MuzzyBox: 1 Walkthrough

Updated: May 25

In this article we are going to solve another boot2root challenge

MuzzyBox: 1

We can download this machine from vulnhub.

walkthrough

First step is to find the IP address of the target machine,command used : netdiscover -i wlan0

Next step is to find the open ports using the command : nmap -A 192.168.43.221

As we can see that port 80 is open including other ports so we decided to browse HTTP service.

okay to solve this machine we have to read all the 3 flags.

Challenge 1 walkthrough

To solve this challenge we have two things

i)http://192.168.43.221:3000/

ii)http://192.168.43.221:9633/idcard.png

So we opened the second link and found an image with file name "idcard.png" we simply downloaded this image in our local system.

Now we decided to find some meta data using different tools but we failed in finding any hidden data or meta data in the image . So now we opened the URL

http://192.168.43.221:3000/

and here we found a website that allows us to upload the idcard image and get access to the library management system.

Here one thing is clear that we can upload only idcard.png file so we uploaded the downloaded idacrd image and we got a message.

Means we actually need to edit this image to get authorized and if we go back to the main page then hint of challenge 1 is : only "Principal" is "Authorized" this means that we need to edit the image by changing the position and access level to "Principal" and "Authorized".

We can use any online image editing tool to edit this idcard.png . You can download the image from my githhub profile ,link is given at the end of the article.

so now we again uploaded the edited image and yes this time we have our first flag that is a PIN for something.

This completes our challenge 1.

challenge 2 walkthough

To access the challenge 2 we go to the link as described :

http://192.168.43.221:8989

Now if we go to right side then we can access the console using the PIN 123-456-789.

Now we have access to the python console and from here we can read any file and can also run OS commands .

So as described to complete this challenge we need to print the current working directory and we also have to read the flag.

now our next step is to find the current working directory and for that we used the module subprocess.

current working directory is : /home/webpy . command used :

  • import subprocess

  • cmd="pwd"

  • returned_output = subprocess.check_output(cmd)

  • returned_output

Now we have to read the flag so for that first of all we check the content of directory flag using the command : os.listdir('/home/webpy/flag') and afte that using a python code we are able to read the flag successfully.

This completed challenge 2.

challenge 3 walkthough

To access the challenge we visited the link :

http://192.168.43.221:15000/page?name=muzzy

now if we change it to name = any_input then it is reflecting back us the same thing .

so we searched on the internet about this thing and we found a link

https://medium.com/server-side-template-injection/server-side-template-injection-faf88d0c7f34

and after following the steps provided in this link we came to know that this is jinja2 server and again on the internet we found a tool on github to obtain a shell.

Now we have a shell and here we can read other files also as shown in the image below.

if we read the content carefully then we can see that we have found the credentials of user nsctf to connect to SSH using password iamnsce.

we have a stable shell and now we check for the user permission using the command : sudo -l but failed . we check for the SUID binaries again we failed in finding any sudo binary.

Now as described in the challenge we just have to read the final flag present in /root/Final_Final.txt .

And to achieve this goal I found only one way that is curl , means if we are able to connect to the targeted machine using curl and by listening on our local system then we can make a POST request to see the content of the final flag .

Reading the final flag

we got this error so we searched on the internet and found that we also need to open a post file,command used : nano haclabs , and in this file we paste our command and do not forget to start the listener on your local system on port 1234 in this case.

And this completes challenge3 and also this machine.

This was a very interesting machine and editing image was a very new and interesting part for me.

Links :

Recent Posts

See All

Website change notice

As you all know that our website is providing walkthrough of different challenges from different platforms and without any advertisement but due to some funds issue we can't continue this website :( S

Subscribe to HacLabs newsletter

Get priority notification on the release of the latest articles.

  • YouTube
  • Twitter
  • Instagram
  • Linkedin

© 2020 by HacLabs.