Toxic Web Challenge Walkthrough |HackTheBox


Hi I’m Ajith ,We are going to complete the Toxic – Web challenge in the hack the box, It’s very easy challenge.

Connecting to the Toxic

First, We want connect the VPN to the hack box and start the instance to get the IP address and copy the paste IP address into the browser. It will show the Dart Frog interface page and download the file in HackTheBox.

Nmap Scan

Now, we want to scan the IP address to see what services and servers are running under it. Finally we found the ngnix running in the webserver

Analyzing File

We downloaded the toxic file and analysed it. The cookie is encrypted using base64 in the index.php file that was located.

Decrypted cookie

We took encrypted cookie in the website and try to decrypt the cookie finally we found some information in the encrypted cookie is size is 15 location file is /www/index.html


Changing cookie and header

We modify the cookie value, encrypt it, and then post it in the PHPSESSID value.


Modifying the cookie and the header to direct forward to a website that uses a Burpsuite.

User-Agent: <?php system('ls -l/');?>

Finally we found to the flag file.

Found the flag

Now, We modify the header to open the flag file using the cat command and forward to the website using the burpsuite

User-Agent: <?php system('cat /flag_32q6G');?>

Finally, We found the flag in the website

Another Approach

We use another method to complete the challenge to find the flag. It was very simple, using python code to complete the challenge

This was the output of this challenge


A pretty easy challenge, Just a file Injection and we have found the flag. Out of 10, I would rate 2 out of 10

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions or brave browser to block ads. Please support us by disabling these ads blocker.Our website is made possible by displaying Ads hope you whitelist our site. We use very minimal Ads in our site


Scroll to Top