Book

Title also suggests "read and learn", so it looks like a hint.

@olsv said:

@init5 said:

@olsv said:
Has anyone tried to mess with existing pdf files? One of them looks very interesting

Define interesting :smile:
Depends on the tool you use.

Something steganographic?

@durante said:

@olsv said:

@init5 said:

@olsv said:
Has anyone tried to mess with existing pdf files? One of them looks very interesting

Define interesting :smile:
Depends on the tool you use.

Something steganographic?

Would be very ctf-y

@durante said:

@olsv said:

@init5 said:

@olsv said:
Has anyone tried to mess with existing pdf files? One of them looks very interesting

Define interesting :smile:
Depends on the tool you use.

Something steganographic?

Probably, some additional content there, but most likely collateral damage from extraction. Trying to crack it, but no luck so far.

@olsv said:

Has anyone tried to mess with existing pdf files? One of them looks very interesting

Yes, I'm trying to inject the XMPmeta field, exactly the </x:xmpmeta> attribute

Jeezzzz man! This box just went from 4/5 to a solid 8 in difficulty. Hoping I get this as it would be my first medium/hard box! :smile:

@m3dsec said:

@olsv said:

Has anyone tried to mess with existing pdf files? One of them looks very interesting

Yes, I'm trying to inject the XMPmeta field, exactly the </x:xmpmeta> attribute

From what I've seen with exiftool, it looks like the files are just random ones from the internet, so anything in them has nothing to do with the box. I could be wrong though.

@NoWay1911 said:

@m3dsec said:

From what I've seen with exiftool, it looks like the files are just random ones from the internet, so anything in them has nothing to do with the box. I could be wrong though.

And what about your own pdf file which you have uploaded?

@bertalting said:

@NoWay1911 said:

@m3dsec said:

From what I've seen with exiftool, it looks like the files are just random ones from the internet, so anything in them has nothing to do with the box. I could be wrong though.

And what about your own pdf file which you have uploaded?

Looks like it simply takes whatever you feed it and stores it with a random id as a pdf. /ad**/ex** suggests there is some processing, but some preconditions should probably be met.

Did anyone manage to get to the admin panel?

xct and someone else managed it. All I managed is a weird (benign) xss in my user profile, but I’m pretty sure that’s not the way forward. I have no clue how to make it a meanie.

I am not an expert, but I just do not see any logic in this. Just a complex guessing game. Shrug. Pretty annoying. No offense to the maker. Maybe the rest of the box is really cool and I will learn something, but this part is… strange

Educated guessing is something that you’ll have to do in any pentest, especially against a target that is probably 94%-99% blackbox.
This thing is a legit beast and probably requires chaining together some obscure yet logical things that I’ve yet to get a twist on, but the overall story looks like it makes sense. It’s just a matter of making it work out. Trial and error. That’s life.

Based on the endpoints hanging off of /admin, I am thinking this is either a client-side exploit or access to the admin panel is required. I could totally be wrong, but it's what makes sense right now.

I might be overthinking it, but I see a pattern there. The title suggests Read and Learn, and there is also the header "If you have a Garden and a Library, you have everything you needed." All provided PDFs are about flowers and one of them has "marker" words. Tried to build dictionaries out of them, but no luck.
One of them did work though, but that was a false alarm. Someone reset the box :slight_smile:

Found some pieces of software, one is a git version, the other slightly outdated, not really sure if that would be important at this point.

Me: I sure have worked hard and would like to change careers to being a pentester some day.
Reality: Ha! F… you, buddy. Go eat paste.

I got some csrf working, but I don’t want to purchase a short domain. My ip is one digit too big :confused:

@anonipossum said:

I got some csrf working, but I don't want to purchase a short domain. My ip is one digit too big :confused:

Purchasing a short domain wouldn't help you anyway. The boxes are all sandboxed with no internet connectivity.

Free domain names with the .tk extension. Good for when you need to test something (Dot TK - Find a new FREE domain)