Posts: 32
Threads: 1
Joined: Aug 2024
SpaghettiModel.php
Contains a __get() magic method that calls a function stored in the $sauce property.
maybe we can use this?
Posts: 32
Threads: 1
Joined: Aug 2024
Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Posts: 104
Threads: 8
Joined: Aug 2024
(Oct 12, 2024, 01:22 AM)olkn00b Wrote: Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Thanks for Hints for chain creation.
in my case on the local machine , its working .
┌──(kali㉿kali)-[~/…/Challenges/web/popres/challenge]
└─$ php flag.php
[hide cost=2]TzoxMzoiSGVscGVyc1xQaXp6YSI6MTp7czo0OiJzaXplIjtPOjE3OiJIZWxwZXJzXFNwYWdoZXR0aSI6MTp7czo1OiJzYXVjZSI7TzoxNjoiSGVscGVyc1xJY2VDcmVhbSI6MTp7czo3OiJmbGF2b3JzIjtPOjIwOiJIZWxwZXJzXEFycmF5SGVscGVycyI6NDp7aTowO2k6MDtpOjE7YTowOnt9aToyO2E6MTp7czoxMToiACoAY29tbWFuZHMiO2E6MTp7aTowO3M6MTU6ImNhdCAuLi9mbGFnLnR4dCI7fX1pOjM7Tjt9fX19[/hide]
Array
(
[0] => HTB{f4k3_fl4g_f0r_t35t1ng}
)
where would be output be seen on d webpage. as if I am putting the POST request in burp and then
there is Redirection taking place to index.php
Posts: 1
Threads: 0
Joined: Jul 2024
Hi all, i've generated the following payload:
Tzo1OiJQaXp6YSI6Mzp7czo1OiJwcmljZSI7TjtzOjY6ImNoZWVzZSI7TjtzOjQ6InNpemUiO086OToiU3BhZ2hldHRpIjozOntzOjU6InNhdWNlIjtPOjg6IkljZUNyZWFtIjoyOntzOjc6ImZsYXZvcnMiO086MjA6IkhlbHBlcnNcQXJyYXlIZWxwZXJzIjo0OntpOjA7aTowO2k6MTthOjA6e31pOjI7YToxOntzOjg6ImNhbGxiYWNrIjtzOjI1OiJzeXN0ZW0oJ2NhdCAvKmZsYWcudHh0Jyk7Ijt9aTozO047fXM6NzoidG9wcGluZyI7Tjt9czo3OiJub29kbGVzIjtOO3M6NzoicG9ydGlvbiI7Tjt9fQ==
It does not work. What's wrong?
Thanks 
Posts: 44
Threads: 1
Joined: Oct 2023
(Oct 12, 2024, 01:22 AM)olkn00b Wrote: Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Can you explain it more? It's slightly hard.
Posts: 32
Threads: 1
Joined: Aug 2024
(Oct 22, 2024, 03:50 PM)BFischer Wrote: (Oct 12, 2024, 01:22 AM)olkn00b Wrote: Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Can you explain it more? It's slightly hard.
Have not solved it yet, that was hints from someone who has
going back to this now, yes it's slightly hard
This payload works locally when testing but I can't get it to work on the target, tried multiple commands (id & some rev shells)
Tzo1OiJQaXp6YSI6MTp7czo0OiJzaXplIjtPOjk6IlNwYWdoZXR0aSI6MTp7czo1OiJzYXVjZSI7Tzo4OiJJY2VDcmVhbSI6MTp7czo3OiJmbGF2b3JzIjthOjE6e2k6MDtPOjEyOiJBcnJheUhlbHBlcnMiOjI6e3M6NDoiZGF0YSI7YToxOntpOjA7czoxNToiY2F0IC9ldGMvcGFzc3dkIjt9czo4OiJjYWxsYmFjayI7czoxNToiZXhlY3V0ZV9jb21tYW5kIjt9fX19fQ==
Not sure what I am doing wrong here, they all work good locally as said above.
Hmm.
Posts: 44
Threads: 1
Joined: Oct 2023
(Oct 23, 2024, 02:43 AM)olkn00b Wrote: (Oct 22, 2024, 03:50 PM)BFischer Wrote: (Oct 12, 2024, 01:22 AM)olkn00b Wrote: Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Can you explain it more? It's slightly hard.
