20.10 Lab: Using PHAR deserialization to deploy a custom gadget chain
This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain. To solve the lab, delete the morale.txt file from Carlos’s home directory. You can log in to your own account using the following credentials: wiener:peter | Karthikeyan Nagaraj
Description
This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain.
To solve the lab, delete the morale.txt file from Carlos's home directory.
You can log in to your own account using the following credentials: wiener:peter
Solution
1. Observe that the website has a feature for uploading your own avatar, which only accepts JPG images. Upload a valid JPG as your avatar.
2. After uploading the image, navigate to Target, then cgi-bin. There you can see a request; send it to Burp Repeater. Notice that the avatar is loaded using
GET /cgi-bin/avatar.php?avatar=wiener
3. In Burp Repeater, request
GET /cgi-bin
to find an index that shows a Blog.php and a CustomTemplate.php file. Obtain the source code by requesting the files with the .php~ backup extension.
4. Study the source code and identify the gadget chain involving the Blog->desc and CustomTemplate->lockFilePath attributes. Notice that the file_exists() filesystem method is called on the lockFilePath attribute.
5. Now we need to create a payload-embedded JPG file that performs an operation to delete the morale.txt file. To do that, download the files in the below repository (in.jpg, php.ini and phar_jpg_polyglot.php).
6. After downloading the above files, make sure in.jpg, php.ini and phar_jpg_polyglot.php are in the current directory, then type the following command:
php -c php.ini phar_jpg_polyglot.php
7. It will generate a file called out.jpg; upload that file as an avatar.
8. In the second step we sent the /cgi-bin/avatar.php request to Burp Repeater. Now modify the request line to deserialize your malicious avatar using a phar:// stream as follows:
GET /cgi-bin/avatar.php?avatar=phar://wiener
9. Send the request to solve the lab.
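Added example, not code from the lab or from the write-up's author: the unsafe pattern the solution depends on (a request parameter reaching file_exists() with PHP stream wrappers still honoured) next to a hardened avatar check that only ever sees a plain file name. AVATAR_DIR, the function names and the "<name>.jpg" storage layout are assumptions made for illustration.

```php
<?php
// Added example, not the lab's source. AVATAR_DIR, the function names and
// the "<name>.jpg" layout are assumptions made for illustration.
const AVATAR_DIR = '/var/www/avatars';

// Unsafe: the request parameter is used as-is. file_exists() honours PHP
// stream wrappers, so "phar://wiener" makes PHP open wiener.jpg as a PHAR
// archive and unserialize its metadata before this code inspects anything.
// phar.readonly=On does not prevent this; it only blocks creating archives.
// (PHP 8.0's upgrade notes state phar metadata is no longer unserialized
// automatically, so treat this as a PHP 7 hazard in particular.)
function avatar_exists_unsafe(string $name): bool {
    return file_exists($name . '.jpg');
}

// Hardened, step 1: accept only a plain identifier. A scheme prefix such as
// "phar://" or any path separator can never match, so no wrapper is reached.
function avatar_name_is_safe(string $name): bool {
    return preg_match('/^[a-z0-9_-]{1,32}$/', $name) === 1;
}

// Hardened, step 2: resolve inside AVATAR_DIR and confirm containment.
function avatar_exists_hardened(string $name): bool {
    if (!avatar_name_is_safe($name)) {
        return false;
    }
    $base = realpath(AVATAR_DIR);
    $path = realpath(AVATAR_DIR . '/' . $name . '.jpg');
    if ($base === false || $path === false) {
        return false;
    }
    return strncmp($path, $base . '/', strlen($base) + 1) === 0;
}

// Defence in depth: if the application never needs phar://, unregister the
// wrapper at startup so a missed validation elsewhere cannot reach it.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed inputs: the normal avatar name and the wrapper form from step 8.
foreach (['wiener', 'phar://wiener'] as $candidate) {
    printf("%-14s -> %s\n", $candidate,
        avatar_name_is_safe($candidate) ? 'accepted' : 'rejected');
}
```

Magic-byte checks on upload do not help on their own, because a PHAR can carry a valid JPG header (that is exactly what the polyglot in step 6 relies on); the name validation above is what keeps the stream wrapper out of reach.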
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng