Patents

Got root! It's a really hard and very interesting box. One of the best boxes I’ve completed. Big thanks @gbyolo!
P.S. Why does this box have such a low rating!?

@pinnn said:


P.S. Why does this box have such a low rating!?

I have no idea. So far, I really like this machine, even though I still haven’t managed to root it.
Currently, my exploit works locally, but for remote I need yet another info leak, since I don’t get a vital gadget from libc. Unfortunately, I can’t use the same technique for leaking the other lib’s information :frowning:
But maybe I’ll just take another exploitation approach that doesn’t require r14 :wink:

.

Using several different techniques, I can pop shells on my local service, but can’t seem to get anything to run when attacking the “real” service :confused:
Anyone willing to push me in the right direction via PM?

Rooted.
For those who try this machine as their “first hard machine”: go away, try other machines first.

  • user: hints in the forum are enough.
  • pwn: For the binary you have the source code and 2 versions of the binary (yes, 2 versions: one is easier to read :slight_smile: ), use all you have. I suggest using Ghidra, which is very powerful in this situation where you have a lot of original function signatures. After exploiting it locally, go on to use one_gadget.
  • end: standard Linux enumeration is sufficient.

It is a fu**ing odyssey full of very hard steps.

Finally rooted. Awesome machine, even with all the frustration and head-desk moments it caused in between :smiley:

One hint I should have remembered more often: If something doesn’t work, though it theoretically should, try resetting the machine. Should it still not work afterwards, try to find another way to achieve the same goal.

Just got user. As mentioned above by @homesen, if you feel that it doesn’t work but it should, give it a reset.

If someone needs a hint or assistance for user, I’m always happy to do so. For root my quest starts now :slight_smile:

And rooted. A small frustration: at least on my end the exploit is not reliable, so I kind of have to brute-force the entry and be quick about it.

Overall a nice experience; if it were more solid and did not require a few restarts to work as intended, it would have been much better.

Can someone PM me and explain what I’m supposed to get out of the ‘special’ file on the webserver? I bruted for hours and finally found something that seems like the “you were definitely meant to find this”, but I’m stumped with interpreting why it’s useful.

*Edit: Figured it out and got user.txt. Eventually, onto root!

Stuck looking for the l**s****r binary.

Edit: Found it.

Can someone give me a nudge on RE please? I think I know what I have to exploit, but can’t fully figure out…

I can PM what I’ve found so far and where my thinking is headed…

Finally rooted.

Had a really frustrating experience with this box, but learnt a lot through the many hints and nudges along the way. Thanks @dinosn @doxxos and @applepyguy for helping me!

Spoiler Removed

@fr0ster said:

All that I found doesn’t work with LibreOffice

I don’t think you need to target LibreOffice here.

@TazWake said:

@fr0ster said:

(Quote)
I don’t think you need to target LibreOffice here.

Thanks.
I found a way to request a file on my server from the target, but for now I'm stuck here :slight_smile:
I’m looking for the next step in all directions :slight_smile:

Would appreciate any tip via DM for foothold … I think I know where to put the exploit, as I can crash PHP before the conversion in Libre, but none of the exploit techniques for that vuln seem to work.

I can read some files, but I'm stuck on the reverse shell :frowning:
I always get a timeout when I try to use XXE with a reverse shell.
If somebody could point me the right way, I’ll be grateful.

@fr0ster said:

I can read some files, but I'm stuck on the reverse shell :frowning:
I always get a timeout when I try to use XXE with a reverse shell.
If somebody could point me the right way, I’ll be grateful.

That XXE wouldn’t be too useful other than for reading a file.

Spoiler Removed

I solved the problem with the timeout, but I started getting code 200 without any connection to me.