Copyright © 2020 Team 0x194. Some Rights Reserved.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License
For attribution, we would appreciate if you also include a link to our original write-up
This may not be the intended solution, but it works! lol
We first thought that it required us to exploit some Java serialization vulnerabilities...
Yet it turns out to be so... dramatic
If you visit port 9010 on the target machine, you can find a jar file, QOH_Client.jar. Download it and run it with the java -jar command.
Successfully connected to the server!
Please select an available action from the list below:
[1] Lists available files on the server
[2] Download available files from the server
[3] Authenticate to the server
1
Executing action...
Listing available files to download:
test.txt
queen_of_hearts.png
todo.md
From this listing we know that the goal of the challenge is the Queen of Hearts card. However, we cannot download it directly, as the server returns:
Checking authentication status...
You are not authenticated. Please authenticate before attempting to download from the server
Okay, now let's decompile the jar and play with it. Open your favorite IDE and set a breakpoint in the function doDownload() in Client.java, right before the client sends its authentication state to the server, i.e. this.cliOut.writeObject(this.authState). Execute the program and attempt the download. When the program hits the breakpoint, change this.authState.loggedIn to true and resume.
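The reason this works is that the server believes an authentication object the client itself serializes. The following is an added example, not the challenge's code: the class and field names are assumed from the write-up's this.authState.loggedIn, and the server behaviour is a reconstruction of what the observed responses imply. It contrasts a gate that trusts the deserialized AuthState with one that tracks authentication on the server.

```java
import java.io.*;

// Hypothetical reconstruction of the client's auth object; the field name follows
// the write-up's this.authState.loggedIn, everything else is assumed.
class AuthState implements Serializable {
    private static final long serialVersionUID = 1L;
    boolean loggedIn;
}

public class DownloadGate {
    // Vulnerable pattern: deserialize whatever the client sent and believe its
    // loggedIn flag, so the check is effectively made on the client.
    static boolean allowDownloadVulnerable(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        AuthState claimed = (AuthState) in.readObject();
        return claimed.loggedIn;
    }

    // Hardened pattern: the server keeps its own per-connection record that only
    // becomes true after a credential check done on the server. Nothing the
    // client serializes is consulted, so nothing it flips matters.
    static final class Session {
        private boolean authenticated = false;
        void authenticate(String user, String password) {
            // Placeholder check; a real server compares against a stored hash.
            if ("alice".equals(user) && "correct horse".equals(password)) {
                authenticated = true;
            }
        }
        boolean isAuthenticated() { return authenticated; }
    }

    static boolean allowDownloadHardened(Session session) {
        return session.isAuthenticated();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an AuthState claiming loggedIn = true with no credentials presented.
        AuthState forged = new AuthState();
        forged.loggedIn = true;
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(forged);
        }
        ObjectInputStream wire = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()));
        System.out.println("vulnerable gate allows download: " + allowDownloadVulnerable(wire));
        System.out.println("hardened gate allows download:   " + allowDownloadHardened(new Session()));
    }
}
```

The hardened gate also has no reason to call readObject on client input at all, which removes the deserialization attack surface the write-up first suspected.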
That's it! The flag has been downloaded! Compute its hashes to submit.
$ md5sum queen_of_hearts.png
717ffaff8f2e6b963333dc46dad60ced queen_of_hearts.png