Official ScreenCrack Discussion

Official discussion thread for ScreenCrack. Please do not post any spoilers or big hints.

2 Likes

wtf is that challenge

1 Like

That was really fun and interesting! Loved it

Any hints on how to solve it?

1 Like

As with all web challenges, follow the user input all the way through the code. Understand the functions that interact with that input. Are any vulnerable? Think about what things you could do with the input you control, what kind of bypasses are available to you, can you make the app do anything the developer hadn’t considered?

More specific hints: what other services are running? Maybe you can interact with them. Remember, HTTP isn’t the only protocol that exists.
Also, make sure to look at every file; maybe there is one that contains a record of someone’s failed attempt at doing what it is you want to do.

2 Likes

Any hints please? I’ll tell you what I found out so far: I noticed the redis server running and I found out you can issue commands to redis even through curl using gopher:// as a schema. However, what I’m stuck on is the filter_var on 127.0.0.1; I tried every possible bypass I could find, but if something bypasses the filter, it crashes on curl and vice versa. Can anyone give me a nudge?

Did you check all bypasses as well as public domains which might resolve to 127.0.0.1?
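
For contrast with the two posts above, here is what a hardened version of that check looks like on the defending side. This is an added example, not code from the challenge or from any poster: it allowlists the URL scheme before curl ever sees it (so gopher:// never reaches the library), resolves the host itself so a public domain that resolves to 127.0.0.1 is judged by its address rather than its spelling, and pins curl to the address it validated. The function names, the http/https allowlist and the IPv4-only resolution are this example's own assumptions.

```php
<?php
// Added example (not from the challenge or any poster): validate a
// user-supplied URL before curl fetches it. Names are this example's own.
function is_safe_fetch_url(string $url): ?array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;   // gopher://, file://, dict:// and the rest are refused
    }
    $host = trim($p['host'], '[]');
    // Resolve the name ourselves: a public domain pointing at 127.0.0.1 is
    // judged by its address, not by how the host string is spelled.
    $addrs = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : (gethostbynamel($host) ?: []);   // IPv4 only; AAAA needs dns_get_record()
    if ($addrs === []) {
        return null;
    }
    foreach ($addrs as $ip) {
        // Fails for loopback, link-local, RFC1918 and other reserved ranges.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['host' => $host, 'port' => $port, 'ip' => $addrs[0]];
}
function fetch_checked(string $url): ?string
{
    if (($t = is_safe_fetch_url($url)) === null) {
        return null;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Pin to the validated address; no second DNS lookup between check and use.
        CURLOPT_RESOLVE         => ["{$t['host']}:{$t['port']}:{$t['ip']}"],
        // Enforce the scheme allowlist inside curl too, in case redirects are ever followed.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT         => 5,
    ]);
    $body = curl_exec($ch);
    return $body === false ? null : $body;
}
```

Both checks matter together: the scheme allowlist alone still lets a name that resolves to loopback reach an HTTP listener, and the address check alone still lets a permitted host redirect or re-resolve somewhere internal.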

I’ve bypassed the filter but I can’t find a working gopher payload. Is it the right path?

Yep, it is the right path. Try to analyze the data (as well as the data structure) - use the docker instance to look into it.

Thanks for the help, I managed to get execution on the redis instance, but I can’t achieve RCE since I get the error `can't set protected config`. Is there anything else to try on redis since there are no keyspaces?

Check the source code for what redis is used for. You should easily find a function that dangerously uses redis keys…

There are keyspaces. It is just a matter of time because they will be regularly cleared.

I couldn’t find anything beside Laravel queues and apparently those are known to be vulnerable, but I don’t know how to queue jobs to exploit the deserialization RCE. Any further tip?

Pop a key, modify it, push it back. ez.