Have not solved it yet, that was hints from someone who has
going back to this now, yes it's slightly hard
This payload works locally when testing but I can't get it to work on the target, tried multiple commands (id & some rev shells)
Tzo1OiJQaXp6YSI6MTp7czo0OiJzaXplIjtPOjk6IlNwYWdoZXR0aSI6MTp7czo1OiJzYXVjZSI7Tzo4OiJJY2VDcmVhbSI6MTp7czo3OiJmbGF2b3JzIjthOjE6e2k6MDtPOjEyOiJBcnJheUhlbHBlcnMiOjI6e3M6NDoiZGF0YSI7YToxOntpOjA7czoxNToiY2F0IC9ldGMvcGFzc3dkIjt9czo4OiJjYWxsYmFjayI7czoxNToiZXhlY3V0ZV9jb21tYW5kIjt9fX19fQ==
Not sure what I am doing wrong here, they all work good locally as said above.
Hmm.
Is it possible to automate this using phpggc or just manually?
Posts: 45
Threads: 2
Joined: Sep 2023
(Oct 23, 2024, 02:43 AM)olkn00b Wrote: (Oct 22, 2024, 03:50 PM)BFischer Wrote: (Oct 12, 2024, 01:22 AM)olkn00b Wrote: Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Can you explain it more? It's slightly hard.
Have not solved it yet, that was hints from someone who has
going back to this now, yes it's slightly hard
This payload works locally when testing but I can't get it to work on the target, tried multiple commands (id & some rev shells)
Tzo1OiJQaXp6YSI6MTp7czo0OiJzaXplIjtPOjk6IlNwYWdoZXR0aSI6MTp7czo1OiJzYXVjZSI7Tzo4OiJJY2VDcmVhbSI6MTp7czo3OiJmbGF2b3JzIjthOjE6e2k6MDtPOjEyOiJBcnJheUhlbHBlcnMiOjI6e3M6NDoiZGF0YSI7YToxOntpOjA7czoxNToiY2F0IC9ldGMvcGFzc3dkIjt9czo4OiJjYWxsYmFjayI7czoxNToiZXhlY3V0ZV9jb21tYW5kIjt9fX19fQ==
Not sure what I am doing wrong here, they all work good locally as said above.
Hmm.
Hi, did u figure this out yet ?
Posts: 1
Threads: 0
Joined: Oct 2024
(Oct 27, 2024, 07:45 PM)st123 Wrote: (Oct 23, 2024, 02:43 AM)olkn00b Wrote: (Oct 22, 2024, 03:50 PM)BFischer Wrote: (Oct 12, 2024, 01:22 AM)olkn00b Wrote: Here are hints if you stuck at creating the chain gadget
Object Chain Creation:
Use ArrayHelpers to manage a collection and set its callback to a function that can execute system commands.
Appending Commands:
Append a command that you want to execute to the ArrayHelpers instance.
Flavors Assignment:
Assign the ArrayHelpers instance to the flavors property of an IceCream object.
Invoke Behavior:
Make sure the IceCream object is invoked by passing it into another class.
Setting Sauce:
Use a Spaghetti object to hold the IceCream instance in its sauce property.
Pizza Class Usage:
Create a Pizza object and assign the Spaghetti instance to its size property.
Serialization:
Serialize the Pizza object and encode it to base64 for the payload.
Can you explain it more? It's slightly hard.
Have not solved it yet, that was hints from someone who has
going back to this now, yes it's slightly hard
This payload works locally when testing but I can't get it to work on the target, tried multiple commands (id & some rev shells)
Tzo1OiJQaXp6YSI6MTp7czo0OiJzaXplIjtPOjk6IlNwYWdoZXR0aSI6MTp7czo1OiJzYXVjZSI7Tzo4OiJJY2VDcmVhbSI6MTp7czo3OiJmbGF2b3JzIjthOjE6e2k6MDtPOjEyOiJBcnJheUhlbHBlcnMiOjI6e3M6NDoiZGF0YSI7YToxOntpOjA7czoxNToiY2F0IC9ldGMvcGFzc3dkIjt9czo4OiJjYWxsYmFjayI7czoxNToiZXhlY3V0ZV9jb21tYW5kIjt9fX19fQ==
Not sure what I am doing wrong here, they all work good locally as said above.
Hmm.
Hi, did u figure this out yet ?
Did you figure it out or do you still need help ?
Posts: 101
Threads: 2
Joined: Jun 2023
|
