# Queen of Hearts Write-Up
### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts).
Copyright © 2020 Team 0x194. Some Rights Reserved.
This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)
For attribution, we would appreciate if you also include a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Queen_of_Hearts)
> This may not be the intended solution, but it works! lol
> We first thought that it required us to exploit some java serialization vulnerabilities...
> Yet it turned out to be so... dramatic
If you visit port 9010 on the target machine, you can find a jar file `QOH_Client.jar`.
Download it and run it with `java -jar QOH_Client.jar`.
```
Successfully connected to the server!
Please select an available action from the list below:
[1] Lists available files on the server
[2] Download available files from the server
[3] Authenticate to the server
1
Executing action...
Listing available files to download:
test.txt
queen_of_hearts.png
todo.md
```
From the listing we know that solving this challenge yields the **Queen of Hearts** card. However, we cannot download it directly, as the server returns:
```
Checking authentication status...
You are not authenticated. Please authenticate before attempting to download from the server
```
Okay, now let's decompile the jar and play with it. Open your favorite IDE and set a breakpoint in `doDownload()` right before `Client.java` sends its authentication state to the server, i.e. at `this.cliOut.writeObject(this.authState)`.
![breakpoint](https://user-images.githubusercontent.com/49149993/101406258-2eaab280-3914-11eb-881c-f8e4357d1269.jpg)
Execute the program and attempt the download. As the program hits the breakpoint, change `this.authState.loggedIn` to `true` and resume.
![file downloaded](https://user-images.githubusercontent.com/49149993/101406298-3a967480-3914-11eb-9192-c4194b31fcf5.jpg)
That's it! The flag has been downloaded. Compute its hash to submit:
```
$ md5sum queen_of_hearts.png
717ffaff8f2e6b963333dc46dad60ced queen_of_hearts.png
```
![Queen of Hearts](https://user-images.githubusercontent.com/49149993/101406392-58fc7000-3914-11eb-9f09-1b5539ecf82b.png)
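The root cause of this bypass is that the server accepts the client's own serialized `authState` as proof of authentication, so a single field flipped in a debugger is enough. The following is an added illustration, not the challenge's or the client's own code; the class names, the `sessions` map and the sample credential are assumptions. It puts that trust decision beside a server-side version that only honours a session the server itself issued after a real login, and ignores whatever the client claims:

```java
import java.io.Serializable;
import java.security.MessageDigest;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical client-controlled object, modelled on the authState the client writes before a download.
class AuthState implements Serializable {
    boolean loggedIn;
}

class VulnerableServer {
    // Decides on the client's own word: an attacker-controlled loggedIn flag is the whole check.
    boolean mayDownload(AuthState clientSent) {
        return clientSent.loggedIn;
    }
}

class HardenedServer {
    // Authorization lives here, keyed by an opaque session id the server created after a successful login.
    private final Map<String, Boolean> sessions = new ConcurrentHashMap<>();
    // Constructed sample credential for the demo; a real server checks a salted password hash instead.
    private final Map<String, String> creds = Map.of("alice", "correct horse battery staple");

    String login(String user, String password) {
        String expected = creds.get(user);
        if (expected == null) return null;
        // Constant-time comparison so the check does not leak how many bytes matched.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   password.getBytes(StandardCharsets.UTF_8))) return null;
        String sid = UUID.randomUUID().toString();
        sessions.put(sid, Boolean.TRUE);
        return sid;
    }

    // The client's AuthState is never consulted; only the server's own record of the session counts.
    boolean mayDownload(String sessionId, AuthState ignoredClientClaim) {
        return sessionId != null && sessions.containsKey(sessionId);
    }
}

public class AuthDemo {
    public static void main(String[] args) {
        AuthState forged = new AuthState();
        forged.loggedIn = true; // the state a debugger edit on the client produces
        System.out.println("vulnerable server, forged flag: " + new VulnerableServer().mayDownload(forged));
        HardenedServer h = new HardenedServer();
        System.out.println("hardened server, forged flag only: " + h.mayDownload(null, forged));
        String sid = h.login("alice", "correct horse battery staple");
        System.out.println("hardened server, real login: " + h.mayDownload(sid, forged));
    }
}
```

The same principle applies to any flag the client serializes for the server: treat it as untrusted input, and keep the decision and its state on the server side.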