# Queen of Hearts Write-Up

### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts).

For attribution, we would appreciate if you also include a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts).

> This may not be the intended solution, but it works! lol
> We first thought that it required us to exploit some Java serialization vulnerabilities...
> Yet it turns out to be so... dramatic

If you visit port 9010 on the target machine, you can find a jar file, `QOH_Client.jar`.

Download it and run it with `java -jar QOH_Client.jar`:


```
Successfully connected to the server!
Please select an available action from the list below:
[1] Lists available files on the server
[3] Authenticate to the server

1
Executing action...

test.txt
queen_of_hearts.png
todo.md
```

Thus, we know that solving this challenge gives us the **Queen of Hearts** card. However, we cannot download it directly, as the server only returns:


```
Checking authentication status...
```

Okay, now let's disassemble the jar and play with it. Open your favorite IDE and set a breakpoint in the function `doDownload()`, right before the point where Client.java sends its authentication state to the server, i.e. `this.cliOut.writeObject(this.authState)`.

Execute the program and attempt the download. When the program hits the breakpoint, change `this.authState.loggedIn` to `true` and resume.

That's it! The flag has been downloaded! Compute its hashes to submit.


```
$ md5sum queen_of_hearts.png
```
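The root cause is that the server trusts an authentication state object that the client serializes and sends itself. The following is an added, constructed example (not the challenge's or the client's real code) that contrasts a server which believes the client's `loggedIn` flag with one that keeps authentication state on its own side; the `AuthState` class, the credential values and the method names are assumptions for illustration.

```java
import java.io.*;

// Constructed example: the client ships its own authState over the wire;
// the weak server trusts it, the hardened server keeps the state itself.
public class AuthStateDemo {
    // Hypothetical stand-in for the client's serialized authState object.
    static class AuthState implements Serializable {
        boolean loggedIn;
        AuthState(boolean loggedIn) { this.loggedIn = loggedIn; }
    }

    // Simulates this.cliOut.writeObject(this.authState) into a byte buffer.
    static byte[] clientSends(AuthState state) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(state);
        }
        return buf.toByteArray();
    }

    // Weak server: deserializes the client's AuthState and believes its
    // loggedIn flag, so a client that flips the flag gets the download.
    static boolean weakServerAllowsDownload(byte[] wire)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            AuthState fromClient = (AuthState) in.readObject();
            return fromClient.loggedIn;
        }
    }

    // Hardened server: a per-connection flag set only after a credential check.
    // Nothing the client claims about its own login status is ever read.
    static class ServerSession {
        private boolean authenticated = false;

        boolean login(String user, String password) {
            // Hypothetical check; a real server verifies a stored hash or token.
            authenticated = "alice".equals(user) && "correct-horse".equals(password);
            return authenticated;
        }

        boolean allowsDownload() { return authenticated; }
    }

    public static void main(String[] args) throws Exception {
        byte[] forged = clientSends(new AuthState(true)); // client never logged in
        System.out.println("weak server grants download: " + weakServerAllowsDownload(forged));
        ServerSession session = new ServerSession();
        System.out.println("hardened server, no login: " + session.allowsDownload());
        session.login("alice", "correct-horse");
        System.out.println("hardened server, after login: " + session.allowsDownload());
    }
}
```

The hardened variant also never calls `readObject()` on client-controlled bytes for this decision, which removes the deserialization surface the write-up initially suspected.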