Toxic Web Challenge Walkthrough |HackTheBox

Introduction

Hi I’m Ajith ,We are going to complete the Toxic – Web challenge in the hack the box, It’s very easy challenge.

Connecting to the Toxic

First, We want connect the VPN to the hack box and start the instance to get the IP address and copy the paste IP address into the browser. It will show the Dart Frog interface page and download the file in HackTheBox.

Nmap Scan

Now, we want to scan the IP address to see what services and servers are running under it. Finally we found the ngnix running in the webserver

Analyzing File

We downloaded the toxic file and analysed it. The cookie is encrypted using base64 in the index.php file that was located.

Decrypted cookie

We took encrypted cookie in the website and try to decrypt the cookie finally we found some information in the encrypted cookie is size is 15 location file is /www/index.html

0:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

Changing cookie and header

We modify the cookie value, encrypt it, and then post it in the PHPSESSID value.

0:9:"PageModel":1:{s:4:"file";s:15:"/var/log/nginx/access.log";}

Modifying the cookie and the header to direct forward to a website that uses a Burpsuite.

User-Agent: <?php system('ls -l/');?>

Finally we found to the flag file.

Found the flag

Now, We modify the header to open the flag file using the cat command and forward to the website using the burpsuite

User-Agent: <?php system('cat /flag_32q6G');?>

Finally, We found the flag in the website

Another Approach

We use another method to complete the challenge to find the flag. It was very simple, using python code to complete the challenge

This was the output of this challenge

Conclusion

A pretty easy challenge, Just a file Injection and we have found the flag. Out of 10, I would rate 2 out of 10