DON'T USE $
try *
kinda off-topic but:
I'm facing a problem with TLPMAP
when I start enumerating with "tlpmap" it shows me an error "Exiting: 'bool' object has no attribute 'replace'". Can anyone help me out to solve this error?
As said before, it's an XXE. You can find out where to put the XXE by enumerating the system with for instance pspy64 and move from there
This was a fun box, I learned a number of things from it, especially privesc to root.
Hi guys, I have a question about PE and I'll be happy if you can assist me. I have rev shell and I am trying to do the part with PSPY, but unfortunately I cannot execute it. I have meterpreter session and when I type "execue -f pspy64" I get "Process started *****" and then when I do "ps" I don't see the process and just nothing happens. I tried dropping to shell and from shell I get "permission denied". I don't think it's because I am not root. Any ideas will be super helpful.
Regards,
Iliyan
This was a great box, in my opinion it should have been a medium with the privesc but it was still lots of fun. My hint for root is to have some of your favorite coffee.
I know which coffee you are talking about, but still have no idea where to begin. User was easy, but root is diff. Maybe it's because the machine fits for Medium, that's why I don't know how to approach...
not sure if this is a spoiler but you control the logs that the app reads. See if you can put something in the logs that makes the app read your image. See if you can put something in your image that makes it read your file. See if you can put something in your file that makes the app read (and output) the flag or the ssh private key
Rooted... Whew... I don't like Java. The drink tho yeah...
It comes from the Twig plugin, you should remove it from core/check.py in the plugins variable (for more information, see the issue in the repo)
Got a route to root figured out, but in order to do so, I need to figure out how to manipulate a path and I'm stuck there. Can someone give me a nudge in the right direction?
rooted. this was a fun box. I'd say PE was not easy.
This box was funish... fun, but punishing :-). For an Easy box I did not find the foothold or root to be especially easy.
For root I got to relearn a lesson from Capt. Jack Sparrow, "The only rules are what a man can do and what a man can't do." I put my thinking into a box and it took way too long to realize the box was of my own making and not RedPanda's.
Should the output XML file be visible on filesystem after contaminating the log file with specific URI pointing to specific image with specific EXIF data in it? Or is sth that may be blocking it? What should be triggering creation of XML file? Is it App.java? Did anyone have problem with PE at that point?
Anyone willing to give me a nudge? I've got the search function presenting 49 but now I'm stuck.
can somebody dm me about PE?
Nice Hint! I understood what happens in the box two days ago. But I was stuck at manipulating the log file. I tried to create the log entry via HTTP request. I overlooked the file permission and my group permission. Succeeded the attack now and obtained root.txt
I'm anticipating modifying a .jar file for privesc. Am I on the right path?
Do you mind DMing me? I'm having the toughest time getting those hints to work. I just can't do absolutely anything to exif data in the s*****/img folder. I can write to log, but definitely can't add an image to said folder nor change anything related to the items in it.
Shoot... I don't even think you can do that because you're not the owner nor in the group. Definitely had thought about that myself