Fatty

I think unable to do this box without java spring developer knowledge.

Type your comment> @rholas said:

I think unable to do this box without java spring developer knowledge.

I’m planning to take advanced Java course in Udemy lol :wink:

anyone have problems with downloading the jar file?

Type your comment> @hackbarx said:

Got user! Fix the client, and get the server program. Audit code of server, you can see typical vulnerability in java, just exploit it.
Road to root, can’t figure next step, can anyone share some bints.

I have fixed the client. Do i need admin role to get the server code?

Taken user. A really great box, forced me to leave my comfort zone but didn’t leave me guessing (except for a few minutes).

Type your comment> @clubby789 said:

Taken user. A really great box, forced me to leave my comfort zone but didn’t leave me guessing (except for a few minutes).

Completely agree. A lot of work (especially for my rusty java skills), but so far, no CTF magic, just well chained vulnerabilities. If root is as good as user or better , it will be indeed one awesome box.

Getting this error in Java client Caused by: java.lang.SecurityException: SHA-256 digest error for b…xml | already change the settings but don’t seem to get it to work any help is appreciated!

Type your comment> @red0nyx said:

Getting this error in Java client Caused by: java.lang.SecurityException: SHA-256 digest error for b…xml | already change the settings but don’t seem to get it to work any help is appreciated!

you need to update the jar file

Type your comment> @zard said:

Type your comment> @red0nyx said:

Getting this error in Java client Caused by: java.lang.SecurityException: SHA-256 digest error for b…xml | already change the settings but don’t seem to get it to work any help is appreciated!

you need to update the jar file

Thank you! I though emacs do it automatically

Found the credentials , updated b****.**l file with needed info , updated jar archive , but when i run it , i get the following error
Exception in thread “AWT-EventQueue-0” java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter

Has anyone encountered the same issue ?

Thanks in advance

Type your comment> @TheBandit said:

Found the credentials , updated b****.**l file with needed info , updated jar archive , but when i run it , i get the following error
Exception in thread “AWT-EventQueue-0” java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter

Has anyone encountered the same issue ?

Thanks in advance

You need j***8

Type your comment> @onurshin said:

Type your comment> @TheBandit said:

Found the credentials , updated b****.**l file with needed info , updated jar archive , but when i run it , i get the following error
Exception in thread “AWT-EventQueue-0” java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter

Has anyone encountered the same issue ?

Thanks in advance

You need j***8

Thanks

Spoiler Removed

Honestly a really excellent box. A great time, enjoyed battling against root for 3 days.

  • Foothold: Try and break what you have. Almost everything is checked
  • User: Read what you have, a word will stand out if you’ve been doing this for a while
  • Root: Watch carefully, and join the dots. Don’t stare at one part too hard

I get spring compile errors when trying to javac Conn*.ja** from the source directory. Any help is appreciated.

Finally rooted. Thanks @qtc for this wonderful box, learned a lot especially at root part.

Three days of extreme fun and frustration. Root was simple yet tricky. Overall the experience came out on the positive side of things. Thanks @qtc

If you stuck with root think about that: how would you update some random file if you can control only specific one?

I got user, but hit a wall on root. Anyone mind chatting about the privesc?

It is necessary to carry out logic by monitoring the server.