CTF-Writeups/HackTheBox/Toxic.md
2021-08-20 17:50:30 +05:00

4.3 KiB

HackTheBox-Toxic

We are given an archive to download which inlcudes source code of web page

Looking at the web page we have no interaction with the page

So the next thing is to actually look at the source code which is given and that we extracted earlier

We have this index.php file which is using preg_match to find directory Model and in that it's going to grab a file which is passed trough $name parameter and then it's including that file using include

Here an object is being made for the class name PageModel , if we look for other files we'll do see a file named PageModel.php which has the following contents

It has public variable name called $file which will hold a file name to be included which will be called through magic function named __destruct which call it's self when the script reaches it's end basically it destorys the object.

Coming back to index.php , that object is going to access the public variable file which will assign a string to it /www/index.html meaning that this variable now holds the index.html file which is going to be called in include function of the class meaning that this file will be displayed on the browser but we don't know yet how it's going to be passed.

Next a php session cookie is being set by encoding the variable's value to base64 and seriliazing it , time()+60*60*24 just tells when the cookie is going to be expired and according this it will expire in 60 hours ,60 minutes and 24 seconds and / is telling the location for the cookie

This part is important as now $cookie variable is going to hold decoded value meaning the serilized object and then it's going to be unserilized meaning that the proper file name will be passed into the destruct function

As you can see we have our serilized object so let's break down this

O - This tells us that this is an object, 9 - This is telling us that this object is of PageModel class having the lenght of 9 chracters

1 - This tells us that there's only one object

s - This tells us that it's a string , 4 with four chracters and then again it tells us about the file name with it's absolute path that it's 15 characters long and it's a string value

So now I thought of if I could make php file having this content in it <?php system($_GET['cmd']);?> so then I could call that file name through changing the filename in cookie and decoding it back to base64 so it would be loaded through __destruct function but there's no interaction on the web page to upload files so this won't work like that

Now we can pass a file name into the cookie by replacing /www/index.html with the file name but we don't know a file that we can view so I'll go with /etc/passwd file which holds information for users on the linux system , for that we need to get the length for the file name

It's 11 characters so we'll do it like this

Now just replace the base64 encoded string in cookie field and we'll get /etc/passwd file to be loaded on the browser

https://i.imgur.com/82bPzNN.png

Notice earlier in the archive file we had config folder

We have nginx.conf file meaning that proably this is being hosted through nginx and from the config file we can see that it is !

We can try to poison nginx's access log file /var/log/nginx/access.log

And boom

Now it's left to poison them by adding php code un User-Agent

We can see the randomly generated file name for the flag so we can just use cat to get the contents