20.10 Lab: Using PHAR deserialization to deploy a custom gadget chain


Karthikeyan Nagaraj
Aug 11, 2024

Description


This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain.

To solve the lab, delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

Solution

  1. Observe that the website has a feature for uploading your own avatar, which only accepts JPG images. Upload a valid JPG as your avatar.
  2. After uploading the image, open the Target tab in Burp and expand the cgi-bin directory. There you can see the request that loads your avatar; send it to Repeater. Notice that the avatar is loaded using GET /cgi-bin/avatar.php?avatar=wiener.
  3. In Burp Repeater, request GET /cgi-bin to find an index that lists Blog.php and CustomTemplate.php. Obtain the source code by requesting the files with the .php~ backup extension.
  4. Study the source code and identify the gadget chain involving the Blog->desc and CustomTemplate->lockFilePath attributes.
  5. Notice that the file_exists() filesystem method is called on the lockFilePath attribute.
  6. Now we need to create a JPG file with an embedded PHAR payload that deletes the morale.txt file.
  7. To do that, download the files from the repository linked below (in.jpg, php.ini and phar_jpg_polyglot.php).

8. After downloading the files, make sure in.jpg, php.ini and phar_jpg_polyglot.php are in the current directory, then run the following command:

php -c php.ini phar_jpg_polyglot.php

9. It will generate a file called out.jpg; upload that file as your avatar.

10. Go back to the /cgi-bin/avatar.php request you sent to Burp Repeater in step 2 and modify the request line so that your malicious avatar is deserialized through a phar:// stream, as follows:

GET /cgi-bin/avatar.php?avatar=phar://wiener

11. Send the request to solve the lab.
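As an added example that is not part of the lab or of this write-up, here is the vulnerable lookup pattern behind step 5 next to a hardened version. The avatar.php shape and the avatar directory layout are assumptions; the security-relevant point is that file_exists() and the other filesystem functions resolve stream wrappers, so a phar:// path that reaches them unserializes the PHAR's metadata (on PHP before 8.0) without any explicit unserialize() call.

```php
<?php
// Added example, not the lab's own code. The lookup below is an assumed
// shape of avatar.php: the name comes straight from the query string and
// reaches file_exists(), so "phar://wiener" is resolved as a stream and the
// uploaded polyglot's metadata is unserialized (PHP < 8.0).
function avatarPathVulnerable(string $avatarDir, string $name): ?string
{
    $path = $avatarDir . '/' . $name . '.jpg';   // "phar://wiener.jpg" survives untouched
    return file_exists($path) ? $path : null;    // sink: the stream wrapper is resolved here
}

// Hardened variant: the user input is treated as a label, never as a path.
function avatarPathHardened(string $avatarDir, string $name): ?string
{
    // 1. Allowlist the username shape. No '/', ':' or '.' can pass, so neither a
    //    stream wrapper (phar://, php://, ...) nor a traversal can be spelled.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return null;
    }
    // 2. Resolve the final path and confirm it is still inside the avatar dir
    //    (realpath() returns false for a missing file, which we treat as "none").
    $base = realpath($avatarDir);
    $path = realpath($base . '/' . $name . '.jpg');
    if ($base === false || $path === false
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// 3. Belt and braces for code that must keep using user-influenced paths:
//    unregister the phar wrapper for this request, after which file_exists()
//    and friends cannot open phar:// URLs at all.
stream_wrapper_unregister('phar');
```

Upgrading to PHP 8.0 or later also closes this specific trigger, since phar metadata is then only unserialized by an explicit Phar::getMetadata() call rather than by filesystem functions.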
