Day 8: Insecure deserialization

Serialization is whereby objects are converted into byte streams for storage or transmission into memory or the database. The reverse process is deserialization.

Insecure deserialization occurs when an attacker leverages the serialization process to pass malicious data/code to the application. This vulnerability is enabled by an application that fetches data without any validation checks. It can allow for an attacker to gain remote access to the web application servers in what is known as Remote Code Execution (RCE).

I found this blog informative on serialization and insecure deserialization.

LAB 1 :INSECURE DESERIALIZATION — COOKIES PRACTICAL

Websites use cookies to store user-specific information. Sometimes the cookie value is stored in an encoded form.

This lab requires that we access and modify the cookie values in order to get privileged access.

First Flag( Cookie Value)

Logging in to the app directs you to the profile page that gives information, among which includes your user access level

The challenge gives us the hint that the first flag is in one of the cookies;

Right-click the page and navigate to inspect element

Click the application tab then storage:

On the cookies tab, you realize that the cookies and values are stored in either plaintext or encoded in base64(e.g sessionid)

Since all the other cookies are in plaintext, we can tell that neither of them contains the flag. However, the sessionid cookie value is encoded.

Decode the cookie value (used base64decode.org online) to get the flag:

Second Flag (Admin Dashboard)

The second challenge requires that we modify the cookie values in order to get admin access.

On login, myprofile page shows the user access level. This information is reflected in the cookies table with the name “userType” and value “user”.This shows that the userType field represents the user access level / what a user can do in the system.

The cookie can therefore be modified to admin so as to give you the admin rights; This can simply be achieved by double-clicking on the field value and changing it to admin

Having changed the access rights to admin, you can navigate to the app’s admin page using url/admin

As long as the browser tab is still open, you will be immediately redirected to the admin dashboard (url/admin) on every login.

When you change the value back to “user” and attempt to log in again, you’ll be redirected to the user home page url/myprofile.

LAB 2:INSECURE DESERIALIZATION — CODE EXECUTION

In this lab, we are expected to pass an encoded payload to the web server to get a remote shell and find the flag on flag.txt file.

First, change the userType cookie from “admin” to “user” and navigate back to myprofile page.

On the left side of myprofile page, left-click on “Exchange your vim” — when you do this, a cookie is encoded and stored in the browser.

After this, left-click on “Provide your feedback!. You should be redirected to the feedback page. When you visit this page, the cookie that was created is obtained, decoded and de-serialized. This process can be exploited using Python pickleme payload. The payload has been attached in the tryhack me room.

Run netcat on your kali machine to listen on any port 4444. Ensure that netcat is running throughout the entire lab.

Copy the content on pickelme.py payload, paste it into a file and save it as rce.py (or whichever name you may choose).

Replace the ip in the python file with the IP of your VPN

On running the python script, you will obtain a cookie value. Replace this value on the web application under the encodedPayload cookie.

After this step, refresh the browser to get a reverse shell into the web server

After spawning a reverse shell, the task was to find the flag on flag.txt file. So first, we list the directories in the current folder;

Since there is no flag.txt in this folder, check the current directory;

Switched directory to /home/cmnatic

In the folder, we had flag.txt

Open the file to view the content and find the flag

--

--

--

@rrietwrites is a cybersecurity researcher who also enjoys conversations on personal finance, lifestyle, mental health and human psychology

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What is the best ASP.NET service provider?

How to develop Enterprise Asset Management System

Project Details Screen — Asset Management System

From Zapier to Integromat: What Makes Us Different?

Design & execute Postman script, for web pages having CSFR tokens for Login

Understanding Variables and Data Types in Python

Go: Fuzz Testing in Go

Custom UIViewController transitions

Why we hate your hack client: Your keybinding code probably sucks

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
@rrietwrites

@rrietwrites

@rrietwrites is a cybersecurity researcher who also enjoys conversations on personal finance, lifestyle, mental health and human psychology

More from Medium

Write-up: CSRF with broken Referer validation @ PortSwigger Academy

Portswigger Labs — Reflected XSS 3

Top 10 Tips to Protect Against OWASP Top 10 Vulnerabilities

OWASP Top 10 Vulnerabilities

Upload Vulnerabilities