1. Web Security Academy
  2. Insecure deserialization
  3. Exploiting
  4. Lab

Lab: Using PHAR deserialization to deploy a custom gadget chain

EXPERT

This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain.

To solve the lab, delete the morale.txt file from Carlos's home directory.

You can log in to your own account with the following credentials: wiener:peter

Try Burp Suite for Free

Find insecure deserialization vulnerabilities using Burp Suite

Try for free