LoveTok

LoveTok Hack The Box Web Challenge Writeup

Hello Everyone!

In this challenge we are presented with a website that shows a timer and a date predicting when we will find love, ahah 😄🎉

They give us the source files of the application, and we will go through them to understand how the application works. Two of them deserve most of our attention, because they decide the behavior of the application's endpoint.

These two files are TimeController.php, which defines the function that runs when we make a GET request to the website (see index.php), and TimeModel.php, which defines the model used by TimeController.php.

Since this is the only endpoint and method we have, we will explore it!

Before we proceed, I noticed something important about how the flag is generated inside entrypoint.sh. As we can see below, the name of the file that contains the flag is generated randomly, so before reading its contents we first need to find out that name.

TimeController.php

As we can see, the endpoint expects a parameter named "format" and passes it to the TimeModel constructor. It then returns the result of the model's getTime() function to the user who made the request. If the "format" parameter is not specified, the character 'r' is passed to the TimeModel constructor instead.

TimeModel.php

Analyzing the getTime() function, we notice a dangerous function, eval(), which builds a piece of code from the user-supplied "format" parameter and executes it. It may look simple at first, but if you look closely you will notice a call to addslashes that partially sanitizes our input. According to the documentation, this function escapes the characters ", ' and \ by prefixing them with a backslash, producing \", \' and \\ respectively.

This means that you can't simply inject something like system("ls"), because the double quotes will be escaped and the code will fail. A quick search turned up a blog post explaining how to bypass addslashes, and it is quite simple: we can use a variable declaration (PHP's ${...} syntax), which needs no quotes, to execute a function. For example:

var_dump(${phpinfo()}=123)

This runs the phpinfo() function and uses its result as the name of a new variable, which is assigned the value 123. var_dump then dumps that variable, so the output of the function call, phpinfo() in this case, ends up in the response.

The next step is to leverage this to call a function that lists a directory, so we can see the name of the flag file, and then call a PHP function to read the contents of the flag.

The same blog explains how we can pass arguments to the function called from the vulnerable parameter by supplying them in other request parameters. To enumerate the directory we want, I used the following payload:

http://<IP>:<PORT>/?format=var_dump(${system($_GET[1])}=123)&1=ls%20/

Then we use the same function with another command to read the flag file:

http://<IP>:<PORT>/?format=var_dump(${system($_GET[1])}=123)&1=cat%20/flagaSgB6

Another function we could use is readfile:

/?format=var_dump(${readfile($_GET[1])}=123)&1=/flagaSgB6
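The root cause of all of the above is that the "format" string reaches eval() at all; addslashes only escapes quotes and cannot make that safe. The following TimeModel is an added example (not the challenge's own source) showing how the same behaviour, date() applied to a user-supplied format for a random future time, can be implemented with the format treated as data: it is validated against an allowlist and handed to date() directly, so there is no code to inject into. The random offset and the allowlist pattern are assumptions.

```php
<?php
// Added example, not the challenge's TimeModel.php. Class and method names
// mirror the writeup; the offset and the allowlist are assumptions.
class TimeModel
{
    private string $format;
    private string $prediction;

    // Only date() format letters, digits and harmless separators are accepted.
    // Quotes, backslashes, '$', '(' , ')' and '{' are rejected outright, so no
    // input resembling code is ever used, and no escaping is needed.
    private const ALLOWED = '/^[a-zA-Z0-9 :,\/\.\-]{1,32}$/';

    public function __construct(string $format = 'r')
    {
        // Fall back to the default format instead of trying to "fix" bad input.
        if (!preg_match(self::ALLOWED, $format)) {
            $format = 'r';
        }
        $this->format = $format;

        // Random future offset (assumed to match the "when will I find love" timer).
        [$d, $h, $m, $s] = [rand(1, 24), rand(1, 60), rand(1, 60), rand(1, 60)];
        $this->prediction = "+{$d} day +{$h} hour +{$m} minute +{$s} second";
    }

    public function getTime(): string
    {
        // date() is called directly: the format is an argument, never source code,
        // so there is nothing for eval() to execute and nothing to bypass.
        return date($this->format, strtotime($this->prediction));
    }
}

// Same call shape as the controller described in the writeup.
$format = $_GET['format'] ?? 'r';
echo (new TimeModel($format))->getTime();
```

With this version a payload such as var_dump(${system($_GET[1])}=123) fails the allowlist and simply yields the default 'r' output, and a reviewer can confirm the fix by grepping the code base for any remaining eval() call.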
