For a detailed writeup follow the link.

- RMI server running on target
- We can inject code by passing custom objects to the remote method
- Due to a bad security manager we can access the file system
- Flag is stored in file `flag`

Original writeup (https://github.com/LevitatingLion/ctf-writeups/tree/master/polictf_2017/lamermi_484).