Official dynstr Discussion

Official discussion thread for dynstr. Please do not post any spoilers or big hints.

Just checking I’m not being un-needlessly dumb, I don’t need to make my own DUC for this, right?

@Gravzy said:

> Just checking I’m not being un-needlessly dumb, I don’t need to make my own DUC for this, right?

Nevermind I’m overengineering.

Any hints → I got ‘nochg ip’. What next? I tried Injc re*ord but failed.

Was able to set sbd***n but now stuck?

I think the problem is that there is not much documentation on the vulnerability, and we can only read through the documentation on the API to try to figure out what’s there to be done. It’s seriously a super hard box for medium.

Read documentation → RCE. But stuck. Any nudge?

I managed to in&&ct my H&&t na/e

But stuck and don’t really know what to do next!
Any hint is appreciated

Maybe Ds hij**kig?

I am stuck. I think that to get user or wwdata I need to go on /ni*/udt*? But I tried so many forms to join but always get bdut*. Any hints?

Got shell :coffee:

Can someone nudge me on how to set up the *** so I can go and *** into the box as *******? Sorry if there’s any spoiler in this comment. Been googling for the correct setup but still a no go now.

Any hint for foothold? I’ve been bruteforcing subdomains but got nothing.

@jlpung said:

> I think the problem is that there is not much documentation on the vulnerability, and we can only read through the documentation on the API to try to figure out what’s there to be done. It’s seriously a super hard box for medium.

Finally rooted! EDIT!

@esmyl yup, got it finally! hahas

Can anybody give me a nudge? Been stuck for a few hours already.

@bgokjh said:

> Can anybody give me a nudge? Been stuck for a few hours already.

Same here. Got a CVE… but there is very little info on the same. A nudge on foothold will be much appreciated.

Great box! Rooted it. If anyone needs a hint, just let me know!

Spoiler Removed

To the 5 people who insta-pm’d asking for foothold hints… I would typically wait until it was out of release-arena… but - you are given most of what you need on the web-page, treat the REST as you would pen-testing any other API, don’t overthink it.