The box was rated as insane and required us to grab a client and information from an anonymous FTP server, modify the Java client to exploit lacking server side validation, exploit Java deserialization, and exploit and careless administrator who periodically pulls log archives from within docker containers and extracts them. All in all this box was quite entertaining but not necessarily insane. Rather it mostly was just time-consuming.
Now that Dream Diary: Chapter 1 has finally retired, here is my writeup for it. This problem along with Chapter 2 were perhaps the 2 heap challenges I solved over a year ago that helped me start to understand heap pwn, and also inspired me to develop Dream Diary: Chapter 3 down the road.
Cascade is a medium difficulty windows machine that requires a lot of enumeration. Credentials can be found in different places, and one set is decrypted by reversing an application. For the final privilege escalation we abuse an Active Directory feature using deleted objects.
Sauna is an easy difficulty Windows machine where we exploit weaknesses in an Active Directory environment.
In this post I’ll show you how to port the ret2csu technique on ARM binaries. This technique allows full ASLR bypass using ROP gadgets inside the binary only. We will see that it also turns out to be a very effective technique to easily chain ROP gadgets.
Forwardslash is a hard-rated box (medium difficulty imo) in which we exploit an LFI in the web server to get access to some sensitive info that lets us SSH in. In our initial SSH session we exploit a SUID binary to obtain once again read access to a file with credentials that we use to move laterally to another user. From there we have sudo rights to access an encrypted luks image file, so we only have to bruteforce the key to then gain root and complete the machine.
Player2 was a challenging but very fun box by MrR3boot and b14ckh34rt. The highlight of the box for me is the finale 2.29 heap pwn! In my opinion, if there were no unintended routes, this would have been by far the hardest box so far, but some of these alternative solutions were never patched.
