# Queen of Hearts Write-Up
### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts).
Copyright © 2020 Team 0x194. Some Rights Reserved.
This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)
For attribution, we would appreciate it if you also included a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts).
> This may not be the intended solution, but it works! lol
> We first thought that it required us to exploit some Java serialization vulnerabilities...
> Yet it turns out to be so... dramatic

If you visit port 9010 on the target machine, you will find a jar file, `QOH_Client.jar`.
Download it and run it with `java -jar`.

```
Successfully connected to the server!
Please select an available action from the list below:
 Lists available files on the server
 Download available files from the server
 Authenticate to the server
Listing available files to download:
```

From the listing, we learn that solving this challenge gives us the **Queen of Hearts** card. However, we cannot download it directly, because the server returns:

```
Checking authentication status...
You are not authenticated. Please authenticate before attempting to download from the server
```

Okay, now let's disassemble the jar and play with it. Open your favorite IDE and set a breakpoint in the function `doDownload()`, right before the point where `Client.java` sends the authentication state to the server, i.e. `this.cliOut.writeObject(this.authState)`.

Execute the program and attempt the download. When the program hits the breakpoint, change `this.authState.loggedIn` to `true` and resume.

That's it! The flag has been downloaded! Compute its hashes to submit.

```
$ md5sum queen_of_hearts.png
```
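
The breakpoint edit works because the download decision depends on a field the client serializes. The added example below (not the challenge's server code, which this write-up does not show) contrasts that pattern with a check on state the server keeps itself; `ServerSession` and both `allowDownload*` methods are hypothetical names, and `AuthState` only mirrors the `authState.loggedIn` field named above.

```java
import java.io.*;

// Added example: hypothetical server-side checks, not the challenge's code.
public class AuthStateDemo {
    // Mirrors the client object named in the write-up; its layout is assumed.
    static class AuthState implements Serializable {
        boolean loggedIn;
    }

    // Hypothetical per-connection record that never leaves the server.
    static class ServerSession {
        boolean authenticated;   // set only after the server verifies credentials
    }

    // Weak: the decision is read from an object the client built and sent.
    static boolean allowDownloadWeak(AuthState fromClient) {
        return fromClient.loggedIn;
    }

    // Hardened: the client-supplied flag is ignored; only server state counts.
    static boolean allowDownloadHardened(ServerSession session, AuthState fromClient) {
        return session.authenticated;
    }

    // Round-trips the object the way writeObject/readObject would over a socket.
    static AuthState overTheWire(AuthState s) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(s);
        }
        try (ObjectInputStream in =
                 new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (AuthState) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        AuthState sent = new AuthState();
        sent.loggedIn = true;                        // flag set client-side, no login happened
        AuthState received = overTheWire(sent);

        ServerSession session = new ServerSession(); // server never saw valid credentials
        System.out.println("weak check allows download:     " + allowDownloadWeak(received));
        System.out.println("hardened check allows download: "
                + allowDownloadHardened(session, received));

        session.authenticated = true;                // what a verified login would record
        System.out.println("hardened check after login:     "
                + allowDownloadHardened(session, received));
    }
}
```

Run it with `java AuthStateDemo.java` (Java 11 or later); the weak check accepts the client's flag, while the hardened check only allows the download once the server-side session is marked authenticated.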