# Queen of Hearts Write-Up

### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts).

Copyright © 2020 Team 0x194. Some Rights Reserved.

This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)

For attribution, we would appreciate if you also include a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts)

> This may not be the intended solution, but it works! lol
> We first thought that it required us to exploit some Java serialization vulnerabilities...
> Yet it turns out to be so... dramatic

If you visit port 9010 on the target machine, you can find a jar file `QOH_Client.jar`.

Download it and run it with `java -jar` commands.

```text
Successfully connected to the server!
Please select an available action from the list below:
[1] Lists available files on the server
[2] Download available files from the server
[3] Authenticate to the server

Executing action...
Listing available files to download:
```

Thus, we can know that solving this challenge gives us the **Queen of Hearts** card. However, we cannot download it directly as the server returns:

```text
Checking authentication status...
You are not authenticated. Please authenticate before attempting to download from the server
```

Okay, now let's decompile the jar and play with it. Open your favorite IDE, load the decompiled sources, and set a breakpoint in the function `doDownload()` right before `Client.java` sends its authentication state to the server, i.e. `this.cliOut.writeObject(this.authState)`.


Execute the program and attempt the download. As the program hits the breakpoint, change `this.authState.loggedIn` to `true` and resume.
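The download succeeds because the server believes whatever `authState` object the client sends it. The following Java program is an added illustration written for this write-up, not code from the challenge or from Team 0x194: it shows a minimal `AuthState` bean round-tripped through `ObjectOutputStream`/`ObjectInputStream` exactly as it would travel over the socket, a vulnerable check that trusts the client's `loggedIn` field, and a hardened `SessionStore` that keeps authorization state on the server and keyed by a token it issued itself. All class, method and credential names are assumptions chosen for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example (not the challenge's own code): a client-supplied
// authentication flag is not evidence of anything; only server-held
// session state is.
public class AuthStateDemo {

    // Stands in for the client's serialized authState: a plain bean whose
    // fields the client controls completely, whether via a debugger or a
    // hand-built byte stream.
    static class AuthState implements Serializable {
        private static final long serialVersionUID = 1L;
        boolean loggedIn;
        String username;

        AuthState(boolean loggedIn, String username) {
            this.loggedIn = loggedIn;
            this.username = username;
        }
    }

    // Vulnerable pattern: the server deserializes the object and trusts it.
    static boolean vulnerableMayDownload(AuthState fromClient) {
        return fromClient.loggedIn;
    }

    // Hardened pattern: the server never reads an authorization decision
    // from the wire. It verifies credentials once, issues an unguessable
    // token, and later checks only whether that token is in its own table.
    static class SessionStore {
        private final Map<String, String> sessions = new HashMap<>(); // token -> username
        private final SecureRandom rng = new SecureRandom();

        // Constructed credential check for the example; a real server would
        // compare against a stored password hash.
        String login(String username, String password) {
            if (!"correct horse".equals(password)) {
                return null;
            }
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(token, username);
            return token;
        }

        boolean mayDownload(String token) {
            return token != null && sessions.containsKey(token);
        }
    }

    // Serialize and deserialize the bean the way the client/server pair does
    // over the socket, so the server sees exactly what the client chose to send.
    static AuthState roundTrip(AuthState state) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(state);
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (AuthState) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A client that never authenticated but sends loggedIn=true, which is
        // what the breakpoint edit above produces.
        AuthState forged = roundTrip(new AuthState(true, "nobody"));
        System.out.println("vulnerable server allows download: " + vulnerableMayDownload(forged));

        SessionStore store = new SessionStore();
        // Anything the client asserts about itself is ignored; only a token the
        // server handed out after a successful login opens the download.
        System.out.println("hardened, no token:      " + store.mayDownload(null));
        System.out.println("hardened, made-up token: " + store.mayDownload("loggedIn=true"));
        String token = store.login("alice", "correct horse");
        System.out.println("hardened, real session:  " + store.mayDownload(token));
    }
}
```

Compile and run with `javac AuthStateDemo.java && java AuthStateDemo`. Two design points are worth noting for anyone building a server like this one: the authorization decision must be computed from state the server owns (here the `sessions` map), never from a field in an object the client serialized; and accepting arbitrary `readObject()` input from the network is itself risky, so a real server should also restrict which classes it will deserialize, for example with the `ObjectInputFilter` mechanism available since Java 9, rather than only fixing the trust problem shown here.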

![file downloaded](https://user-images.githubusercontent.com/49149993/101406298-3a967480-3914-11eb-9192-c4194b31fcf5.jpg)

That's it! The flag has been downloaded! Compute its MD5 hash to submit.

```shell
$ md5sum queen_of_hearts.png
717ffaff8f2e6b963333dc46dad60ced queen_of_hearts.png
```

![Queen of Hearts](https://user-images.githubusercontent.com/49149993/101406392-58fc7000-3914-11eb-9f09-1b5539ecf82b.png)

