Log Poisoning

This post documents my process for solving the Toxic box on Hack The Box. This box is all about PHP insecure deserialization, exploiting LFI, and using log poisoning to achieve remote code execution. Synopsis PHP insecure deserialization to LFI that abuses log poisoning for RCE. Learning References: https://ianpeter.medium.com/exploiting-log-poisoning-through-lfi-and-serialization-in-php-e039e7b126ad The official writeup I wasn’t sure what to do at first, so I checked the writeup after struggling for a while. Challenge Analysis & Source Code Review The web page didn’t reveal much, but looking at the source code, you see: ...

Identifying the Local File Inclusion (LFI) Vulnerability While working on the skills assessment for the File Inclusion module, I first checked whether the target website was vulnerable to Local File Inclusion (LFI). The website had a query parameter called page in the URL, as shown below: http://<IP>/index.php?page=<page name> When I attempted to traverse directories using relative paths, like ../../../../etc/passwd, I encountered an error message: “Invalid input detected!”. Directory Enumeration with ffuf To explore available pages on the site, I used the ffuf tool to fuzz the directories: ...