VulnHub PumkinGarden CTF Walkthrough

Pratiman Joshi
5 min read · Dec 28, 2021

The goal of this CTF is to get access to the PumpkinGarden machine and then gain access to the PumpkinGarden_key file stored in the root account. After importing both Kali Linux and PumpkinGarden virtual machines into our hypervisor and running them, we do some basic reconnaissance.

Reconnaissance

The virtual machine has provided us with its IP address, which we can use to gather information about it. First, we ping the machine to confirm that it is up and running.

The machine is up and responds to our ICMP echo requests. We can now gather more information about it with reconnaissance tools such as nmap.

Using the command:

nmap -Pn -p -4000 10.0.2.15

Here -Pn skips host discovery (we already know the host is up) and -p -4000 selects the ports to be scanned: every port from 1 up to port number 4000 on the target 10.0.2.15.

This has given us the open ports and the services nmap associates with them. From the scan we now know that the machine has an FTP port open with anonymous login enabled, so we can log in to the FTP service as ‘anonymous’.
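As an added example (not part of the original walkthrough), here is a small Python parser for nmap’s grepable (-oG) output that lists the open ports and flags two things worth a second look: services that authenticate in cleartext (such as FTP), and service labels that nmap only guessed from its port table because the scan ran without version detection. The sample scan text is constructed to mirror the ports mentioned in this post; the header lines and the labels ifor-protocol and ms-la are assumptions about what such a scan would print, not output copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of nmap "grepable" (-oG) output for a scan like the one
# in the walkthrough. The port list mirrors the ports the post mentions; the
# header lines are typical of -oG output but are not taken from the post.
SAMPLE_GREPABLE = """# Nmap scan initiated as: nmap -Pn -p -4000 -oG - 10.0.2.15
Host: 10.0.2.15 ()\tStatus: Up
Host: 10.0.2.15 ()\tPorts: 21/open/tcp//ftp///, 1515/open/tcp//ifor-protocol///, 3535/open/tcp//ms-la///\tIgnored State: closed (3997)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One port entry in -oG output has seven slash-separated fields:
# port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Services whose default authentication travels in cleartext.
CLEARTEXT_AUTH_SERVICES = {"ftp", "telnet", "pop3", "imap"}


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str   # nmap's label; without -sV this is only a port-table guess
    version: str   # empty unless the scan ran with -sV


def parse_grepable(text: str) -> List[OpenPort]:
    """Extract open ports from nmap -oG output, one OpenPort per entry."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Everything after "Ports:" up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for m in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = m.groups()
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version))
    return found


def flag_cleartext_auth(ports: List[OpenPort]) -> List[OpenPort]:
    """Open ports whose service sends credentials unencrypted by default."""
    return [p for p in ports if p.service in CLEARTEXT_AUTH_SERVICES]


def flag_unverified(ports: List[OpenPort]) -> List[OpenPort]:
    """Open ports whose service label was never confirmed by version probing.

    These deserve a follow-up (nmap -sV, or simply connecting to them): in the
    walkthrough the ports labelled ifor-protocol and ms-la turned out to be
    an HTTP server and an SSH server.
    """
    return [p for p in ports if not p.version]


if __name__ == "__main__":
    open_ports = parse_grepable(SAMPLE_GREPABLE)
    for p in open_ports:
        print(f"{p.host}:{p.port}/{p.proto} {p.service or '?'} {p.version}")
    print("cleartext auth:", [p.port for p in flag_cleartext_auth(open_ports)])
    print("unverified label:", [p.port for p in flag_unverified(open_ports)])
```

Run it against a real scan with nmap -oG - ... piped into the script, or save the output and pass the text to parse_grepable. The point of flag_unverified is the lesson this box teaches: a label like ms-la on port 3535 says nothing about what is actually listening there.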

Exploitation

We use the anonymous login to get into the FTP server and find a file named note.txt.

The note.txt had the following data:

“Hello Dear!

Looking for route map to PumpkinGarden? I think jack can help you find it.”

We will keep this information for now and look for a way to use it later. Let’s check the other ports and see what information we can get from them.

The other open ports on the system were TCP port 1515 and TCP port 3535, which nmap labelled with the service names iforprotocol and ms-la.

Checking the address http://10.0.2.15:1515 in our browser, we found a website.

Here the same ‘route map’ from the FTP ‘note.txt’ is mentioned, so we check the page source to see if there is anything of value.

In the source code, we found a commented line that mentions the ‘route map’ can be found through the pumpkin image.

Route map mentioned in the source code.

After checking the images present on the site and finding nothing in them, we move on to the /img/ directory. Opening http://10.0.2.15:1515/img/ we found a ‘hidden_secret’ folder.

/img/ directory.

And inside the folder, we found a clue.txt file.

Contents of /img/hidden_secret

The clue.txt file contained a string that looks like base64-encoded data:

“c2NhcmVjcm93IDogNVFuQCR5”

Decoding the contents of ‘clue.txt’ gives us a username and password for the machine:

“scarecrow : 5Qn@$y”
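The clue above is the classic case of a credential left in a web-accessible file, lightly obscured with base64. As an added example (not from the original post), the Python script below does the check a defender would run over a web root: it picks out base64-looking tokens, decodes the ones that yield printable text, and reports any that decode to a user : password pair. The file contents are constructed; the first blob is the clue string quoted in this post, and the other two are decoys that decode to ordinary words, to show that the credential filter does not fire on every base64 string.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of files under a web root. The first blob is the clue
# string quoted in the walkthrough; the other two are constructed decoys
# (base64 that decodes to ordinary words, not credentials).
SAMPLE_FILES: Dict[str, str] = {
    "/var/www/img/hidden_secret/clue.txt": "c2NhcmVjcm93IDogNVFuQCR5\n",
    "/var/www/index.html": "<html><body>Welcome to PumpkinGarden</body></html>\n",
    "/var/www/notes.txt": "Meeting at 10:30, bring cHVtcGtpbg== and Y29uZ3JhdHVsYXRpb25z\n",
}

# Candidate tokens: base64 alphabet, at least 8 characters, optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# A decoded line of the form "user : password" or "user:password".
CRED_LINE = re.compile(r"^\s*([^\s:]+)\s*:\s*(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    path: str
    token: str
    decoded: str
    user: Optional[str] = None
    password: Optional[str] = None


def decode_if_text(token: str) -> Optional[str]:
    """Decode token as base64 and return the text, or None if it is not
    valid base64 or does not decode to printable ASCII."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Report every base64 blob that decodes to text, noting credential pairs."""
    findings = []
    for path, content in files.items():
        for token in B64_TOKEN.findall(content):
            decoded = decode_if_text(token)
            if decoded is None:
                continue
            m = CRED_LINE.match(decoded)
            if m:
                findings.append(Finding(path, token, decoded, m.group(1), m.group(2)))
            else:
                findings.append(Finding(path, token, decoded))
    return findings


def credential_findings(files: Dict[str, str]) -> List[Finding]:
    """Only the findings that look like a leaked username/password pair."""
    return [f for f in scan_files(files) if f.user is not None]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        kind = "CREDENTIAL" if f.user else "text"
        print(f"{f.path}: {f.token} -> {f.decoded!r} [{kind}]")
```

To use it on a real web root, build the files dictionary by walking the directory and reading text files, then call credential_findings. The printable-ASCII test is what keeps the noise down: most 8-plus-character words happen to be valid base64 but decode to binary garbage, and those are dropped before the credential pattern is even tried.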

Now we can use these credentials to SSH into the machine. Since the default SSH port isn’t open, we try SSH on port 3535 instead.

SSH access to the machine

Now we have access to the machine, where we find another ‘note.txt’ file with the following data:

“Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)! Reach out to goblin and share this “Y0n$M4sy3D1t” to secretly get keys from LordPumpkin.”

This hints that the keys are with the goblin account and that the string “Y0n$M4sy3D1t” may be its password.

Switching to user goblin

We get access to goblin’s account! It has a note.txt with the following data:

“Hello Friend! I heard that you are looking for PumpkinGarden key.

But Key to the garden will be with LordPumpkin(ROOT user), don’t worry, I know where LordPumpkin had placed the Key.

You can reach there through my backyard.

Here is the key to my backyard

https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh”

Here we have been provided with a link to an exploit, which seems to be the intended method for privilege escalation on this system. After looking up the specifics of the linked exploit, I found one matching what we need:

“(Tod Miller’s) Sudo/SudoEdit 1.6.9p21/1.7.2p4 — Local Privilege Escalation”.

We download the exploit onto the machine using wget and make it executable with chmod. The script initially failed to run because of a special character in it, which we removed with the ‘sed’ command.

Executing the script gives us root access to the machine, completing our privilege escalation manoeuvre.

We can now read the contents of the target PumpkinGarden_Key, which seems to be a base64-encoded string.

On decoding, the string reveals the message ‘congratulations’, and we have completed the CTF!
