Official BroScience Discussion

Official discussion thread for BroScience. Please do not post any spoilers or big hints.

Rooted! Nice box with a good theme!

Challenging Medium box, but nothing you can’t handle.


Do you have some hints for root?

Having trouble finding the salt for the hashes, any hints would be appreciated! :DDD

edit typo error

Do you have some hints for root?

A couple hints:

  1. May seem obvious, but enumerate the filesystem. Consider areas where custom software and add-on applications typically might go.

  2. Think about how you can gain deeper visibility into in-flight filesystem operations and processes. You don’t have root, but that doesn’t mean you can’t get quite a lot of insight into what a machine is doing. You may consider some third party tools that help with this.

Once you nail 2, crafting the actual elevation of privilege becomes a much clearer exercise.

Feel free to DM if you’d like to bounce ideas.


Any hints for logging in? I already have access to the source code and already understood what I need to do once I log in, but I can’t login into other’s account nor brute force the activation code. I’m now brute forcing users’ passwords but I don’t think that’s the way.

Also stuck on the login page, any hint?

Very good machine, i liked it a lot… just a bit thougher than the regular medium box.
For anyone stuck feel free to drop me a PM


Think more about how you could reduce number of attempts when you brute force the activation code. Is it truly random or is there something that could reduce your surface area?

1 Like

Oh, I should’ve noticed that before. Got it, logged in. Thank you!


Rooted! user was challenging, but root was not too bad.

1 Like

That was a really fun one! Both user and root were both super satisfying to figure out.

A nice box.

FOOTHOLD : simple enum and look for params. You can display files from the box. Get the function code and activate your account. Something happening with theme changing. Check code.
USER : get hashes and get flag.
ROOT : something in the background. Something to execute.

Hope it’s not too much hints. :slight_smile:


OK I give up. I do not understand how to take advantage of this unserialize call.
I found the vuln that lets us grab files and i got most if not all of the php files.
I was able to generate enough activation codes to login for a little while.
But all i do when I create my own serialized UserPrefs is to screw up the layout of hte index page. i see no way to get it to “__wakeup” or “_destruct” or exec anything
What am i missing ?

Your magic method is in another castle. It’s a utilitarian castle, but it’s still got class.


Rooted. i’m not good in php hence chatGPT helped me a lot. few hints for those stuck:
Parameters are important. Read whatever you get carefully, to not to waste time looking for something to rub on your wounds.
root: way easier then user flag , lookout for what is already running.

1 Like

dm me

1 Like

Finally Rooted !!! :man_lifting_weights:

If you are stuck, write me a DM and I will be happy to help you. :grin:

1 Like

Wow that was a great box. Foothold was the hardest, but also the coolest. DM me if you need help


OK with some hints etc I slogged thru.
Thanks and cheers.
I sorta hate php - so that’s on me to get over.
I was about to write that I still need to figure out why one tactic worked and another did not.
But then I looked back at the web app code and I went to the official php manual page for a particular php function.
The tactic that worked jumped out at me from the php manual page.
So I understand better now and I am more at peace with the Brosci box.

g’nite all

1 Like