Patents

Found the file the author mentioned, but I don’t see how this helps in finding the “injection point” for X**. Tried basically all the files inside D**X and also several different things I found for O*T files. But nothing wants to connect back to me.
If anyone could give me a nudge, I’d be really grateful :slight_smile:

The file loosely refers to where in a docx the X is enabled. Not all docx templates might have that location.

Just to chip in regarding the final step of the box (getting the root flag) - previous hints on here were very misleading to me, as neither whale-riding is required for that, nor a “second RE/PWN”, at least as of April 2020 - maybe they were unintended ways to get the flag earlier?

Either way, the other hints and tips were solid, thanks a lot @seekorswim @TazWake and @godylocks ! =)

Anyway, to actually get the root flag, you need to double-check the place where you usually find it - maybe it is indeed there, but something covers it. :wink:

@bhsec said:

Is fuzzing only to find the re/U******s, or also to find LFI?
Yep.

Can anyone help me with spy part?
EDIT: got it, thanks @TazWake!

Now I’m stuck in the spy part :slight_smile:

I tried many wordlists, and got nothing except a LICENSE file.
How can I get the changelog file? PM me some hints.
Thanks.

@todzhang said:

I tried many wordlists, and got nothing except a LICENSE file.
How can I get the changelog file? PM me some hints.
Thanks.

Try more wordlists.

@todzhang said:
I tried many wordlists, and got nothing except a LICENSE file.
How can I get the changelog file? PM me some hints.
Thanks.

Yeah, it’s a really large one :smile:

Hi, I am stuck with X**. Tried many permutations adopted from different sources. Would anybody like to guide me? If yes, I will show what I have done so far. My discord: Ric0#7152

@Ric0 said:

Hi, I am stuck with X**. Tried many permutations adopted from different sources. Would anybody like to guide me? If yes, I will show what I have done so far. My discord: Ric0#7152

Thanks to @EvilT0r13 for pushing me on the right track.

Hi, I retrieved the user flag and now I want to exploit the L** thing, but where do I get the binary from?

Edit: Found it 5 minutes later; I had a typo in my find command.

Finally rooted this monster! That was the hardest box I’ve seen yet; took me about two weeks and a lot of coaching to get through this, but I learned so much! Really, it’s incredible. Almost nothing required to beat this thing was really in my book of tricks, so I had to dig around for a lot of things.
But when things finally work, the satisfaction is incredible!

Thanks for the box @gbyolo, this has been one ■■■■ of a ride!

Got root! It’s a really hard and very interesting box. One of the best boxes I’ve completed. Big thanks @gbyolo!
P.S. Why does this box have such a low rating!?

@pinnn said:

P.S. Why does this box have such a low rating!?

I have no idea. So far, I really like this machine, even though I still haven’t managed to root it.
Currently, my exploit works locally, but for remote I need yet another info leak, since I don’t get a vital gadget from libc. Unfortunately, I can’t use the same technique for leaking the other lib’s information :frowning:
But maybe I’ll just take another exploitation approach that doesn’t require r14 :wink:


Using several different techniques, I can pop shells on my local service, but can’t seem to get anything to run when attacking the “real” service :confused:
Anyone willing to push me in the right direction via PM?

Rooted.
For who tries this machine as “first hard machine”: go away, try other machines first.

  • user: hints in the forum are enough.
  • pwn: For the binary you have the source code and 2 versions of the binary (yes, 2 versions: one is easier to read :slight_smile: ), so use all you have. I suggest using ghidra, which is very powerful in this situation where you have a lot of original function signatures. After exploiting it locally, go use one_gadget.
  • end: linux standard enumeration is sufficient.

It is a fu**ing odyssey full of very hard steps.

Finally rooted. Awesome machine, even with all the frustration and head-desk moments it caused in between :smiley:

One hint I should have remembered more often: If something doesn’t work, though it theoretically should, try resetting the machine. Should it still not work afterwards, try to find another way to achieve the same goal.

Just got user. As mentioned above by @homesen, if you feel that it doesn’t work but it should, give it a reset.

If someone needs a hint or assistance for user, I’m always happy to help. For root my quest starts now :slight_smile:

And rooted. A small frustration, at least on my end: the exploit is not reliable, so I kind of have to brute-force the entry and be quick about it.

Overall a nice experience; if it were more solid and did not require a few restarts to work as intended, it would have been much better.

Can someone PM me and explain what I’m supposed to get out of the ‘special’ file on the webserver? I brute-forced for hours and finally found something that seems like the “you were definitely meant to find this”, but I’m stumped with interpreting why it’s useful.

*Edit: Figured it out and got user.txt. Eventually, onto root!