Toxic | HTB Web Challenge
Web
In the given source code we can spot that it is vulnerable to deserialization
PageModel
have magic method __destruct()
to exploite Deserialization
payload=
The flag name is random so we need to find a way around
we can find the path of /etc/nginx/nginx.conf
in Dockerfile
Reading this file we get the path to access log /var/log/nginx/access.log
In access log we see that User-agent is printed
We can try injecting php code:
and it works 🥲 Let's get flag
Flag: HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}
:octocat: Happy Hacking :octocat:
Last updated
Was this helpful?