Lab: Exploiting Java deserialization with Apache Commons
This lab uses a serialization-based session mechanism and loads the Apache Commons Collections library. Although you don't have source code access, you can still exploit this lab using pre-built gadget chains.
To solve the lab, use a third-party tool to generate a malicious serialized object containing a remote code execution payload. Then, pass this object into the website to delete the morale.txt file from Carlos's home directory.
You can access your own account with the following credentials:
- Log in to your own account and observe that the session cookie contains a serialized Java object. Send a request containing your session cookie to Burp Repeater.
- Download the "ysoserial" tool and execute the following command:
  java -jar path/to/ysoserial.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64
  This will generate a Base64-encoded serialized object containing your payload.
- In Burp Repeater, replace your session cookie with the malicious one you just created and URL-encode the entire value.
- Send the request to solve the lab.
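The weakness the lab relies on is visible from the defending side: a session cookie that is a Base64-encoded Java serialized object always begins with the bytes AC ED 00 05 (Base64 prefix rO0AB), and a stream that references classes outside the application's own session classes, such as anything from the Apache Commons Collections packages, should never reach a deserializer. The following triage script is an added example, not part of the lab or of ysoserial. It URL-decodes and Base64-decodes a cookie value, checks the stream magic, pulls the class names out of TC_CLASSDESC records with a light scan (not a full parser), and reports any class outside an assumed allow-list. The package prefix data.session. and the sample streams are constructed for the example; the samples only mimic the record layout and are not real serialized objects.

```python
import base64
import binascii
import re
import struct
import urllib.parse
from typing import Optional

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Every Base64 encoding of that header starts with this prefix.
JAVA_BASE64_PREFIX = "rO0AB"

TC_OBJECT = 0x73
TC_CLASSDESC = 0x72

# A class name as written in a class descriptor: dotted name or array descriptor.
_CLASS_NAME_RE = re.compile(rb"^\[*[A-Za-z_$][\w$.;]*$")


def looks_like_java_base64(cookie_value: str) -> bool:
    """Cheap first check: does the URL-decoded cookie start with the rO0AB prefix?"""
    return urllib.parse.unquote(cookie_value).lstrip().startswith(JAVA_BASE64_PREFIX)


def decode_session_cookie(cookie_value: str) -> Optional[bytes]:
    """URL-decode and Base64-decode a cookie value; return the raw bytes only if
    they begin with the Java serialization magic, otherwise None."""
    text = urllib.parse.unquote(cookie_value).strip()
    text += "=" * (-len(text) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(JAVA_STREAM_MAGIC) else None


def extract_class_names(stream: bytes) -> list:
    """Collect class names from TC_CLASSDESC records (0x72, 2-byte big-endian
    length, name). This is a scan, not a full parse: a stray 0x72 byte is
    rejected unless the bytes after it form a plausible class name."""
    names = []
    i = len(JAVA_STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", stream, i + 1)
            candidate = stream[i + 3 : i + 3 + length]
            if length and len(candidate) == length and _CLASS_NAME_RE.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def triage_cookie(cookie_value: str, expected_prefixes: tuple) -> dict:
    """Report whether the cookie is a Java serialized object, which classes it
    references, and which of those fall outside the application's own session
    classes (the allow-list a server-side deserialization filter should enforce)."""
    stream = decode_session_cookie(cookie_value)
    if stream is None:
        return {"is_java_serialized": False, "classes": [], "unexpected": []}
    classes = extract_class_names(stream)
    unexpected = [c for c in classes if not c.startswith(expected_prefixes)]
    return {"is_java_serialized": True, "classes": classes, "unexpected": unexpected}


def build_sample_cookie(class_names: list) -> str:
    """Constructed sample: magic, then one TC_OBJECT/TC_CLASSDESC record per class,
    Base64- and URL-encoded like a session cookie. Layout only; not a real object."""
    body = bytearray(JAVA_STREAM_MAGIC)
    for name in class_names:
        encoded = name.encode("ascii")
        body += bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded
        body += b"\x00" * 8        # serialVersionUID placeholder
        body += b"\x02\x00\x00"    # flags (SC_SERIALIZABLE), zero fields
        body += b"\x78\x70"        # TC_ENDBLOCKDATA, TC_NULL superclass
    return urllib.parse.quote(base64.b64encode(bytes(body)).decode("ascii"), safe="")


if __name__ == "__main__":
    # Assumed allow-list: the application's own session classes (hypothetical package).
    expected = ("data.session.",)
    benign = build_sample_cookie(["data.session.Session"])
    suspect = build_sample_cookie(
        ["data.session.Session", "org.apache.commons.collections4.functors.InvokerTransformer"]
    )
    print(triage_cookie(benign, expected))
    print(triage_cookie(suspect, expected))
```

Run against real traffic, the `unexpected` list is what a detection rule or a pre-deserialization gate should act on: a session object for this application has no reason to reference Commons Collections functors, so their presence in an inbound cookie is a strong indicator of a gadget-chain payload. The same allow-list is the fix on the server side, enforced before any object is constructed (for example by overriding `resolveClass` or installing a class allow-list filter on the `ObjectInputStream`), rather than pattern-matching after the fact.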