webPromedium

GhostRegister

hackerlab

Task: PHP 8.1 web app with login/registration storing serialized User object in cookie; profile.php deserializes it without validation. Solution: craft cookie with nested Output object in logger field to trigger __wakeup() → file_get_contents('/flag.txt') POP chain.

$ ls tags/ techniques/

file_read php deserialization object_injection unserialize pop_chain magic_methods cookie_tampering

php_object_injection_via_cookie_deserializationpop_chain_wakeup_magic_methodarbitrary_file_read_via_output_classcookie_tampering_for_auth_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Запретный код (Forbidden Code)— hackerlab
[web][Pro]Десериализатор— bug-makers
[web][Pro]Доступ запрещён (Access Denied)— hackerlab
[web][Pro]143 - Личный блог— duckerz
[web][free]POP Restaurant— HackTheBox