Official Attended Discussion

When you just climbed what you think is the highest obstacle there’s just another one. Your payload is worth nothing if you are not allowed to deliver it.

Would anyone help me with the “VictIM” message content please

@damnc said:

Could we change the name of this thing to “curve ball”? When I think something will work, it does not! Finally had a working exploit for the binary; but when I tried to actually use it, the client refuses it.

@f1rstr3am said:

When you just climbed what you think is the highest obstacle there’s just another one. Your payload is worth nothing if you are not allowed to deliver it.

Use some “legitimate” way to generate it. This part is something related to crypto.

Hi

I have sent mister Guly a few emails. But he does not want to review my exploit code XD.

Is there anyone who might help me in the right direction?

please DM

@Tr41lBl4iZ3r said:

Hi

I have sent mister Guly a few emails. But he does not want to review my exploit code XD.

Is there anyone who might help me in the right direction?

please DM

You can PM me

After a very, very, very long journey… done!

Foothold: Make sure you read all emails you receive (so, yeah, you need to receive emails :wink: ) and once you have a communication method working, you may need to automate it.

User: As usual, look around for clues. Not everything you can touch you can see, but it’s fine.

Root: The admin is security minded and their choice of OS is very important. You may need to learn how to live from that quite inhospitable land. GREAT LEARNING PROCESS.

That was… patience testing at a completely new level!

uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

If I ever get the chance I will buy guly and freshness a beer and you have to teach me what kind of evil sorcery you use for binaries. I can swear that a…s was possessed and had a life of its own. Black evil magic.

Great box!!!

@f1rstr3am said:

That was… patience testing at a completely new level!

IKR. Wondering why the “ping back” for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts. I’m (additionally) monitoring with Wireshark, but nothing.

To quote a fellow malware analyst, here (though it was with regards to COM/MAPI):

It makes you want to throw furniture

:smiley:

@HomeSen said:

@f1rstr3am said:

That was… patience testing at a completely new level!

IKR. Wondering why the “ping back” for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts. I’m (additionally) monitoring with Wireshark, but nothing.

To quote a fellow malware analyst, here (though it was with regards to COM/MAPI):

It makes you want to throw furniture

:smiley:

LOL, MAPI. I used that as one of my first assignments as a consultant. I thought my code was the worst ever but the customer was all happy… :slight_smile:

@f1rstr3am said:

@HomeSen said:

@f1rstr3am said:

That was… patience testing at a completely new level!

IKR. Wondering why the “ping back” for foothold rarely works, while the other reply comes back in a somewhat timely manner. Got it working once and know the user, but now it failed for the last 20 (or so) attempts. I’m (additionally) monitoring with Wireshark, but nothing.

To quote a fellow malware analyst, here (though it was with regards to COM/MAPI):

It makes you want to throw furniture

:smiley:

LOL, MAPI. I used that as one of my first assignments as a consultant. I thought my code was the worst ever but the customer was all happy… :slight_smile:

Hehe, yeah. Writing code against MAPI is already “fun”, but when you have to reverse-engineer it, it gets even worse.

It seems that I can send messages now, but I am not getting back any reply. Could somebody help me to investigate it?
Thank you.

Okay, I have managed to solve this, but I now have no idea how to get guly to read my messages…

Hi.

Can someone give me a nudge on root?

Thanks

Finally rooted this sucker. What a lot of work that was! Huge respect to @guly and @freshness for such a great box. Taught me a lot. Keep plugging away everyone - that hard work will pay off!

Hey guys… a little nudge please on foothold… Just started this box yesterday and have figured out the RCE path from guly’s response. I can successfully get a ping back but not a reverse shell… Anyone available to run a quick sanitization on my code? Thanks

@sicario1337 said:

Hey guys… a little nudge please on foothold… Just started this box yesterday and have figured out the RCE path from guly’s response. I can successfully get a ping back but not a reverse shell… Anyone available to run a quick sanitization on my code? Thanks

Yep PM me

Finally User is done… Much thanks @camk

I can execute commands now with g**y, could somebody pm me where the flag is located? Or should I look for another user to get the user flag?

@czuczi said:

I can execute commands now with g**y, could somebody pm me where the flag is located? Or should I look for another user to get the user flag?

you need to privesc to guly’s co-worker

Picking this box up again after a long break. I think I have the pieces I need to get to root - BF param, service to target, obscure port. Now trying to generate a file in a format the service will accept, with the content I need, and struggling to get something working well enough to trigger the BF. Can anyone give me a nudge towards the right technique?

One step further - I can generate a file in the right format to trigger the B_F. Now trying to come up with a useful R_P c___n with the very limited number of gadgets available.

Update: rooted. Man this box was hard, probably the hardest one I’ve done so far. Thanks @all and @sicario1337 for your help and encouragement along the way.

Awesome concept, thanks @guly and @freshness!