Toxic (Hack The Box)

Toxic is an "Easy" difficulty web challenge on Hack The Box that serves as a classic introduction to Local File Inclusion (LFI) and log poisoning.

Identifying the Vulnerability

The required cookie contains a Base64-encoded string. Decoding this string reveals a serialized PHP object. This is a massive red flag: whenever a web application takes a serialized object from a user and deserializes it, it opens the door to insecure deserialization. The crux of the "Toxic" challenge lies in this vulnerability class.

Our first goal is to read the flag. We know the flag is located at /flag from the Docker configuration. We need to create a malicious serialized object where $file is set to /flag, Base64 encode it, and send it back as the required cookie.

The attacker must perform further enumeration, scouring the file system.

By using the LFI vulnerability to "include" the poisoned log file, the server executes the PHP payload, granting the attacker a shell or the ability to run commands.

Always audit __destruct, __wakeup, and __toString in PHP classes.

Comprehensive Reports & Resources

Explains the shift from LFI to RCE via log poisoning in depth.