CUSTOM Java Deserialization Exploit - Serial Snyker

Captions
In this video we're going to take a look at a challenge from the Snyk Fetch the Flag capture the flag competition that was going on just previously. I did want to get some videos out and about, and thankfully Snyk was super duper generous, giving me a little bit of a sneak peek before the game even got started to take a look at one of the challenges. So in this video we're going to dive in. This challenge is called Serial Snyker, and I've got to admit I'm going in cold; I don't really know what I'm up against. This is kind of new to me, so forgive me for all the walls that I run into and the rabbit holes that I fall down. We're just going to have some fun, so I hope you enjoy. Let's get started.

I am inside of my Kali Linux virtual machine that I'll be using for the playtest here, and I'm online at this link, serial-snyker.c.ctf.snyk.io; that is currently where this challenge is hosted, and we'll have a chance to play with this thing. Looks like we have "captured Patch", their Snyk mascot for all the great stuff that they do, their little puppy dog, with the cereal cat chasing it. It says "please log in to pay for his release", and we can log in or "forgot password". Now before I dive in I do want to note that they have offered the source code, or at least a zip archive, a file to download to be able to poke and play with this. It's called serial-snyker and I have it downloaded right here; let me go ahead and unzip that, if I can type, and that should all extract for us. Looks like some of the file names here are .java, which is interesting to me; a little bit worried, I don't know what I'm going to be getting into. Java was not what I expected here. And here are the files that we have: looks like a placeholder flag, a simple README markdown file, even a help markdown file, the challenge.yml, a Dockerfile to wrap this all up. I don't know what pom.xml or mvnw.cmd stuff is; that might be some Java shenanigans, I think that is Maven or something that it uses here. But let's go ahead and check out the README to see what we're up against.

Okay, this just looks like some structure and setup for how they would define this. It looks like it has "can you help Patch escape", presumably the description for this, the challenge name, and how we might build it with Docker and how we can run it just as well, including some links to the artwork. That's really accessible, but with that in mind I suppose we can go ahead and take a look at the source code. I do see a src or source directory; looks like there are a couple of files here in main. I'm going to use Sublime Text and open just a period here for the whole current directory so that I can view the entire folder. Over here on the side I can tell, hey, we have some resources, presumably the templates or the HTML, the actual hypertext markup language that builds this thing. Interesting: the error pages presumably include even some exceptions, like a traceback if something happens and something goes wrong and an error is caused within the code. The index.html is just as we saw out on the web browser; it says "hey, we've captured Patch" and we're going to be asked to log in to pay for his release. Ultimately that is just accessible on the front end, not all too interesting. Same thing with all of the static files; looks like there's Bootstrap CSS, images for us here. Ultimately the source code is what we want to dive into, presumably in this java folder here for serialsnyker.

Let's check out what this IndexController is. Looks like this is the Java code that makes up the back end here, and we're defining this as a package, importing some things from the Spring framework, which is a bit interesting, and we have a public class to be our controller, or the real logic behind this thing. We have mappings, like URL routes for HTTP specific methods like GET or POST, and we're going to be returning out, okay, presumably the index as needed. Same thing when we POST to retrieve this; when we're trying to authenticate we have the parameters that we might pass to this, a username and password and csrfToken, and then it does something with SerializationUtils: it tries to deserialize the csrfToken. A little bit interesting. It also prints out testing info; I'm curious if that's just, hey, for debugging, maybe the developer left it in on accident. We also add an exception for "hello world". All a bit interesting, and that's it.

Okay, what else do we have here? SerialSnyker.java, we'll run this as its own application. The SerializationUtils we saw, which were a little bit interesting; this does sound like a classic Java serialization vulnerability if there is something to actually take advantage of and beat up here. We have Base64 util as part of the native Java library included, and deserialize looks like it does this as it is going to be working with whatever is passed in as base64. It goes ahead and returns and retrieves this as an object, and that doesn't seem to return anything else other than throwing errors. Oh no, excuse me, it does return that object, so that could be interesting and worthwhile to explore. ExecHelper, is this executing commands? It seems like it. I wonder if this is something we might be able to take advantage of, given this is Java and we keep referring to serialization and the challenge is literally called Serial Snyker; part of me has to think this could very well be something that we would take advantage of with ysoserial, one of the tools and command line utilities that will help us take advantage of serialization vulnerabilities. Base64Helper does a similar thing with at least base64 functions to decode here, so I'm curious what we might be able to do now.

If all we're going to end up doing is authenticating with the POST request, and if we were actually to take a look at the source here, I'll hit Ctrl+U on my keyboard, or just right click and view page source. Now we can see the HTML here, and it is posting to forward slash, you know, that index, and all the fields' names that we're expecting: username, password, and then a csrfToken, presumably this big long base64 string, literally named base64, or excuse me, csrfToken. So I'm curious, could I just go ahead and decode this, and will it look like just a natural Java object, serialized, of course? But is there something that we might be able to pull out of that? Let me try and echo this right into base64 -d, or "tack d", and yeah, okay, looks like there is a CsrfToken object with some interesting stuff in here where they're using java.util.UUID, blah blah blah. This is all bits and bytes and, you know, actual non-printable characters, as it is a serialized data object, but I wonder if we could do more with this thing.

