LoveTok | HackTheBox web challenge Writeup
When we visit the web challenge, we can see it like a love prediction website.
Clicking the red box “Nah, that doesn’t work for me” changes the date and time.
An intriguing aspect is the presence of a parameter called “format” within the URL.
I tried to modify the parameter value, but no changes occurred. I also experimented with SQL injection (SQLi) and cross-site scripting (XSS), but no results were observed. I searched for potential issues in the inspect element but found nothing noteworthy.
So, I started source code analysis ………
Upon inspecting the downloaded files, two files contain some juicy information: TimeController.php and TimeModel.php.
In the image above, the code snippet `isset($_GET[‘format’]) ? $_GET[‘format’] : ‘r’;` checks if the ‘format’ key has a value. If it is not assigned, ‘r’ will be the default value for the ‘format’. Subsequently, this value, denoted as $format, is passed as an argument to the TimeModel class.
In the TimeModel class, the $format value is provided as an argument in the constructor. It undergoes sanitization through the use of the addslashes() function. The addslashes() function essentially produces a string with backslashes preceding certain predefined characters, including the single quote (‘), double quote (“), backslash (\), and NULL.
Check Here to read more.
We won’t be able to perform an injection using those characters. Encoding the character with URL encoding is also not possible because $_GET[] decodes it before passing it to TimeModel().
Upon reviewing various sources, we can see the concept of a complex variable. While researching I found an article that explains how to bypass addslashes() using a complex variable. We can assign a variable using ${}.
Check here to read the article.
To verify its functionality, I experimented by inserting ${phpinfo()} to confirm if the PHP info banner could be retrieved. Successful test results confirmed that it indeed works!
payload: ${phpinfo()}
Next, I tried to the system(ls) command to enumerate the contents of the directory. It successfully functions and provides a listing of the contained directories.
payload: ${system(ls)}
I tried to list the contents of the root directory using the ‘ls /’ command, but it resulted in an empty page. This is because we did not use quotes like system(‘ls /’). But we cannot put quotes because there is the addslashes().
payload: ${system(ls /)}
How can we achieve this? 🤔🤔
Upon further research, I found a method involving the assignment of a variable followed by issuing a command to that variable. In this context, the $_GET[] parameter is employed.
The payload would take the form of ${system($_GET[a])}&a=ls. So, the portion susceptible to addslashes() sanitization is limited to ${system($_GET[a])}. We have the flexibility to insert any arbitrary command into the “a” variable.
Payload: ${system($_GET[a])}&a=ls /
We can see a file name beginning with “flag” as it might hold the flag. Explore the file to read the flag.
payload: ${system($_GET[a])}&a=cat /flagCycNH
Got a flag !!!!!!!!!!!!!!