HTB challenge: LoveTok (php addslashes restricted quotes bypass)

The challenge

On a recent hackthebox challenge the following code required to be exploited to get the flag:

<?php
class TimeModel
{
public function __construct($format)
{ 
$this->format = addslashes($format);

[ $d, $h, $m, $s ] = [ rand(1, 6), rand(1, 23), rand(1, 59), rand(1, 69) ];
$this->prediction = "+${d} day +${h} hour +${m} minute +${s} second";
}

public function getTime()
{
eval('$time = date("' . $this->format . '", strtotime("' . $this->prediction . '"));');
return isset($time) ? $time : 'Something went terribly wrong';
}
}

HTB: Networked walkthrough

“Networked” Info Card

Slight hint(s): Unrestricted file upload, bypass image upload restriction, bypass mimetype restriction
Slight hint(s) (PE): shell command injection, unescaped variable command injection
Continue reading

Haystack – hackthebox.eu walkthrough

This is a walkthrough on the machine called Haystack on hackthebox.eu, which most users found frustrating and/or annoying. Personally I would describe it more as a kind of annoying box, and although rated as easy my personal opinion is at least the Privilege Escalation part should be falling a bit more into the intermediate category. cat >> /etc/hosts <<<“10.10.10.115 haystack.htb”
Continue reading

Writeup walkthrough – hackthebox.eu

Introduction

This is a walkthrough on the retired htb machine called Writeup, which was rated as easy by most users, although the box had some quite tricky vectors, especially in Privilege Escalation.
Continue reading