webfreemedium

POP Restaurant

HackTheBox

"Spent a week to create this food ordering system. Hope that it will not have any critical vulnerability in my application."

$ ls tags/ techniques/
php_object_injection  pop_chain  insecure_deserialization  call_user_func_rce


Target: http://154.57.164.65:30759

Technology Stack

  • PHP 7.4 with Apache on Debian
  • SQLite database for user/order storage
  • Flag stored at /<random_12chars>_flag.txt on the server (randomized filename)

Architecture

PHP food ordering web application with the following structure:

File                              Purpose
register.php / login.php          User registration and login (session-based auth)
index.php                         Main page with food order buttons (Pizza, IceCream, Spaghetti)
order.php                         Processes orders — deserializes user-controlled POST data
Models/PizzaModel.php             Pizza class with __destruct() magic method
Models/SpaghettiModel.php         Spaghetti class with __get() magic method
Models/IceCreamModel.php          IceCream class with __invoke() magic method
Helpers/ArrayHelpers.php          Extends ArrayIterator; its current() calls call_user_func()
Models/DatabaseModel.php          SQLite database operations
Helpers/CheckAuthentication.php   Session-based auth check

Each food order button on index.php submits a form with a hidden data field containing base64_encode(serialize(new Pizza())) etc. — this is the intended flow.

Analysis

Vulnerability: PHP Object Injection via unserialize()

The critical vulnerability is in order.php (line 16):

$order = unserialize(base64_decode($_POST['data']));

The application deserializes the data POST parameter without any validation or class allowlist. Since PHP's unserialize() can instantiate any class that is defined (or autoloadable) at the time of the call and set arbitrary property values on it, an attacker can craft a serialized object that chains magic methods across multiple classes to achieve Remote Code Execution.
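As an added example (not the challenge's own code), the following shows two ways to harden the order.php line quoted above. The class names Pizza, IceCream and Spaghetti come from the writeup; the menu map, the HMAC key and the helper names are assumptions made for this example.

```php
<?php
// Added example, not the challenge's code. Demonstrates hardening the
// unserialize(base64_decode($_POST['data'])) pattern from order.php.
declare(strict_types=1);

// Stand-ins for the challenge's model classes (assumption: the real ones live in Models/).
class Pizza     { public string $name = 'Pizza'; }
class IceCream  { public string $name = 'IceCream'; }
class Spaghetti { public string $name = 'Spaghetti'; }

// Option A: never let the client pick the class. Accept only a menu key and
// build the object server-side from an allowlist. No unserialize() at all.
const MENU = ['pizza' => Pizza::class, 'icecream' => IceCream::class, 'spaghetti' => Spaghetti::class];

function orderFromMenuKey(string $key): object
{
    if (!array_key_exists($key, MENU)) {
        throw new InvalidArgumentException('unknown menu item');
    }
    $class = MENU[$key];
    return new $class();
}

// Option B: if serialized state really must round-trip through the client,
// sign it so a tampered blob is rejected before unserialize() runs, and still
// restrict which classes may be instantiated.
function signOrder(object $order, string $key): string
{
    $payload = base64_encode(serialize($order));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function verifyAndUnserialize(string $token, string $key): object
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        throw new RuntimeException('malformed token');
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time; a plain === leaks timing.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('bad signature');
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        throw new RuntimeException('bad base64');
    }
    // allowed_classes (PHP >= 7.0) limits what unserialize() may instantiate.
    // Any other class becomes __PHP_Incomplete_Class, so no magic method of a
    // gadget class (ArrayIterator subclasses included) ever runs.
    $order = unserialize($raw, ['allowed_classes' => array_values(MENU)]);
    if (!is_object($order) || !in_array(get_class($order), MENU, true)) {
        throw new RuntimeException('unexpected object');
    }
    return $order;
}

// Demo. Assumption: in a real app the key is loaded from configuration.
$key   = 'replace-with-a-secret-from-config';
$token = signOrder(new Pizza(), $key);
echo get_class(verifyAndUnserialize($token, $key)), "\n";

// A client-modified blob (first character changed) fails the MAC check.
$tampered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1);
try {
    verifyAndUnserialize($tampered, $key);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Option A is the one to prefer: the client only needs to say which item it wants, so there is no reason for a serialized object to leave the server. Option B is for cases where existing code cannot be restructured; note that allowed_classes alone does not stop property tampering on the allowed classes, which is why the HMAC is still required.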

Gadget Classes (Magic Methods)

Four classes provide the building blocks for the POP chain:

1. Pizza::__destruct()

public function __destruct() { echo $this->size->what; }

Accesses the what property of $this->size. If size is an object whose class has no accessible what property but defines __get(), PHP calls that class's __get('what').
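Because the chain works by nesting objects inside one another, a defender can catch it before unserialize() ever runs by looking at which classes a blob would instantiate. The following is an added example, not code from the writeup: a small audit function for the data parameter, usable as a pre-check in order.php or over request logs. The sample blobs are constructed here (the second nests a harmless stdClass to stand in for any unexpected inner object), and the expected-class list is the challenge's menu.

```php
<?php
// Added example, not the challenge's code. Audits a base64 order blob and
// reports the classes an unserialize() of it would instantiate.
declare(strict_types=1);

/**
 * Return every class name that unserialize($serialized) would instantiate.
 * Object tokens look like O:<len>:"<name>":  (C: is the Serializable form).
 * Anchoring on the preceding separator avoids false hits from string values
 * such as s:5:"Pizza". A string that itself contains ;O:5:"X": still matches;
 * for triage that errs on the side of flagging, which is what we want.
 */
function serializedClassNames(string $serialized): array
{
    preg_match_all('/(?:^|[;{])[OC]:\d+:"([^"]+)":/', $serialized, $m);
    return array_values(array_unique($m[1]));
}

/** Audit one base64 blob against the classes the form is expected to send. */
function auditOrderBlob(string $b64, array $expected): array
{
    $raw = base64_decode($b64, true); // strict: reject stray characters
    if ($raw === false) {
        return ['ok' => false, 'reason' => 'not base64', 'classes' => []];
    }
    $classes    = serializedClassNames($raw);
    $unexpected = array_values(array_diff($classes, $expected));
    // The legitimate form posts exactly one flat object, so more than one
    // class in a blob is a signal on its own even when every name is known.
    $nested = count($classes) > 1;

    if ($unexpected !== []) {
        $reason = 'unexpected class: ' . implode(',', $unexpected);
    } elseif ($nested) {
        $reason = 'nested objects';
    } else {
        $reason = 'clean';
    }
    return ['ok' => $unexpected === [] && !$nested, 'reason' => $reason, 'classes' => $classes];
}

// Constructed samples (assumption: what index.php's form sends looks like the first one).
$expected = ['Pizza', 'IceCream', 'Spaghetti'];
$samples  = [
    'legit'    => base64_encode('O:5:"Pizza":0:{}'),
    'nested'   => base64_encode('O:5:"Pizza":1:{s:4:"size";O:8:"stdClass":0:{}}'),
    'garbage'  => 'not*base64*',
];

foreach ($samples as $label => $blob) {
    $r = auditOrderBlob($blob, $expected);
    printf("%-8s ok=%s  %s  [%s]\n", $label, $r['ok'] ? 'yes' : 'no', $r['reason'], implode(',', $r['classes']));
}
```

This is a detection aid, not a replacement for removing unserialize() on client data: a regex over the serialized text can be evaded in ways a real parser cannot, so treat a "clean" result as "nothing obvious" and a flagged one as worth logging with the client IP and session.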

...
