Didn’t get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility… then… generated a pdf from a normal docx and checked what was the version of the thing to try to attack… got to some papers and blogs,… tried to embed this to that, upload that and nothing! keep failing every single step. aux what a box…
Any help will be appreciated.
pm please!
That’s exactly where I am XD I’m wondering if I should be looking at u*****.p and not c****.**p
But the thing here for me is in the conversion process since is the only form of input i see we can try to ‘control’.
I’ve been messing around with different types of XXE and SSRF attacks but I didn’t get any response back from them…
I will retry again, from the beginning, starting again from XXE… let’s see what I can get this time that’s different.
Is that changelog file really necessary to exploit the vuln? I find it hard to believe that someone found it in the first 6 hours given that my scans would take days and are only looking for a very reduced set of extension types (.lst, .md, .txt…), and with just 30 threads I’m getting loads of I/O exception errors…
Regarding the vuln, I’ve been able to make the server get a file from my server but I don’t think it will lead to a real vuln, unless that file is dropped in a folder or something. Trying to make the server load a local file through file:/// and putting it in the pdf doesn’t seem to work either…
The wordlist is the key, tried tonnes until I got that one from SecLists.
Got the two changelogs, trying to figure out what’s going on, the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I’m not drowning in a deep rabbit hole!
Finally got user. Really insane box. Mixed feelings at first, but really warmed up to it so far. Also don’t plan to respond to PMs for a few days, so don’t expect a quick answer if you want help!
Any hints on the initial foothold? Driving me crazy!
Is it possible to circumvent the checking of w***/d**.x** to load an o** instead of a docx? If so pm pls!
Finally been able to load an o** file into the converter and it seems like it doesn’t use a vulnerable uv, or doesn’t use uv at all. In my VM with the --unsafe-quiet-update flag I was getting good results dumping my /etc/passwd. Time to check more xx* ss** but it doesn’t look good, I think I entered a big rabbit hole.
L****e is version 6.0.7 so not vulnerable to webservices and their only vulns are the ones based on py lo that are not gonna work in headless mode.
Looks like I need to go back to enumerating web files in order to find that changelog with the necessary info to exploit. Hope the initial hype is over and now I can finish the scans this time on the free server…
TWO? Oh my… I’ve found only one! Gotta enumerate again