Official Laser Discussion

@lebutter said:

I just got to read that documentation around g**C, I know nothing about that. Can I reasonably think I’ll get somewhere?

Definitely! You’re on the right track. I suggest having another read of the Usage section of the decrypted file and then searching for a certain Python module (g*****-****s) that will help you generate some code to use.

Yes, that’s what I did yesterday evening, it was easier than I thought. Still no user in sight though lol

@lebutter said:

Yes, that’s what I did yesterday evening, it was easier than I thought. Still no user in sight though lol

Then I’m not sure how much this will help, but if you’ve defined the service correctly using p****f you’re almost there. You just need to write some code to interact with the gC server. The main components are a channel (for the connection), a stub (to call the specific method) and content to pass to that method; the form the content should be in is hinted at in the document.

It’s difficult to explain without giving too much away, you’re welcome to PM me for a bit more of a nudge.

Thanks amigo, I think I got that to work, I stopped for the day after getting the client/server talk to work, found out the format to use etc… I’ll carry on with the next stages tonight, good to know the user flag shouldn’t be too far after that!

Finally completed it, I think that’s my first insane box, what a marathon box, it never ends…

What’s really hard is that at 2 points it requires a bit of guessing, so you may be doing the right thing, it’s easy to stop if no positive outcome appears… while you’re actually doing the right thing and just missing a bit of random trial and error.

Rooted…
…but with an enormous load of help from a friend who’s definitely way better skilled than me.
I thought it would have been a good thing to try teaming up in order to learn better.
I’m not sure that it was a success, because I have not understood all the passages, especially the g**c part, where I got almost totally lost, and I just followed him on the thing.
Root was different. Here I got a grip on the path almost immediately, but I totally missed the “reflective” part.
I would like to say that I’ve learnt a lot, but it’s not completely true. I trailed a lot and I still have to understand too many things.

This was such a great box! Thanks @MrR3boot & @R4J! User was very long, very fun, but in my comfort zone. Did remind me of travel, which was great, as I also really liked that box!
Getting root was less involved, but outside my comfort zone, so it took me some time and a helpful nudge from @nathantemplar! Thanks!
If someone wants a small nudge or a sanity check, feel free to send me a pm!

Thanks for the feedback and Good work!

How is one supposed to proceed with the “blind” part of the journey?

My dream to send picture of my ■■■■ on my neighbour printer will finally come true !

Ok I need a hint here.

I’ve discovered the g*** client and the a***** s*** on p*** 8**3

I’ve found the vulnerability with velo**** and someone tipped me to use go**** to perform the POST request on stag*** coll******.

So I have a Python script sending the g***** request (this one takes so much time…) then the RCE request, and sometimes it works but most of the time it doesn’t…

I think that I’m missing something here and the time it worked was because I’ve used another user path, but I can’t figure out what I’ve forgotten…

If someone can DM me to provide some help that would be great 🙂

Thanks in advance

@kenokeefe said:

Ok I need a hint here.

I’ve discovered the g*** client and the a***** s*** on p*** 8**3

I’ve found the vulnerability with velo**** and someone tipped me to use go**** to perform the POST request on stag*** coll******.

So I have a Python script sending the g***** request (this one takes so much time…) then the RCE request, and sometimes it works but most of the time it doesn’t…

I think that I’m missing something here and the time it worked was because I’ve used another user path, but I can’t figure out what I’ve forgotten…

If someone can DM me to provide some help that would be great 🙂

Thanks in advance

you can DM me if you still need help

Finally rooted !

Thank you @ArtemisFY for your help.

Foothold is very interesting, I’ve learnt a lot of things but ■■■■ I’ve hated that g***** request…

Root is kinda straightforward if you know how to look (it’s my first reflex when I’ve got a shell) and have already used s**** in the past.

My first insane box, kinda proud of myself

So, I managed to get some data, and then some more.
I managed to generate a “definition” and the according code from it. But whenever I try to send out simple stuff, I get back different exception responses from the box (with neither really making any sense). Any chance I could get a sanity on my definition from someone who already solved it?

I have my script, but I am struggling to enumerate things blindly. How are you supposed to move further if you can’t see anything you are doing?

past user and on the way to root thanks to some very patient help from @TazWake and @ElVi7MaJoR. this box definitely deserves its Insane rating 🙂

User was a nightmare
If someone is blocked with velo**** on the GET request on stag*** you might need to check that the header has as first character a space

Root too was quite a pain and hard to find.

If someone needs hints feel free to DM me

rooted. what a great box. took me a long time from start to finish, but I learned a lot along the way. I really like these multi-step boxes where each thing you unlock leads to the next. thanks @Xelinion for the advice on the root stage - your encouragement helped a lot.

thanks @MrR3boot and @R4J for the box!

Wow, not sure how much time I’ve spent on laser, time well spent, researching and learning a lot. With more or less effort and pain, I have overcome all steps by myself.
But now, I’m stuck, I think I’m on the right path… but I’m starting to doubt it.

I’m able to read the document, I’ve made a client to call the service through g*** and I get a response from the server.

I get some errors during my tests that point me (“M**K” and “p****e” referenced in exceptions) towards the possible attack vector.

I’ve created some classes trying to get a rev shell after the server unp****e them… but all I can get is a recurrent “Module is disabled” exception… and I’m not able to bypass it and have no clue how to continue… I think I need some help with that. Any nudges?

Even stuck and without having finished it, laser is already one of my favourite boxes in htb. Thanks @MrR3boot and @R4j for this nice work!

@rulzgz said:

Wow, not sure how much time I’ve spent on laser, time well spent, researching and learning a lot. With more or less effort and pain, I have overcome all steps by myself.
But now, I’m stuck, I think I’m on the right path… but I’m starting to doubt it.

I’m able to read the document, I’ve made a client to call the service through g*** and I get a response from the server.

I get some errors during my tests that point me (“M**K” and “p****e” referenced in exceptions) towards the possible attack vector.

I’ve created some classes trying to get a rev shell after the server unp****e them… but all I can get is a recurrent “Module is disabled” exception… and I’m not able to bypass it and have no clue how to continue… I think I need some help with that. Any nudges?

Even stuck and without having finished it, laser is already one of my favourite boxes in htb. Thanks @MrR3boot and @R4j for this nice work!

Oops, forget it. I found an alternative!