The vulnerability of this challenge is we could change the URL for the remote widget to our host. So, we could create a malicious widget to create a widget and the application will deserialize our malicious widget. idk about the name of this vulnerability, perhaps we could call it widget hijacking ¯\\\_(ツ)_/¯

[https://nyxsorcerer.github.io/write-up-ctf-defcon-2022-quals-discoteq/](https://nyxsorcerer.github.io/write-up-ctf-defcon-2022-quals-discoteq/)

Original writeup (https://nyxsorcerer.github.io/write-up-ctf-defcon-2022-quals-discoteq/).