MuzzyBox: 1 Walkthrough
Updated: May 25, 2020
In this article we are going to solve another boot2root challenge
We can download this machine from vulnhub.
walkthrough
First step is to find the IP address of the target machine,command used : netdiscover -i wlan0
Next step is to find the open ports using the command : nmap -A 192.168.43.221
As we can see that port 80 is open including other ports so we decided to browse HTTP service.
okay to solve this machine we have to read all the 3 flags.
Challenge 1 walkthrough
To solve this challenge we have two things
ii)http://192.168.43.221:9633/idcard.png
So we opened the second link and found an image with file name "idcard.png" we simply downloaded this image in our local system.
Now we decided to find some meta data using different tools but we failed in finding any hidden data or meta data in the image . So now we opened the URL
and here we found a website that allows us to upload the idcard image and get access to the library management system.
Here one thing is clear that we can upload only idcard.png file so we uploaded the downloaded idacrd image and we got a message.
Means we actually need to edit this image to get authorized and if we go back to the main page then hint of challenge 1 is : only "Principal" is "Authorized" this means that we need to edit the image by changing the position and access level to "Principal" and "Authorized".
We can use any online image editing tool to edit this idcard.png . You can download the image from my githhub profile ,link is given at the end of the article.
so now we again uploaded the edited image and yes this time we have our first flag that is a PIN for something.
This completes our challenge 1.
challenge 2 walkthough
To access the challenge 2 we go to the link as described :
Now if we go to right side then we can access the console using the PIN 123-456-789.
Now we have access to the python console and from here we can read any file and can also run OS commands .
So as described to complete this challenge we need to print the current working directory and we also have to read the flag.
now our next step is to find the current working directory and for that we used the module subprocess.
current working directory is : /home/webpy . command used :
import subprocess
cmd="pwd"
returned_output = subprocess.check_output(cmd)
returned_output
Now we have to read the flag so for that first of all we check the content of directory flag using the command : os.listdir('/home/webpy/flag') and afte that using a python code we are able to read the flag successfully.
This completed challenge 2.
challenge 3 walkthough
To access the challenge we visited the link :
http://192.168.43.221:15000/page?name=muzzy
now if we change it to name = any_input then it is reflecting back us the same thing .
so we searched on the internet about this thing and we found a link
https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34
and after following the steps provided in this link we came to know that this is jinja2 server and again on the internet we found a tool on github to obtain a shell.
Now we have a shell and here we can read other files also as shown in the image below.
if we read the content carefully then we can see that we have found the credentials of user nsctf to connect to SSH using password iamnsce.
we have a stable shell and now we check for the user permission using the command : sudo -l but failed . we check for the SUID binaries again we failed in finding any sudo binary.
Now as described in the challenge we just have to read the final flag present in /root/Final_Final.txt .
And to achieve this goal I found only one way that is curl , means if we are able to connect to the targeted machine using curl and by listening on our local system then we can make a POST request to see the content of the final flag .
Reading the final flag
we got this error so we searched on the internet and found that we also need to open a post file,command used : nano haclabs , and in this file we paste our command and do not forget to start the listener on your local system on port 1234 in this case.
And this completes challenge3 and also this machine.
This was a very interesting machine and editing image was a very new and interesting part for me.
Links :
github link : https://github.com/YashSaxena75/updated_exploit
tool link : https://github.com/epinna/tplmap