webPromedium

Lab 124 — SprintForge — Insecure Deserialization via Cookie Session + Debug Key Leak

hackadvisor

Task: Laravel 10.48.4 project management app with APP_DEBUG=true leaking APP_KEY via Ignition error page, and SESSION_DRIVER=cookie enabling deserialization. Solution: Extract APP_KEY from debug page, craft phpggc Laravel/RCE gadget chain, encrypt as Laravel cookie with AES-256-CBC, inject as laravel_session to trigger unserialize() RCE, exfiltrate flag via OOB curl to Interaction Server.

$ ls tags/ techniques/

rce php information_disclosure debug_mode nginx deserialization aes_cbc decoy_flag laravel phpggc app_key oob_exfiltration cookie_session ignition

decoy_flag_avoidancelaravel_debug_mode_environment_leakapp_key_extraction_from_ignition_pagephpggc_laravel_rce_gadget_chainlaravel_cookie_session_deserialization_rceaes_256_cbc_encryption_with_leaked_keyoob_data_exfiltration_via_curl

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 353 — MailForge — Insecure Deserialization via Custom Session Handler— hackadvisor
[web][Pro]Lab 13 — WebForge — Insecure Deserialization in Config Import— hackadvisor
[web][Pro]Lab 385 — SprintForge — Prototype Pollution to RCE via React Flight Protocol— hackadvisor
[web][Pro]Lab 362 — LogPulse — Insecure Deserialization via Pickle Session Cookie— hackadvisor
[web][Pro]Lab 313 — ThreadForge — PHAR Deserialization Chain via Backup Leak & Chunked Upload— hackadvisor