The application uses a base64-encoded cookie named PHPSESSID. This cookie contains a serialized PHP object that defines a file path (defaulting to /www/index.html).
With the log poisoned, we can now pass commands to the server via a URL parameter. By navigating to http:// : /?cmd=cat /flag, the system() function we injected will execute the command and display the flag on the page.

💡 Key Takeaways
We cannot read the flag directly because the www-data user might not have access. We need to pivot. Using the XXE, we read:
The upload form accepts and markdown files. Upon upload, the server generates a PDF report for download. This is the core functionality we must attack.
The initial foothold does not have a CVE number. It is a business logic flaw in how the app handles Markdown metadata. This is the essence of the – finding zero-days in custom code.
The developer tried using escapeshellarg(), but the PDF library inside the generate_report binary has its own parser vulnerabilities.