Fatty

Finally rooted this beast! I enjoyed the journey of developing a Python client, Java source code analysis, and root… holy cow, what an interesting one.

Thanks @qtc!

Would really appreciate it if someone is able to give a little hint on root @.@ I have a hunch on what to do to exploit s**, but after trying multiple attacks/existing vulnerabilities on the t** file type, it didn't pay off. Am I missing something?

Edit: rooted, thanks @applepyguy @daemonzone @Ranaivmi, without whom this box would’ve killed me, and thanks especially to you @applepyguy

To others, root hints: the file is constantly overwritten. That’s all I can give; if it’s a spoiler, do remove it. Thanks @qtc for the box!

If anyone has a sec, I think I’ve gone down a major rabbit hole and could do with a sanity check. I know exactly what I need to do but am very likely overthinking - I’m at the stage just before finally getting a foothold for user. Thanks.

@corpnobbs said:

If anyone has a sec, I think I’ve gone down a major rabbit hole and could do with a sanity check. I know exactly what I need to do but am very likely overthinking - I’m at the stage just before finally getting a foothold for user. Thanks.

DM

Finally got root.

Firstly I’d like to thank @Zard and @Kukrimate for their help with this box. I’d still be stuck with this one without their help.

There are a lot of words that can be used to describe this box and I’ve used most of them over the last few weeks but tough would be the one I’d use, real tough. So far out of my comfort zone I’ll have to use a map to get back there. I’m still no Java expert but I know a lot more now than I did before so I guess the box did what it should.

To anyone attempting this box, don’t give up. This box is like a production machine, no CTF stuff to worry about.

Just got root and collapsed in a heap. Wow, what a box that was. Very inventive and realistic. Took a fair bit of hand holding at the end there, but it was worth the effort. Thanks to the box makers.

FINALLY rooted. This box truly was insane. Thanks a ton to @zard, @corpnobbs, @sloth1985, and @daemonzone for the pushes.

I don’t consider this a spoiler, but if someone does feel free to report:
For those struggling with working with the initial client and don’t want to fuss with eclipse, JD-GUI can save the source code.

You can compile a single .java file with: javac -classpath <initial jar> <.java file>. Make sure you’re using the correct javac version; it’s separate from the java version, so you’ll need to make sure both are the same.

You can recompile jars with jar cmf <manifest file> <new jar name> ./*

Working with eclipse was extremely frustrating for me, so that’s how I updated and recompiled things.
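
Since the compile/repack step in the post above is where several people in this thread got stuck, here is an added helper, not code from the box, its author, or any poster, that does the jar side of that work with Python's standard library. A jar is a zip with META-INF/MANIFEST.MF, so the archive can be inspected and rebuilt without the `jar` tool: the manifest is parsed (including wrapped continuation lines), a modified .class file is swapped in with the manifest written first as `jar cmf` does, any jarsigner signature files are dropped (a general caveat: once a class changes they no longer match, and a jar whose signature fails to verify is rejected), and the class-file major version is read so a javac/java mismatch shows up before launch. The entry names, the manifest text, and the class bytes are constructed stand-ins (class headers only, not real bytecode); the example assumes nothing about the real client jar.

```python
"""Inspect, patch and repack a jar at the zip level (added example).

Not code from the box or its author. All names and bytes are constructed.
"""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")   # jarsigner output files
CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def read_manifest(jar_bytes):
    """Parse MANIFEST.MF into {header: value}, joining wrapped lines.

    The manifest format wraps long values at 72 bytes; a continuation line
    starts with a single space that is not part of the value.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read(MANIFEST).decode("utf-8")
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip()
            headers[last] = value.lstrip()
    return {k: v.rstrip() for k, v in headers.items()}


def class_major_version(class_bytes):
    """Return the class-file major version from bytes 6..8 of the header.

    52 = Java 8, 55 = Java 11, and so on. A class compiled for a newer
    release than the runtime fails with UnsupportedClassVersionError, which
    is the javac-vs-java mismatch the thread warns about.
    """
    if class_bytes[:4] != CLASS_MAGIC:
        raise ValueError("not a class file")
    return int.from_bytes(class_bytes[6:8], "big")


def java_release(major):
    """Map a class-file major version to the Java release (49 = Java 5 onwards)."""
    return major - 44 if major >= 49 else None


def patch_jar(jar_bytes, replacements, strip_signatures=True):
    """Return a new jar with `replacements` ({entry name: bytes}) swapped in.

    The manifest is written first, as `jar cmf` does. Signature files are
    dropped because a modified class no longer matches them. Directory
    entries are optional in a jar and are skipped.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src:
        names = src.namelist()
        order = [MANIFEST] + [n for n in names if n != MANIFEST]
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
            written = set()
            for name in order:
                if name not in names or name.endswith("/"):
                    continue
                if strip_signatures and name.startswith("META-INF/") \
                        and name.upper().endswith(SIGNATURE_SUFFIXES):
                    continue
                dst.writestr(name, replacements.get(name, src.read(name)))
                written.add(name)
            for name, data in replacements.items():   # entries new to the jar
                if name not in written:
                    dst.writestr(name, data)
    return buf.getvalue()


def entry_names(jar_bytes):
    """Entry names in archive order (the manifest should come first)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def changed_entries(old_jar, new_jar):
    """Sorted names whose bytes differ: confirms the repack touched only
    what you meant to touch."""
    with zipfile.ZipFile(io.BytesIO(old_jar)) as a, \
            zipfile.ZipFile(io.BytesIO(new_jar)) as b:
        an, bn = set(a.namelist()), set(b.namelist())
        out = []
        for n in sorted(an | bn):
            da = a.read(n) if n in an else None
            db = b.read(n) if n in bn else None
            if da != db:
                out.append(n)
        return out


def build_sample_jar():
    """Constructed stand-in for a client jar: a manifest with a wrapped
    Class-Path, two fake class entries (header only) and a signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMain-Class: example.Client\r\n"
                              "Class-Path: lib/a.jar \r\n lib/b.jar\r\n\r\n")
        zf.writestr("example/Client.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"orig")
        zf.writestr("example/Util.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"util")
        zf.writestr("META-INF/SAMPLE.SF", b"Signature-Version: 1.0\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_jar()
    print(read_manifest(original))
    patched = patch_jar(original, {"example/Client.class":
                                   CLASS_MAGIC + b"\x00\x00\x00\x37" + b"patched"})
    print(entry_names(patched), changed_entries(original, patched))
```

To use it against a real file, read the jar into bytes, pass the recompiled .class bytes under the same entry path the original used, write the result to a new jar and run it with the same java version whose release `java_release(class_major_version(...))` reports; `changed_entries` on the original and the new jar is the quick check that only the intended class (and any signature files) changed.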

Slow but steady here with some help.
I have sat back on this and gone and learned some basic Java so I know what is what.
Found a JVM reverse engineering lab at TryHackMe which definitely helped a little.

I am at the point where I have got the initial client working.
I have also got the modified client working too, and looking at a certain class file, I can see it is doing something to display something interesting. However, I must be doing something wrong for me to not be able to display information via my code (possibly my lack of Java knowledge).

On that bombshell, can I ask for a little nudge please, obviously in a PM.

Feel free to PM @idevilkz either here or on discord. Happy to help with working with the Java client on this, although I’m still struggling with that last nail in root.

…and rooted. Special thanks to @applepyguy for nudging me along and listening to lots of ideas that wouldn’t work!

Ended up spending too much time laser-focused on a particular strategy at the end that couldn’t work due to a hidden detail; I should have stepped back much earlier and rethought a key assumption.

User was super enjoyable but not too tough (I have some background in Java though), and I got to execute an attack I’d heard of but never done, which was nice.

Root was painfully enjoyable, and I now have a new technique to apply when the situation calls for it.

Okay, first of all, thanks to @frenata @blaudoom @marlasthemage for their continuous support and bearing with me whilst I continually pestered them. Not that I have finished, but I just got the user today.

For me, I had to start from scratch on this and had to get my basics in Java correct. I signed up for a Java course on udemy too to get my head around and it has helped me.

Getting to understand the basics of this machine took me nearly 4-5 days; getting NAT’ing working took me 2 days alone, but as it’s hands on, the experience is with me for life.

The machine itself should not be insane but if there is another word for extreme then this one is it.

I only have hard and insane Linux boxes left so had to start somewhere, but if I had known this was mostly Java based, I wouldn’t have touched it; but as I went in, I committed to it.

This doesn’t mean I will touch another similar machine again in future :slight_smile:

I have got user today finally and I am giving myself a little break before attempting the root but hopefully that should be easier than initial foothold and the user.

Also, I have made a backup of backup of backup of my notes for this as I won’t be able to solve it again tomorrow if notes disappear :slight_smile:

Conclusion so far: Java was hard to start with but once the basics are done then it becomes easier, still not that much easier but workable.

my advice would be don’t give up, I walked away from it and then thought a little, asked a lot from peeps here, read about Java and injections and it eventually worked out.

I’ve rooted it.
Thanks @idevilkz, @frenata, @idomino and especially @marlasthemage for hints when I was trying to get user.
Thanks @qtc for an interesting box. I improved my swear-word dictionary while I was trying to solve this box :slight_smile:

Anyone able to give me a few pointers on privilege escalation? I have managed to get user and I have an idea on the escalation, but I cannot get it to work.

Hey all. I’m not very good at Java. I managed to patch the jar file in order to work with the use of JD-GUI. I’m trying to recompile the program in the CLI, yet it throws an error when launching. Any solution for this?

It took me many, many days to just figure out how to modify jar files… LOL
Now all errors have vanished and I can modify the Java file. Now I will have to look into that.
I had no experience with such a Java-style box ever before.

Got user… Oh my god!

What a great box. Thanks @qtc for this! ^^

That box forced me out of my comfort zone completely…

For all those who are having trouble editing the jar… I highly recommend Recaf + JD-Eclipse. Having modified the jar with Recaf, open it in Eclipse with JD-Eclipse and run it. This will run like a charm. I have no idea if this is the best approach, but it works for me. LOL

Got root \o/

Foothold: Firstly… setup your environment!

Recaf + JD-Eclipse will help you a lot along the journey. Start by understanding how that application works, how it communicates with a remote server. Did you notice that it just doesn’t connect? Investigate what happens “behind the scenes”. ByteCodeViewer/JD-GUI/JAD could help you here.

User: Having proceeded with the initial foothold, pay attention to the operations related to the client and how they interact with the server. Maybe some kind of “patch” in the application would be necessary? Or modifying parameters at debug time? Think about it.

Proceed methodically, understanding each operation. Knowing what happens on the other side (server) can be particularly useful here.

Root: Here you are almost at the end of the journey… :D It’s not that difficult… just open your eyes to what is running on the machine (maybe, from time to time…).

EDIT:

Any spoilers in my comment? Please delete! It was not my intention! o/

I’m a Java developer and I really enjoyed rooting this box.

Big thanks to the creator, very funny and realistic box!

Hey guys.

I started this box quite a few weeks ago, yet I can’t get a strong foothold here.

I can log in to the server using the client software just by rerouting the connection using "simplep**y". But I came to know that I need to patch/debug the file to go further.

I’m not very good at Java. But I decided to do this box at any cost.

I tried Eclipse and IntelliJ, imported the jar file, then modified and repacked it. Unfortunately, it didn’t work. No popup indeed.

I tried manually with the jar tool. No improvement. If anyone can guide me to an article you referred to while patching, it will be greatly appreciated.
Thanks.

Got Root ! Awesome box, even if I hate working on Ecl**se.

PM me for nudges :slight_smile:

Took a long break after getting user, came back and finally got root. Really enjoyed the user path as it was very developer oriented. Root was a different story and a bit too ‘blind’, which was very frustrating.

Respect to @HomeSen and @sloth1985 for nudges at the end!