Toxic HTB Walkthrough
This post documents my process for solving the Toxic box on Hack The Box. This box is all about PHP insecure deserialization, exploiting LFI, and using log poisoning to achieve remote code execution. Synopsis PHP insecure deserialization to LFI that abuses log poisoning for RCE. Learning References: https://ianpeter.medium.com/exploiting-log-poisoning-through-lfi-and-serialization-in-php-e039e7b126ad The official writeup I wasn’t sure what to do at first, so I checked the writeup after struggling for a while. Challenge Analysis & Source Code Review The web page didn’t reveal much, but looking at the source code, you see: ...