is it possible to circumvent the checking of w***/d**.x** to load an o** instead of a docx? if so pm pls!
Finally been able to load an o** file into the converter and it seems like it doesn't use a vulnerable uv, or doesn't use uv at all. In my vm with the --unsafe-quiet-update flag I was getting good results dumping my /etc/passwd. Time to check more xx* ss** but it doesn't look good, I think I entered a big rabbit hole.
L****e is version 6.0.7, so not vulnerable to webservices, and their only vulns are the ones based on py lo, which are not gonna work in headless mode.
Looks like I need to go back to enumerating web files in order to find that changelog with the necessary info to exploit. Hope the initial hype is over and now I can finish the scans this time on the free server…
The wordlist is the key, tried tonnes until I got that one from SecLists.
Got the two changelogs, trying to figure out what’s going on, the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I’m not drowning in a deep rabbit hole!
TWO? Oh my… I've found only one! Gotta enumerate again
Could someone recommend an article or method on how to properly put malicious stuff in a docx for this machine? I have no experience in this field; for now I could not understand how it works just by looking deeper into the docx.
Hi, finally got user.
For the initial step, you really need to find the changelog… There’s one file on one of the paths of the website that is the key for the corresponding attack… That changelog gives you the correct ‘configuration’ for the docx. If you’re not able to do that to the docx, maybe you can find one that already has it on the inet, modify it and done. But this is not the end of the road for accessing the box. You will need to do more steps to get in.
I felt the part of ‘configuring’ the docx was harder than the attack itself (for that you’ll find plenty of examples in the wild, well documented) and I wanted to explain it here for the ppl like me that are struggling with it.
So, first, as the creator said, find that changelog, read it and go for the next step.
Feel free to mark this response as spoiler, was not my intention, but I wanted to give this explanation to help others that were in the same position as me.
Hi
Did you have to try the lists on multiple paths and not just the root path?
I’ve tried many lists from the seclist repo but none seem to find the changelog file.
There is one list from that repo called sy… but this seems too obvious?