Patents

Found a way to force Patents to download something from my webserver. Now it’s about exploiting it :slight_smile:

There is a PHP version of the visible HTML page. I think it is the way in, considering the comments in it.

6 users till now? lol, I’m gonna skip this

Over 24 hours and no root… I think “Hard” was an understatement for this box.

I can’t even get the first foothold!

We are at the same point. I am looking for a small foothold too. This machine is more than insane.

Finally get a ping back, and I’m told it won’t help ;_;

I think it’s time to give some hints about the initial foothold.
As I could understand by talking to some of you on social channels, the “obvious” vulnerability everybody is talking about is correct, however you are all missing some important information to correctly exploit it.
Try to use a different wordlist to find something useful in the web app. Maybe some developer left traces of a changelog!

@gbyolo said:

I think it’s time to give some hints about the initial foothold.
As I could understand by talking to some of you on social channels, the “obvious” vulnerability everybody is talking about is correct, however you are all missing some important information to correctly exploit it.
Try to use a different wordlist to find something useful in the web app. Maybe some developer left traces of a changelog!

Miiiii! I can’t believe it!! My favorite hint! :slight_smile: (tribute to the webapp user)

So far, even harder than PlayerTwo or Rope. This machine is destroying me. Kudos @gbyolo for creating a nasty box. You’ve got me beat. Not sure about the “Hard” categorization though – this one is a doozy!

Don’t have user yet, but I think I know what I need to look at. Your hint helped me realize I wasn’t too far off track.

Edit: Gotta love when there’s one root blood and then magically 4 people root it straight after.

Coincidence-I-think-Not

@farbs said:

Don’t have user yet, but I think I know what I need to look at.

I know that feeling… not quite enough though in my case haha!
Insane box @gbyolo - nice find

Five people have rooted it now… That’s quite impressive given that for the first day only six had even got user.

Didn’t get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility… then generated a PDF from a normal docx and checked what version of the thing to try to attack… got to some papers and blogs… tried to embed this into that, uploaded that, and nothing! Keep failing at every single step. Aux, what a box…
Any help will be appreciated.

PM please!

@gbyolo said:

I think it’s time to give some hints about the initial foothold.
As I could understand by talking to some of you on social channels, the “obvious” vulnerability everybody is talking about is correct, however you are all missing some important information to correctly exploit it.
Try to use a different wordlist to find something useful in the web app. Maybe some developer left traces of a changelog!

Well, consider me truly bamboozled. After many hours of trying the obvious path I see this post, and spend quite a few more hours throwing different wordlists from seclists/dirb/dirbuster/wfuzz at the site. Full recursion, .log, .txt, .conf, .html, .php extensions and nothing. The only changelogs found were in /v***/s***/*/c***. They don’t seem to be useful.
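To make the "full recursion plus extension list" approach discussed in this thread concrete, here is an added example that is not from the thread, the box, or any of the tools named above. It factors the HTTP request out into a `probe` callable so it runs offline against a constructed site map; `WORDS`, `EXTS`, `SITE` and every path in them are made up for the demo. It also computes how many requests a real wordlist produces per directory, which is why recursive scans with several extensions take so long.

```python
"""Added example: minimal recursive content discovery with an extension list.
Everything here (site map, wordlist, extensions) is constructed for the demo
and is not taken from the Patents box or from the forum thread."""
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed site map: path -> HTTP status. 301 on a bare name stands in for
# the "directory exists" redirect most servers send before the trailing slash.
SITE: Dict[str, int] = {
    "/index.php": 200,
    "/api.php": 200,
    "/docs": 301,
    "/docs/changelog.md": 200,
    "/docs/readme.txt": 200,
    "/assets": 301,
}

# Constructed wordlist and extension list (hypothetical, deliberately tiny).
WORDS: List[str] = ["index", "docs", "assets", "changelog", "api", "readme"]
EXTS: List[str] = [".php", ".md", ".txt"]

HIT_STATUSES = (200, 301, 403)


def probe(path: str) -> int:
    """Hypothetical request function: look the path up in the fake site map.
    In a real scan this would be an HTTP request returning the status code."""
    return SITE.get(path, 404)


def candidates(words: Iterable[str], exts: Iterable[str]) -> Iterable[str]:
    """Yield the candidate names tried in one directory: bare word, then word+ext."""
    for w in words:
        yield w
        for e in exts:
            yield w + e


def discover(probe_fn: Callable[[str], int], words: List[str], exts: List[str],
             root: str = "/", max_depth: int = 2) -> Tuple[Dict[str, int], int]:
    """Breadth-first recursive discovery.

    Returns (found, request_count). A hit on an extensionless name is treated
    as a directory and queued for recursion up to max_depth levels deep.
    """
    found: Dict[str, int] = {}
    queue: List[Tuple[str, int]] = [(root, 0)]
    requests = 0
    while queue:
        base, depth = queue.pop(0)
        for name in candidates(words, exts):
            path = base + name
            requests += 1
            status = probe_fn(path)
            if status not in HIT_STATUSES:
                continue
            found[path] = status
            if depth < max_depth and "." not in name:
                queue.append((path + "/", depth + 1))
    return found, requests


def request_count(wordlist_size: int, ext_count: int, directories: int) -> int:
    """Requests a scan needs: every word is tried bare and with each extension,
    in every directory that gets recursed into."""
    return wordlist_size * (1 + ext_count) * directories


if __name__ == "__main__":
    hits, n = discover(probe, WORDS, EXTS)
    for p, s in sorted(hits.items()):
        print(f"{s} {p}")
    print(f"{n} requests against the demo site")
    # A ~220k-entry wordlist with five extensions, one directory:
    print(f"{request_count(220_000, 5, 1):,} requests per directory at full size")
```

The cost function is the practical point: with a large wordlist, every extension you add and every directory the scanner recurses into multiplies the request count, so a wrong wordlist burns hours before it fails, and the usual fix is to swap the list rather than add threads.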

@arale61 said:

Didn’t get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility… then generated a PDF from a normal docx and checked what version of the thing to try to attack… got to some papers and blogs… tried to embed this into that, uploaded that, and nothing! Keep failing at every single step. Aux, what a box…
Any help will be appreciated.

PM please!

That’s exactly where I am XD. I’m wondering if I should be looking at u*****.p and not c****.**p

@idomino said:

@arale61 said:

Didn’t get that changelog from the developer, but managed to get some dependencies file pointing to some conversion utility… then generated a PDF from a normal docx and checked what version of the thing to try to attack… got to some papers and blogs… tried to embed this into that, uploaded that, and nothing! Keep failing at every single step. Aux, what a box…
Any help will be appreciated.

PM please!

That’s exactly where I am XD. I’m wondering if I should be looking at u*****.p and not c****.**p

But the thing here for me is the conversion process, since it is the only form of input I see we can try to ‘control’.
I’ve been messing around with different types of XXE and SSRF attacks but I didn’t get any response back from them…
I will retry again, from the beginning, starting again from XXE… let’s see what I can get this time that is different.

Hi all,

This will be my first difficult box.

I did have a little go a couple of days ago but this one looks like it needs some time.

Did anyone figure out what is listening on port 8888?

I’m not convinced that it’s the service nmap is reporting.

Is that changelog file really necessary to exploit the vuln? I find it hard to believe that someone found it in the first 6 hours, given that my scans would take days and are only looking for a very reduced set of extension types (.lst, .md, .txt…), and with just 30 threads I’m getting loads of I/O exception errors…

Regarding the vuln, I’ve been able to make the server get a file from my server, but I don’t think it will lead to a real vuln unless that file is dropped in a folder or something. Trying to make the server load a local file through file:/// and putting it in the PDF doesn’t seem to work either…

The wordlist is the key; I tried tonnes until I got that one from SecLists.

Got the two changelogs, trying to figure out what’s going on; the i**l seems vulnerable and the s****y on that version also seems vulnerable. I hope I’m not drowning in a deep rabbit hole!

Finally got user. Really insane box. Mixed feelings at first, but I’ve really warmed up to it so far. Also, I don’t plan to respond to PMs for a few days, so don’t expect a quick answer if you want help!

@clubby789 said:

Finally got user. Really insane box. Mixed feelings at first, but I’ve really warmed up to it so far. Also, I don’t plan to respond to PMs for a few days, so don’t expect a quick answer if you want help!

Any hints on the initial foothold? It’s driving me crazy!