little creepy.
Moving onto the webpage, it's just a simple little page with a cute picture and a clue to look "under the hood."
Viewing the source for the webpage proves to be extremely illuminating.
The source page is pushing me right along to the images directory. Don't mind if I do! Dirb already informed me of the /img directory and I can't contain my curiosity any longer!
Hidden_secret! Looks like that's the winner. Of course, I took a look at everything just to be sure. Inside the hidden_secret was an encoded string. At first glance it also looked like it could be a hashed string—though it isn't one that I was immediately familiar with.
This is where I get off the trail a little bit.
I built a custom install of John with more expansive format support.
Nothing.
I thought there may be something incorrect with the hash so I went and cooked up my own crypt16 hashes with the Python passlib library.
Still nothing.
Something seemed off on a few levels. I went back to re-read the crypt(C) entry on Wikipedia and found this:
"In detail, the user's password is truncated to eight characters, and those are coerced down to only 7-bits each; this forms the 56-bit DES key. That key is then used to encrypt an all-bits-zero block, and then the ciphertext is encrypted again with the same key, and so on for a total of 25 DES encryptions. A 12-bit salt is used to perturb the encryption algorithm, so standard DES implementations can't be used to implement crypt(). The salt and the final ciphertext are encoded into a printable string in a form of base64."
Maybe it's simpler than I think. Maybe it's just a base64 encoding.
Yeah, I was totally overcomplicating it.
The standard credential format that I've seen is "username:password". However, scarecrow's creds were written "username : password". This matters because when you encode "scarecrow : 5Qn@$y" in base64 you get c2NhcmVjcm93IDogNVFuQCR5. If you use the more common format without the spaces, "scarecrow:5Qn@$y" encodes to c2NhcmVjcm93OjVRbkAkeQ==. Those two equal signs at the end would have been a dead giveaway for base64 encoding. I'm not sure if the creator of this box did that on purpose or if it was accidental. Regardless, I made it through and continued on mission.
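To make the padding point concrete, here is an added Python example (mine, not the author's or the box's code) that encodes both spellings of the credentials, shows where the "==" comes from, and runs a small identifier that separates a traditional 13-character crypt(3) string from base64 text. The regular expressions and the sample crypt-style string are my own assumptions, constructed for illustration.

```python
import base64
import binascii
import re
import string

# Constructed inputs: the two spellings of the credentials discussed above.
SPACED = "scarecrow : 5Qn@$y"   # 18 bytes -> 24 base64 chars, no padding
PLAIN = "scarecrow:5Qn@$y"      # 16 bytes -> 24 base64 chars, two '=' pads

# Assumed heuristic: traditional DES crypt(3) output is 13 characters drawn
# from the 64-character "./0-9A-Za-z" alphabet, the first two being the salt.
CRYPT3_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Standard base64 alphabet with optional trailing '=' padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def b64_padding(n_bytes: int) -> int:
    """Number of '=' characters base64 appends for an input of n_bytes.

    Base64 works in 3-byte groups; a leftover byte needs two pads,
    two leftover bytes need one pad, and a full group needs none.
    """
    return {0: 0, 1: 2, 2: 1}[n_bytes % 3]


def encode_creds(text: str) -> str:
    """Base64-encode a credential string exactly as the box's author did."""
    return base64.b64encode(text.encode()).decode()


def try_base64(token: str):
    """Return the decoded text if token is well-formed base64 that decodes to
    printable ASCII, otherwise None."""
    if not B64_RE.fullmatch(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:          # bad characters or bad padding
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:      # real hash bytes rarely decode cleanly
        return None
    if not all(c in string.printable for c in text):
        return None
    return text


def classify(token: str) -> str:
    """Cheap first-pass identification before reaching for John or passlib."""
    if CRYPT3_RE.fullmatch(token):
        return "possible crypt(3)"
    if try_base64(token) is not None:
        return "base64 text"
    return "unknown"


if __name__ == "__main__":
    for creds in (SPACED, PLAIN):
        token = encode_creds(creds)
        print(f"{creds!r:22} -> {token}  pads={b64_padding(len(creds))}")
        print(f"  classify: {classify(token)}, decodes to {try_base64(token)!r}")
    # Constructed 13-character sample in the crypt(3) alphabet, not a real hash.
    print("abJnggxhB/yWI ->", classify("abJnggxhB/yWI"))
```

The useful habit here is the length check: base64 output is always a multiple of four characters, and the number of trailing "=" signs follows directly from the input length modulo three, so a 24-character string with no padding is just as likely to be base64 as one ending in "==". A 13-character string cannot be base64 at all, which is the quickest way to tell the two apart.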
Now that I've got scarecrow's credentials, I log into SSH and catch another clue.
Yet more SSH creds! I log into SSH again, this time with feeling.
Looks easy, right? All I need to do is to go to this website and pick up the exploit and Bob's your uncle.
Okay. Here's a roadblock—a broken link. It seems like a ton of securityfocus.com's links are broken when it comes to the exploits themselves.
I type in that address to the search bar and randomly add some spaces to make it a search and not an address (I know, I'm doing it dirty).
I find my way to exploit-db's page for Tod Miller's sudoedit bash script.
While still logged in as goblin, I use wget to snag the raw text script from exploit-db.
Looking at the code I can see that it takes a command line argument of a file in the same directory that I have rw permissions on.
My next step is to make a random file with the command touch strange_thing (of course I know you shouldn't be touching strange things, that's why I named it that), execute the exploit. And then...
I go through the bash script and it looks pretty solid syntactically. I mess around for a little bit trying to get it to work, but I'm not having any success stopping that unexpected EOF error.
It looks like I'll have to cheat a little. I know from my past experience when I was first learning the Linux CLI that if you copy and paste a bash script it's almost as though you're running it. It's cheating, but hey, I'm hacking. I'm supposed to be cheating.
I go back into Nano and select the most important part of the script:
The Pumpkin Garden has been pwned! Now all I have to do is hop on over to root and grab the flag.
This box was simultaneously easy and frustrating. Ultimately it was my trip down the crypt16 rabbit hole that sucked so much of my time away. In the future I'll use more than one program to identify hashes. After I finished this box I went back and used Hash-Identifier.
Insult to injury! I might not have spent so much time messing around with crypt16 if I thought the initial hash ID was dubious. I did build a new John out of it though and I learned a ton about archaic encryption standards.
We never heard from Jack. I missed a clue somewhere. Obviously it wasn't totally important since I found my way there anyway. I love it when CTFs have multiple possibilities.
Until next time!
See You Space Cowboy...