Official OverGraph Discussion

Official discussion thread for OverGraph. Please do not post any spoilers or big hints.


This is HARD

Yep, indeed.

5 system owns and 4 user owns. Most happened exactly an hour ago.
I guess I missed the big reveal because I can't use Discord.
Anyway - I can't get any query to work. I want to know if instro__ection is turned off.
Has anyone gotten instro__ection to work?

Yeah, after I had that I felt like a dog who finally caught a car, I had no idea where to go with it. It's definitely possible, I think it's easier if you stop using b__p and use the web.

Anyway - I can't get any query to work. I want to know if instro__ection is turned off.
Has anyone gotten instro__ection to work?

Worked for me. Just tested it a couple of minutes ago. I used g******map.

I was beginning to wonder if b__p was interfering more than it was helping, thanks!

Sweet - I will check that out, thanks!

That was so hard lmaoo

Concur


I managed to log in to the p****l, but I can’t find any way forward.

Any nudge for moving forward after discovering we can query stuff?

If you find something, share it :walking_man:, I'm searching too.

I may have found something but got stuck again lol

I'm learning the query thing, I found some good bits on how to pentest it but, same, got stuck :melting_face: :rofl:

  • Some good page *

I have to say, this is really hard. I'm only onto root now; it's something to do with reverse engineering.

Foothold:

  • reading the title of the machine, it's about some kind of graph, the graph first invented by Facebook
  • but the exploit I used had little to do with this graph
  • enum to get the subdomains
  • once on the subdomain, the usual enum cannot discover any more paths, because it's a SPA
  • however, you can download the client source and search for paths
  • once you know the paths, you should try to create an account, I know, 2FA…, but you can bypass it, right? needle it
  • once you have an account, discover a field where you can store something persistent, but malicious
  • the biscuit is not the only place for storing session info, right? what else can store session info in a browser?
  • you can modify your browser's place to promote yourself to see more, but you need more privilege to do things, seeing more is not enough
  • this part takes a lot of time, you know you are not alone on the web, but how to "borrow" someone else's browser?
  • experiment in your browser first, then kindly "ask" the other person to do the same
  • if everything goes right, you should have the session info of the other user, of course with a lot of trial and error
  • now you are someone else, you have the privilege to do more on the thing you were able to see previously
  • you need to supply something, maybe something malicious?
  • what is a popular malicious thing for the file type accepted? how is the server storing and saving it? don't tell me it will be converted somehow first!!! (locating the right kind of exploit is the key here)
  • if everything goes well, you should be able to read files from the target now
  • read, read, read, read for trust, once you trust someone, you don't check their password, right?

Root (still in progress)

  • remember checking all the web pages from before, some of the pages were not linked, one of them will hint you where to go next
  • you see a process that's run as root, it's not a conventional process
  • this process requires a password to be used
  • of course, you can take it offline and dig into the cells of it
  • once you dig into it cell by cell, you see why it's asking for a password, either use your strong cell reading skill to reverse the logic, or (if you are like me) you can bang the ■■■■ out of it by throwing millions of similar craps at it until it surrenders
  • now you should be able to use this program
  • you may have discovered from reading the cells that the cells are not nicely aligned, there are bound to be overlaps
  • so far, I'm able to trigger the overlap, but cannot get the overlapped value to be interpreted as a reference to my malicious stuff…

Root
Firstly, I have to say, this part is really hard. Reverse engineering and exploit development are required.

Hints on app:

  • enum the file system, you'll notice an unusual application running on a local port
  • copy this app to local for reverse engineering
  • the first step is to bypass auth, I have explained the logic before
  • the second step is exploit dev

Hints on exploit dev:

  • one function is vulnerable in its boundary checking
  • utilise this function to write to out-of-bounds places
  • dynamic applications use the GOT and PLT for referencing library functions
  • there are pointers to these library functions
  • some of the references can be overwritten
  • find some references to overwrite, so that these functions will behave differently
  • understand how the app address space is structured and how to exploit it effectively
  • the app is running in a specific way, some bytes need to be escaped for the exploit to work