THM: Jason
Jason is an easy box where we’ll practice exploiting insecure deserialization in NodeJS. To make it a little more interesting, this is a blind vulnerability, meaning we’ll have to find some other way besides checking if our input is reflected back to us to verify code execution.
THM: Debug
In Debug we’ll practice an exploitation technique called PHP Objection Injection, also known as a PHP deserialization attack. This vulnerability occurs when an application does not sanitize user-supplied input before passing it to the
unserialize()
function. It is not unique to PHP, and is also found in Python, Java, Node.js, and other object-oriented languages.