Day 8: Insecure deserialization
Serialization is the process by which objects are converted into byte streams for storage or transmission, for example into memory or a database. The reverse process is deserialization.
Insecure deserialization occurs when an attacker leverages the serialization process to pass malicious data or code to the application. This vulnerability is enabled by an application that fetches data without any validation checks. It can allow an attacker to gain remote access to the web application servers in what is known as Remote Code Execution (RCE).
I found this blog informative on serialization and insecure deserialization.
LAB 1: INSECURE DESERIALIZATION — COOKIES PRACTICAL
This lab requires that we access and modify the cookie values in order to get privileged access.
First Flag (Cookie Value)
Logging in to the app directs you to the profile page, which gives information that includes your user access level.
The challenge gives us the hint that the first flag is in one of the cookies:
Right-click the page and navigate to Inspect Element.
Click the Application tab, then Storage.
On the Cookies tab, you can see that the cookie values are stored either in plaintext or encoded in base64 (e.g. sessionid).
Since all the other cookies are in plaintext, we can tell that none of them contains the flag. However, the sessionid cookie value is encoded.
Decode the cookie value (I used base64decode.org online) to get the flag.
Second Flag (Admin Dashboard)
The second challenge requires that we modify the cookie values in order to get admin access.
On login, the myprofile page shows the user access level. This information is reflected in the cookies table with the name “userType” and value “user”. This shows that the userType field represents the user access level, that is, what a user can do in the system.
The cookie can therefore be modified to admin so as to give you the admin rights. This can simply be achieved by double-clicking on the field value and changing it to admin.
Having changed the access rights to admin, you can navigate to the app’s admin page using url/admin.
As long as the browser tab is still open, you will be immediately redirected to the admin dashboard (url/admin) on every login.
When you change the value back to “user” and attempt to log in again, you’ll be redirected to the user home page url/myprofile.
LAB 2: INSECURE DESERIALIZATION — CODE EXECUTION
In this lab, we are expected to pass an encoded payload to the web server to get a remote shell and find the flag on flag.txt file.
First, change the userType cookie from “admin” to “user” and navigate back to the myprofile page.
On the left side of the myprofile page, left-click on “Exchange your vim” — when you do this, a cookie is encoded and stored in the browser.
After this, left-click on “Provide your feedback!”. You should be redirected to the feedback page. When you visit this page, the cookie that was created is obtained, decoded and deserialized. This process can be exploited using the Python pickleme payload. The payload is attached in the TryHackMe room.
Run netcat on your Kali machine to listen on a port such as 4444. Ensure that netcat is running throughout the entire lab.
Copy the content of the pickleme.py payload, paste it into a file and save it as rce.py (or whichever name you may choose).
Replace the IP in the Python file with the IP of your VPN.
On running the Python script, you will obtain a cookie value. Replace this value on the web application under the encodedPayload cookie.
After this step, refresh the browser to get a reverse shell into the web server.
After spawning a reverse shell, the task was to find the flag in the flag.txt file. So first, we list the directories in the current folder:
Since there is no flag.txt in this folder, check the current directory:
Switched directory to /home/cmnatic.
In the folder, we had flag.txt.
Open the file to view the content and find the flag.
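A defensive counterpart to both labs, as an added example that is not part of the original write-up or the lab application's code: the cookie is serialized as JSON rather than pickle, so deserializing it cannot execute code, and it carries an HMAC-SHA256 tag, so an edited userType value is rejected. The names SECRET_KEY, issue_cookie and load_cookie and all sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side secret that never reaches the browser (constructed value).
SECRET_KEY = b"constructed-demo-key-load-from-a-secret-store"
ALLOWED_USER_TYPES = {"user", "admin"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_cookie(session: dict) -> str:
    """Serialize as JSON (data only, no code) and append an HMAC-SHA256 tag."""
    body = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def load_cookie(cookie: str):
    """Return the session dict, or None if the cookie is malformed or modified."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    # Check integrity in constant time BEFORE parsing the body.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        session = json.loads(body)
    except ValueError:  # not valid UTF-8 or not valid JSON
        return None
    # Validate the parsed structure as well as the signature.
    if not isinstance(session, dict) or session.get("userType") not in ALLOWED_USER_TYPES:
        return None
    return session


if __name__ == "__main__":
    cookie = issue_cookie({"sessionId": "constructed-123", "userType": "user"})
    print(load_cookie(cookie))                 # accepted: issued by the server
    print(load_cookie(cookie[:-4] + "AAA="))   # rejected: tag no longer matches
```

Authorization decisions such as the admin check are still best made from server-side session state; the signature only guarantees that the browser returned what the server issued.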