Official Pollution Discussion

cz the database is spammed with records, and I guess there is a cron to restart some services to clear the box state

Hello guys, anyone online to ask a question?

Finally PWNED after a tough time. Anyway, can’t give a hint here cuz it’s a really long way, so feel free to DM about where you are stopped and I will help ^___^

Hello, can anyone tell what’s wrong with my **E payload? I was able to read /etc/hostname only; if I try to read /etc/passwd, the payload is not working.

It seems only files with one line can be read.

This is a rabbit hole; it’s far simpler than crafting an **E payload.

For real? I was working on crafting the payload the whole time. Alright, back to the lab.

EDIT: Alright, you cleared it up really well below. Got it.
EDIT2: This box’s signup/signin functionality keeps breaking, and session cookies stop working too.
EDIT3: Stop bruteforcing, wtf, got me flushing the database just to keep this box alive.

I guess I was wrong, you have to read files, but remember you don’t need the full path :)

Can somebody pls help me with the root flag? I used “Prototype Pollution to RCE - HackTricks” as reference and also got an admin token for Message_send, but every time I only get a

SyntaxError: Unexpected token c in JSON at position 92…

error back. I have no idea what I’m doing wrong. I never used this kind of vulnerability.

Hi, sorry, I have a problem with the machine Pollution: I can’t get a connection to MySQL. I have the username and password that I got in config.php, but it does not connect. Any solution? I don’t write very well in English.

I needed some hints and guidance along the way, but finally rooted. This was one of the best boxes I ever played; very very well thought out. Thanks @Tr1s0n !
