Official discussion thread for Noter. Please do not post any spoilers or big hints.
Hi folks. So I’ve found the X** vuln, and got the signing key for f**** but haven’t really been able to do anything with it. Any nudges will be greatly appreciated.
I’m in the same situation here
This box keeps hanging on requests. Every few minutes, it stops responding. After a futile day, I give up. Will return eventually.
I think it’s rate-limited on certain actions.
Is the app supposed to give a 500 when trying to use the “E***** to P**” function?
I mean, obviously it’s not, but is this the expected behaviour of the box or is something broken?
Actually it is. Look closely at all the e***** functions available. Maybe one is more useful than another.
I found the right file type to use in that one function, but nothing I feed it seems to give me anything but the same error. Tried doing a re***** on my end, which produces a different error, but does so no matter the location it seems. Kinda stuck here.
You’re on the right path with the file. You can do RCE that way, but you need to find a way to escape the checks the program puts on your file.
Finally rooted! Fun box. I just needed a break to wrap my head around the issues.
Foothold
- What backend technology is running? How can we leverage that to read other users’ notes?
- One of the pages you can access without any known credentials can help you find other users.
User
- Read the notes. Along with some more basic enum, you’ll be able to figure out how the app works.
- Leverage your knowledge of the app to escape any checks and gain a shell.
Root
- This is straight up basic PrivEsc.
Hope these aren’t spoilers.
Okay, so I found another user, and found a tool to forge something. But the forged thing just sends me to “Unauthorized …”. Can I get any hints? I also used the --le**** flag.
I’ve found the XSS too… But idk what to do with it next
I don’t think there is much to do with the XSS. I mean, there is no interaction between users and the cookies are HttpOnly… so, considering I’m still doing this box, I think we can say it’s a useless vulnerability.
So what are you gonna do next…? Are you trying anything?
At the moment I’m trying to follow this. I’m trying to understand how to read other notes (probably there is something in the other notes, or maybe it is just to discover other usernames) and I’m trying to find other users using the unauthenticated part. I realized how to find whether a user exists or not, but that doesn’t help me with the password. I tried to brute-force the password, but it looks like there is a limitation on how many requests you can do. In fact the brute-force is soooo slow and that’s why I think this is not the right path… but I’m still searching.
If you create an account for yourself and log in, you can trick the backend into thinking you are a different user by modifying the identifier the backend is using. Finding a valid user requires some brute force, but it isn’t necessary to try to brute-force the password.
Yeah, I think I’m working on the right spot, but still didn’t find how to modify the identifier. You mean the co****?
Yes. There is a tool that lets you decode and forge the specific type of co**** used by this backend.
Did you need to modify the tool in any way?
Because I think I used the right tool, but I needed to modify it, because the parts it was expecting were different.
Bad thing is… the part (h*****) that seems to be exploitable is not available.
And now I’m stuck, although I already got the right username for the login.