LFI

2025

HTB POV: Formal Write-up

·1539 words·8 mins
Synopsis: POV, a medium machine on HackTheBox, was vulnerable to Local File Inclusion (LFI) through the “cv download” option. This LFI allowed disclosure of the “web.config” file, which in turn exposed the validation key for ASP pages. By manipulating the __VIEWSTATE payload using the validation key, the attacker achieved Remote Code Execution (RCE) on the machine. Further exploration of the “sfitz” user’s documents folder revealed a “connection.xml” file containing credentials for another user, “alaading.” After escalating privileges to “alaading,” the attacker discovered that the account held “SeDebugPrivilege,” which was subsequently exploited to gain complete control over the host.

2023

HTB Agile: Formal Write-up

·1829 words·9 mins
Synopsis: The Agile HTB Linux machine hosted a password manager that was vulnerable to IDOR and LFI. An attacker could exploit the IDOR to obtain the user corum’s SSH password and exploit the LFI to disclose the source code and other confidential files. Upon landing on the host, an attacker could set up SSH local port forwarding to reach a test web application. The test web application was not significantly different from the main application and had the same IDOR vulnerability. By exploiting this vulnerability, an attacker could find a pair of credentials for the user edwards. The user edwards was able to run sudoedit commands only as the user “dev_admin” on two files. The host was also vulnerable to CVE-2023-22809, which could be exploited to add a reverse shell to the app/venv/bin/activate file and compromise the host.