Fatty

Has anyone been able to download that file from the server without writing code?
If so I would love to hear how; I’ve been struggling to get anything utilising socat and ssldump.

This box is INSANE !!

Can anyone assist with the “not fully implemented” issue?
Please PM.

Got user though I spent a long time trying to bash my way through to a shell, which just gave me a headache.

No idea about root, I guess that the ‘join the dots’ hint is best understood once you have cracked it.

@bobd91 said:

Got user though I spent a long time trying to bash my way through to a shell, which just gave me a headache.

No idea about root, I guess that the ‘join the dots’ hint is best understood once you have cracked it.

Once you have got user you must understand where you are, then do some usual enumeration and try to make a hypothesis about what the things you found could do.

Any help to download the fatty-S****r?

Got root!

I got to within touching distance fairly quickly but I just couldn’t quite see how it was going to work. In the end I needed a lot of help.

Thanks to @snuggles for confirming that I was going in the right direction and to @yb4Iym8f88 and @Driikolu for helping me see the last bit.

When I run the *.jar file it gives me "Connection Error". I have updated the XML with P**T and done the required changes. Please guide me where I am going wrong.

@Igotyou said:

When I run the *.jar file it gives me "Connection Error". I have updated the XML with P**T and done the required changes. Please guide me where I am going wrong.

Sounds like you may have done something that broke it. Feel free to message me if you need help. I got you :slight_smile:

Does anyone know an article about getting a proper tty, with some unusual methods? In this box it is pretty hard and, I hope, will be very useful in enum.

@yb4Iym8f88 said:

Finally got it. User part is ideal to feel what is the OSWE exam, and even a bit harder.
Thanks to @moszkva for the root hint – stuck for weeks with it.

PM you? I have a few doubts.

Got user a long time ago, got back on it now, but I still can’t see which direction to go for root. No uid binaries, only services running as root are hd and cd. The first doesn’t look vulnerable, second does some weird thing, but I can’t see how I’d exploit it. Or am I looking at the wrong root and is it outside the current er con*? Small nudge would be appreciated.

Any nudges for getting user after the reverse shell? Looks like I need root within the container to get user, but unsure how to go about it.

edit: Derp, thanks @EvilT0r13 :slight_smile:

Fun fact about the box is that I was learning IPTABLES and used that to connect through the application without any source code modification. But even after logging into the client app I am lost. Any nudges would be awesome?

@offsecin said:

Fun fact about the box is that I was learning IPTABLES and used that to connect through the application without any source code modification. But even after logging into the client app I am lost. Any nudges would be awesome?

Yeah, me too, used ssh to switch ports :wink:
But it didn’t save me from code modification at a later stage…

@daemonzone
I got to know what I have to do, just trying to replicate that.

This might have been the most fun I have had with a box. I do not work in infosec, but as a Java developer, so it was fun utilizing my skills here.

User: You don’t always have to break stuff, stuff can be built from blocks.

Root: Ever tried to check which java version you have with which java, those are some arrows to follow. Applies to other than java too.

thx @qtc

I’m very much enjoying this box.

However, I’m frustrated with my approach of modifying the *.jar. Maybe someone here can guide me into another direction.

Currently I’m using Recaf to decompile and modify the bytecode. With this approach I’m obviously very inflexible in introducing larger changes. When I want to edit the java code directly in Recaf I have some issues for most files. It won’t compile then.

I also tried to somehow transfer it into eclipse and build it from there, but no luck so far.

I’m at the point where I found the one implementation problem to find f****y_s*****.jar, but would need some more code changes to download it.

Thank you!

I was able to use J*-G** to open the file, then save all the sources out to a zipfile, open the zip, make mods, remove all things associated with checksums, re-archive as a zipfile/jar, and use java -jar newzip.jar

Maybe that will help you @BingoBaer ?

@BingoBaer said:

I’m very much enjoying this box.

However, I’m frustrated with my approach of modifying the *.jar. Maybe someone here can guide me into another direction.

Currently I’m using Recaf to decompile and modify the bytecode. With this approach I’m obviously very inflexible in introducing larger changes. When I want to edit the java code directly in Recaf I have some issues for most files. It won’t compile then.

I also tried to somehow transfer it into eclipse and build it from there, but no luck so far.

I’m at the point where I found the one implementation problem to find f****y_s*****.jar, but would need some more code changes to download it.

Thank you!

Look at the JAR file for what it was built with. Decompile the whole source and use the same “packager” for rebuilding :wink: