Official Noter Discussion

No worries at all @wayl0n . Quick related question - which language are you using in that file :thinking: (hint)

I was using ti**** attacks for finding a user, I was using the burp suite extension but was getting different results between burp suite and firefox for users I know exist. Is there something specific I need to use in the extension or something else?

hi,

not sure what other people did but i used a for loop and curl to hit a part of the site that a user with valid credentials would be able to see. if it returned something good then i knew that user was valid

hi @M3rlin,

b00m! finally! :smiley:

Thanks for your hints and also ganoes on Matrix. You guys bumped me in the right direction without revealing too much.

Cheers,

wayl0n

1 Like

As this problem may be related to this box, I stumbled on some weird detail, that I'd like to share :slight_smile:

I have noticed that the base64 command line tool has some kind of different output than e.g. Burp or online tools like cryptii or cyberchef for the (seemingly) same input.

Burp, Cryptii and Cyberchef translate "This is a test" (without quotes) to:
VGhpcyBpcyBhIHRlc3Q=

However:

echo "This is a test" | base64
VGhpcyBpcyBhIHRlc3QK

The problem is, that echo adds a trailing newline, which will also get encoded to base64.
So, if you stumble on the same problem, just use:

echo -n "This is a test"  | base64
VGhpcyBpcyBhIHRlc3Q=

-n omits the trailing newline.

Hope this helps anyone.

Greetings
netzbuerger

Anybody willing to provide a nudge on finding the secret key? Been working on this all day and finally feel like I'm progressing...kinda.
Thanks in advance!

if you're still on this:

hydra http-post-form

Others have probably tried to find secrets for the same kind of thing before - maybe you just need to narrow your searches.
Secret for what kind of thing, exactly? (I don't expect a reply)

I thought the same thing until after i did the brute force.
When I saw how it was possible to find out without brute force i felt like an idiot - because it is obvious in hindsight.

I've made it a bit further. Now struggling with the reverse engineering...I'm not sure if my syntax is correct or not. The exploit is easy enough to find on the internet. No matter what I try, I either get server error 500 or the 'except Exception as e' function is called. Anyone able to help?

hellllp! I'm where you were with the file converter. Nothing but errors!

1 Like

OK
I spent all afternoon trying to use what seemed obvious.
but @rocksxebec had a couple hints that made me realize that i had another option. ( thanks ! )

So now i finally realized what the other func/route did - yay.

I am also stuck trying to get the R***** C*** ******* to work. I found the vulnerability in the ** - * * -*** package and know how to access the page on which the converter is located, but I can't get anything to work, just errors all the time. Any nudge would be greatly appreciated.

I created like 20 different versions of a payload for that package and i could get no joy.
i finally gave up on fighting the 500s and then re-read this forum.
at that point a @rocksxebec comment finally seeped in
I then went back and looked at the source code for the app again and realized i had totally blown off the fact that the 'converter' is called in more than one place.
looking at the source i realized i had wasted time trying to outsmart the f-ing filter/formatting bit. I hope that helps...

1 Like

EDIT: Haha, nevermind. It appears that something wasn't working as expected :slight_smile: Got root. If someone wants help with this box, send me a DM. Only the tiniest of hints of course.

Hey people!

Could someone give me a tiny nudge on the privesc?

I found the goods in the backup source code and the fact you can use them on M*S**. However, I am kinda stuck there. Found a backup script like some have said, but this does not appear to run.

I must be missing something obvious :smile:

Hey, when trying to do the privesc through m**** using the r*****_udf2 exploit I get the following error and can't seem to fix it.
Can't open shared library 'r*****_udf2.**' (errno: 11, cannot open shared object file: No such file or directory)

Can someone help?

I had the same problem. Revert the box and try again. Try to follow the online articles exactly.

Did that twice already, I suspect something about my paths is off, I just don't know what...

Did you locate the PL**IN P*TH from the article and use that?

Found it, cheers.