Ethereal

@opt1kz said:
Is the RCE a rabbit hole? I’ve spent hours on it and gotten nowhere, but can’t find any other attack surfaces.

This! It’s absolutely driving me nuts.
Can anyone confirm or deny it’s real?

You can run but you can’t write. What you can run seems to be limited, too.

@SingleCore said:
This! It’s absolutely driving me nuts.
Can anyone confirm or deny it’s real?

I DM’d someone who’s rooted it asking about this, and they confirmed that it’s the way in.

So… Yay…

Need someone who’s gotten a foothold via the RCE to DM me. I have a theory about a possible attack vector, but I’m stuck on a particular part.

Anyone know when the patch is supposed to be complete?

EDIT:
As of 1800 UTC it seems to be patched. If it is down on your server, issue a reset and it will bring the box back up.

EDIT2:
jk, status check feature was lying (@ mods)

EDIT3:
annnnd we’re back

So I only Nmap'd it, not going to try it yet!!

Maybe this weekend I'll have a go, and as usual the forum is full of spoilers lol!!!

But let's see what we can do this weekend!!

Wish me luck! :slight_smile: But I want to do the 20-pointer box that's coming out first.

Edit: Never mind. Rooted.

I’ve been stuck on what I believe is the last step to user, j****. Created a new .l** and replaced the one on the box successfully, but I get nothing back. I know the arguments are correct because I tested them outside the file. Really need a sanity check on this one, it’s driving me nuts and wasting a lot of time.

EDIT: nvm got it. If you’re not getting anything, check for hanging processes…

@iven said:
For me, I got remote desktop access but the code on user.txt is not working :angry:

This is a joke, right?
I'm not sure you had remote desktop access; I think you were on an HTML page.

pbox.exe…rabbit?

@cslatt05 said:
pbox.exe…rabbit?

No.

Darn, crZ=0fff4a12 page faults…it will be neat to find an emulator that works

EDIT: Solved the pbxx issue. Thanks to @devloop.

Hi ! Yes I was able to do it. Had to download some required component, unzip it and put files in bin directory to make them work.

Now I’m able to ping and check file existence but no more :stuck_out_tongue:

@cslatt05 said:
pbox.exe…rabbit?

You can get the password contents extremely easily…
I'm just trying to figure out what to do with the contents…

EDIT: ncrack helped a lot with this

this box is hell, even when you know what to do. run from it.

I can ping myself from Ethereal. That’s all I have achieved up to now. Am I on the right track? Would some kind soul offer guidance towards RCE? No direct hints or spoilers. Thanks for your time!

I ended up getting the source code for pbox.exe and rewriting it into a password cracking tool because I can’t be arsed to repetitively type in passwords, especially with that extra two-second sleep (which feels more like two years…). It was an interesting exercise, but ultimately I was a little peeved when it told me the password…

@tty said:
I ended up getting the source code for pbox.exe and rewriting it into a password cracking tool because I can’t be arsed to repetitively type in passwords, especially with that extra two-second sleep (which feels more like two years…). It was an interesting exercise, but ultimately I was a little peeved when it told me the password…

Hahaha. I find this hilarious because I did the exact same thing. I had a prototype set up to crack it using rockyou, and used a copy of the file to see exactly how it operated on test runs… and for whatever reason, right before I put the cracking program to work, I tried to guess a few passwords. I got it right on my first try.

Really would appreciate some help with privesc though. I've been messing around with a .lnk file to no avail.

It must be viewstate…but how to decode it