Tags: deserialize java xxe 

Rating: 0

tl;dr:
1. Serialize class with the same name, package and serial version id with XXE xml payload to recover the key
2. Craft SPEL payload to load the flag

Full writeup: https://github.com/p4-team/ctf/tree/master/2019-09-07-trendmicro-quals/exploit_300