Patents

Got user.

@th3y said:

Finally got initial foothold. Looking for user now.

Any nudge on the famous changelog file?

at last got user, working on the root part now.

Foothold is def p2w. I would have found the file long ago if I/O exceptions and user reboots weren't a thing.

@sysdd said:

@th3y said:

Finally got initial foothold. Looking for user now.

Any nudge on the famous changelog file?

Read point 4 to get an idea of the limits of how weird the filename can be:

Then GL, don't get disconnections that disturb the discovery process.

any hint real machine shell?

Could someone recommend an article or method on how to properly put malicious stuff in a docx for this machine? I have no experience in this field; for now I could not understand how it works just by looking deeper in the docx.

Hi, finally got user.
For the initial step, you really need to find the changelog… There’s one file on one of the paths of the website that is the key for the corresponding attack… That changelog gives you the correct ‘configuration’ for the docx. If you’re not able to do that in the docx, maybe you can find one that already has it on the inet, modify it and done. But this is not the end of the road to access the box. You will need to do more steps to get in.
I felt the part of ‘configuring’ the docx was harder than the attack itself (for that you’ll find plenty of examples in the wild, well documented) and I wanted to explain it here for the ppl like me that are struggling with it.
So, first, as the creator said, find that changelog, read it and go for the next step.
Feel free to mark this response as a spoiler; it was not my intention, but I wanted to give this explanation to help others that were in the same position as me.

@salt said:

The wordlist is the key, tried tonnes until I got that one from SecLists.

Got the two changelogs, trying to figure out what’s going on, the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I’m not drowning in a deep rabbit hole!

Hi

Did you have to try the lists on multiple paths and not just the root path?

I’ve tried many lists from the seclist repo but none seem to find the changelog file.

There is one list from that repo called sy… but this seems too obvious?

A nudge would be appreciated.

Cheers

Finally got through the first part (with some help)! Now sleep and look at the next part tomorrow :slight_smile:

Super stumped on root…

Rooted. Tough machine. The foothold is unnecessary imho, there is much more fun after.

Hi all,

Still struggling with this one, I’ve been trying different word lists all day but still no changelog file.

I’m using dirb cli with many different word lists and logging the output to a file for grep later but never seems to find what I need.

I know it’s there somewhere but just can’t get it yet.

So I am in with www-data. Can’t get how to move from there… what a box!

Finally got user.
Let’s get this root!

@blink3r said:

Finally got user.
Let’s get this root!

It’s a doozy… If you want to work together, PM me. I could definitely use help. I found the hidden stuff with a nudge from @clubby789 and I’m looking through it now.

Finally popped that initial shell as well

On root while fuzzing something, just found a file named t** with t****e inside, but no idea what I did that made that… Any nudges are appreciated.

stuck on www-data…

Rooted! This one was pretty tough at every step, but I learned so much and, now that it is done, I can say I enjoyed it. I wouldn’t have said that during the experience. :wink:

For those considering taking up the challenge, here are some hints to guide you on your way and let you know what you are up against. This box is three roots for the price of one.

  • Initial: XXE
  • Initial shell: Poison (I struggled here for a while until I reset the box. If you aren’t getting what you think you should be, you might consider a reset.)
  • 1st root (user.txt): I *** with my little eye
  • 2nd root: RE/PWN (also took me a while because there are many paths that can be taken, but only one clear winner. Thanks to @v1p3r0u5 for the help here.)
  • 3rd root (root.txt): hop on and ride the whale to glory!

Thanks to @gbyolo for creating a nice, challenging machine. They are a pain to work through, but very rewarding to finish. I almost quit on this one many times, but I’m glad I didn’t.

Stuck on the way to root :frowning: