Official RedPanda Discussion

DONT USE $
try *

kinda off-topic but:
im facing a problem with TLPMAP

when i start enumerating with “tlpmap” it shows me an error " Exiting: ‘bool’ object has no attribute ‘replace’ ". can anyone help me out to solve this error?

as said before it’s an XXE. You can find out where to put the XXE by enumerating the system with for instance pspy64 and move from there

1 Like

This was a fun box, I learned a number of things from it, especially privesc to root.

Hi guys, I have a question about PE and I’ll be happy if you can assist me. I have rev shell and I am trying to do the part with PSPY, but unfortunately I cannot execute it. I have meterpreter session and when I type ‘execue -f pspy64’ I get “Process started *****” and then when I do “ps” I don’t see the process and just nothing happens. I tried dropping to shell and from shell I get “permission denied” . I don’t think its because I am not root. Any ideas will be super helpful

Regards,
Iliyan

This was a great box, in my opinion it should have been a medium with the privesc but it was still lots for fun. My hint for root is to have some of your favorite coffee.

I know which coffee you are talking about, but still have no idea where to begin. User was easy, but root is diff. Maybe its because the machine fits for Medium thats why I don’t know how to approach…

not sure if this is a spoiler but you control the logs that the app reads. See if you can put something in the logs that makes the app read your image. See if you can put something in your image that makes it read your file. See if you can put something in your file that makes the app read (and output) the flag or the ssh private key

Rooted… Whew… I don’t like Java. The drink tho yeah…

It comes from the Twig plugin, you should remove it from core/check.py in the plugins variable (for more information, see the issue in the repo )

Got a route to root figured out, but in order to do so, I need to figure out how to manipulate a path and I’m stuck there. Can someone give me a nudge in the right direction?

rooted. this was a fun box. I’d say PE was not easy.

1 Like

This box was funish… fun, but punishing :-). For an Easy box I did not find the foothold or root to be especially easy.

For root I got to relearn a lesson from Capt. Jack Sparrow, “The only rules are what a man can do and what a man can’t do.” I put my thinking into a box and it took way to look to realize the box was of my own making and not RedPanda’s.

Should the output XML file be visible on filesystem after contaminating the log file with specific URI pointing to specific image with specific EXIF data in it ? or is sth that may be blocking it ? what should be triggering creation of XML file ? is it App.java ? did anyone have problem with PE at that point ?

Anyone willing to give me a nudge? I’ve got the search function presenting 49 but now I’m stuck.

can somebody dm me about PE?

Nice Hint! I understood what happens in the box two days ago. But I was stuck at manipulating the log file. I tried to create the log entry via HTTP request. I overlooked the file permission and my group permission. Succeeded the attack now and obtained root.txt :slight_smile:

I’m anticipating modifying a .jar file for privesc. Am I on the right path?

Do you mind DMing me? I’m having the toughest time getting those hints to work. I just can’t do absolutely anything to exif data in the s*****/img folder. I can write to log, but deffinitely can’t add an image to said folder nor change anything related to the items in it.

Shoot… i don’t even think you can do that because youre not the owner nor in the group. Definitely had thought about that myself