Official Bookworm Discussion

system · May 27, 2023, 3:00pm

Official discussion thread for Bookworm. Please do not post any spoilers or big hints.

Paradise_R · May 27, 2023, 4:47pm

So in the end this is what everything was about, the final enemy

I wish the best for everyone, I’ll be with you

otter · May 27, 2023, 5:36pm

army12bc · May 27, 2023, 5:38pm

Just when I have gotten 8% away from Pro rank…sadge

geb · May 27, 2023, 7:50pm

where are the ebooks ?

samfisher91 · May 27, 2023, 8:32pm

thats clearly gonna be pain in da a$$ … last box for the season xD

MagicBytes · May 27, 2023, 9:05pm

Good luck everyone, I could not find anything yet.

OldTimeyCoder · May 28, 2023, 12:02am

At the very least one of your assumptions about a field looks wrong

wwb167 · May 28, 2023, 12:15am

you mean the password field?

OldTimeyCoder · May 28, 2023, 12:29am

I’m a bit wary about the rules of giving too much information, but I will say you might want to investigate further on some of your assumptions. I haven’t solved it so I don’t know if it’ll actually help, but some things you said aren’t fully true.

philldav1 · May 28, 2023, 12:32am

Spent about 4 hours but still nothing…

P.S. cookie?

lim8en1 · May 28, 2023, 7:38am

Finally pwned the last seasonal machine. I thought it would be much harder, this one is closer to hard difficulty machines.
Most of the times you can guess what is expected to do the only problem may be with implementing it the right way.
Some hints:

User: record all interactions with the web app. make others do what you can not. Look for some interesting parameters, experiment with them. After that getting user is easy, just need to enumerate common stuffs.
Root: move things around (I think there was a machine like that already xD)

Anyway, the machine was good, made me code some nice stuff for the user part, the only problem is that one part of the way is very slow.

lim8en1 · May 28, 2023, 7:51am

no need to poke the cookie. better focus on the notes

philldav1 · May 28, 2023, 10:44am

I found that notes can reflect X** palyoad, but…

Most · May 28, 2023, 12:01pm

Summary

can i pm about something ? (last part for user).

Got it nvm.

Lander4K · May 28, 2023, 4:08pm

Could you help me? My Discord is: L4nder#0001

HelloThere · May 28, 2023, 9:32pm

Great machine to end this season.

For user, once you find the initial vuln, use it to get a peak at what is “on the other side”. Read it, update your exploit and go further. Rinse and repeat.
For root, you’ll need to redirect, deflect, transform stuff to get what you need. There are plenty of ways to do so, not only one answer.

As always, I you feel like you are running out of ideas or knowledge, feel free to reach out

tec · May 30, 2023, 1:28am

i found the initial vuln, and could trigger it manually, but could not get any feedback from serverside. i did not find any report feature or similar on the site. am i missing something?

lim8en1 · May 30, 2023, 2:51am

Check out what was recently updated on the shop pages

tec · May 30, 2023, 4:25am

Finally understand the page.
Great hint. Thanks.