congratulations @mprox
He did not even let anyone else get a user before he gets the root fb, what a champ
yea this box seems a little hard for 30 pts
Yeah, this box has waay to many steps for 30 pts, I feel. But I really liked it. Some clever techniques throughout, and very interesting presentation… but I don’t want to spoil anything right now. Good luck people, I’ll get some sleep!
Im Lolled, the thing I ignored the most turned out to be useful
I’ve had a lot of comments on “Blind Watchmaker”… some people got the hint, but many thought it was just misdirection. It was just a concealed way to talk about the slow technique that many already found.
The “blind watchmaker” has a brother… the “blind sign painter”. The watchmaker really takes his time, so he works pretty slowly. Maybe ask his brother, if you can find him
Type your comment> @mprox said:
I’ve had a lot of comments on “Blind Watchmaker”… some people got the hint, but many thought it was just misdirection. It was just a concealed way to talk about the slow technique that many already found.
The “blind watchmaker” has a brother… the “blind sign painter”. The watchmaker really takes his time, so he works pretty slowly. Maybe ask his brother, if you can find him
sorry, i don’t get the hint 
i’m also on NSF, i’d really like to hear your feedback.
thanks, and 'grats for the double blood
nested has a meaning 
And u can get lfi with it 
@guly said:
sorry, i don’t get the hint
Nevermind. That’s exactly the reason i’ve stopped looking at forum even when exhausted all ideas. People come here to see some constructive and useful information. Messages like rooted, nice box, learned alot or it lagz so much... just annoying, but misleading or ambiguous hints only slows down your progress, which i believe even worse than fat trolling.
Seriously, i’ve rooted this box and that “watchmacker” and “sign painter” tales make no sense to me. I don’t even get what phase it should apply to (initial, user, root)?
Anyhow, about getting user:
Pretty standard box, generic enumerations should be enought. It’s not a guessbox at all.
I assume alot of people would blindly leak everything they can, and then don’t know what to do with it. Better try to understand how exactly it’s implemented, that should give new ideas and vectors of attack.
privesc:
Pay attention to things you have access to after you pop a shell and as was already noticed
@Malone5923 said:
they got hacked recently.
keep that in mind.
Yeah
Type your comment> @lolwut said:
Seriously, i’ve rooted this box and that “watchmacker” and “sign painter” tales make no sense to me. I don’t even get what phase it should apply to (initial, user, root)?
I got the hint, havn’t had a chance to look yet, but I understand what he is trying to say. If the first method found is painfully slow, there may be another…
Yeah, sounds like @0PT1MUS got it. @lolwut it might make sense if you’re at the right step - it’s pretty difficult to be more precise without outright giving it away
I can’t get the blind watchmaker to work. Don’t know what I’m doing wrong. Can someone give me a nudge?
Anyhow, about getting user:
Pretty standard box, generic enumerations should be enought. It’s not a guessbox at all.
I assume alot of people would blindly leak everything they can, and then don’t know what to do with it. Better try to understand how exactly it’s implemented, that should give new ideas and vectors of attack.
Comments like this make me laugh. It’s totally normal in the real world for boxes to have multiple index documents, files named as hashes, etc, right? As it turns out, the useful vulnerability isn’t super weird, but in general the box is not very real world.
@deviate said:
Comments like this make me laugh. It’s totally normal in the real world for boxes to have multiple index documents, files named as hashes, etc, right? As it turns out, the useful vulnerability isn’t super weird, but in general the box is not very real world.
Missing index for web servers is not rare in the real world, especially when there’s multiple frontend-backend proxying. In case of this box i think it’s not indended but most likely has been forgotten by box creator. Doubt that this is even a matter of discuss, cause it literally takes half a second to overcome.
I agree that those kind of filenames are pure made-up, but since you don’t need to “guess” them it doesn’t make absolutely no difference. It’s not that kind of box where you dirbusting 50M+ dictionary to find rabbit hole or some esoteric language b-■■■■.
Type your comment> @lolwut said:
@deviate said:
Comments like this make me laugh. It’s totally normal in the real world for boxes to have multiple index documents, files named as hashes, etc, right? As it turns out, the useful vulnerability isn’t super weird, but in general the box is not very real world.Missing index for web servers is not rare in the real world, especially when there’s multiple frontend-backend proxying. In case of this box i think it’s not indended but most likely has been forgotten by box creator. Doubt that this is even a matter of discuss, cause it literally takes half a second to overcome.
I agree that those kind of filenames are pure made-up, but since you don’t need to “guess” them it doesn’t make absolutely no difference. It’s not that kind of box where you dirbusting 50M+ dictionary to find rabbit hole or some esoteric language b-■■■■.
box author here: i can say that there are two index and a missing one, and all are intended and there like that for a reason
happy to discuss on discord/mattermost as soon as the box will get enough root
im wondering what is the point to unlead people. sigh. use common tools for the entry.
after all night fighting this ■■■■ thing. I switch to EU VIP vpn and it works and page loads. Unreal. Ok… Now I can move fwd. Cute hahhahaahahah.
is the md5 a troll ?