Now I've got to admit, hey, being a Snyk capture the flag put together by Snyk, wouldn't it make sense if Snyk would be able to figure some interesting stuff out with this? If I move into this main directory, can I just even use in, like, the Java source code segment... let me try and move all the way into where all the Java files are. Here they are present; let's see if I could use even the Snyk command line utility to take a closer look at what might be present here in terms of vulnerabilities or weaknesses. So I am using the Snyk command line interface, something you can grab online on their website, go and install it, and we'll use the code submodule, or fragment here, so that we're able to actually specify, hey, I want you to look at the files in this current directory and we'll test them and look for vulnerabilities. So I'll hit enter on this; it might take a little bit of time to scan through it all, but fingers crossed it might find something for us to start our research or do something new with. And ooh, right away we do have one high vulnerability detected, and it says "deserialization of untrusted data", our IndexController.java on line 30, just as we were taking a look at this moments ago. Yep, looks like we go ahead and take our object created out of deserializing the csrfToken that is passed in.

Now the csrfToken again is going to end up being passed through SerializationUtils and deserialize, and this is going to end up running the function that we can see present here, but deserialize takes this all in and deserializes it, obviously. So I... I'm doing a bad job of explaining that. If you weren't familiar with those terms, I'm sorry. Serializing and deserializing data is kind of just packaging it up and compressing it a little bit so that it could be later represented or stored and saved and brought back to life, really, as an object, as some piece of code and logic. It just bundles up a bunch of properties and potential functions or things, maybe methods, right, but the object that's represented within programming, within code, to be used for later use. So we could potentially get code execution with this sort of thing, right? Could we do more with this, other than having "unsanitized input from an HTTP parameter flows into java.io.ObjectInputStream where it's used to deserialize an object; this may result in an unsafe deserialization vulnerability"? Hmm, okay, so that is seemingly how we would go ahead and exploit this. That is something present in just the POST method where we go ahead and enter anything with the csrfToken.

So let me just see; I suppose I could fire up Burp Suite or something. Okay, now Burp is running. We can fire up a temporary project with the default settings. I will make sure the proxy options are rocking on port 8080, as they are; we can use our FoxyProxy now to set up some options for 127.0.0.1 port 8080. Cool, okay, so now let's go ahead and switch to Burp Suite and let's see if we can go ahead and do this. Please subscribe. Again, Burp Suite fires up here; can I zoom in on this at all? Yeah, let's set the font size to like 18 and set the dark theme, so that way people aren't screaming and whining about, you know, having the dark mode, right? Oh come on, that doesn't give me the display... let me just fix that. Okay, amp that up to 24.

Now we can get back to the proxy, and you can see this a little bit better here. So I wonder if we could go ahead and exploit this. Let me try and do some Googling; let me see how I might exploit a Java deserialization vulnerability. PortSwigger has some info on this; I'm sure we could find something on, like, HackTricks or others, and there are probably a whole lot of other great things to use, even a Java deserialization cheat sheet, and here's HackTricks just as well. So let's read on about what PortSwigger has to offer, chatting about insecure deserialization vulnerabilities. Looks like we have some sections on how to identify insecure deserialization, also passing malicious data in, injecting arbitrary object types, manually creating your own advanced exploits. So, identifying this: they chat about this thing in PHP, they chat about this in Java, and they note "any class that implements the interface Serializable can be serialized and deserialized. If you have source code access, take note of any code that uses the readObject method, which is used to read and deserialize data from an input stream." They also note deserialized objects always begin with the same bytes, which are encoded as rO0 in base64, which we should have seen in our csrfToken, so that might be the right way here.

Also, going back to our code, an interesting thing is that this ExecHelper class does implement that Serializable package, or that class here, sorry, and down below, I don't know if you caught it, but it has that readObject function. So we might be able to just straight up call this function, or create an object that will use this class and do it for us. Let's see, how can we go ahead and create one of these? Do they explain or showcase this at all for Java specifically? Here it is: "in Java deserialization, ObjectInputStream.readObject acts like a constructor for re-initializing a serialized object." Oh, will it run it? Will it do the command? It will, it will. So it calls run, and run is this function that will actually execute this, literally as a Scanner running Runtime.exec our command here, so that we'll kind of detonate and trigger this code for us. We could use tools like ysoserial to kind of chain gadgets naturally, but I do want to know how we might create our own exploits here. It says "when off-the-shelf gadget chains and documented exploits are unsuccessful", like using ysoserial, "you need to create your own exploit. To successfully build this, you almost certainly need source code access." Thankfully we do; we know what we are targeting here. "Once you've worked out how to successfully construct this gadget chain, the next step is to create the serialized object. This is simply a case of studying the class declaration in the source code and creating a valid serialized object with the appropriate values required for your exploit. As we've seen in previous labs, this is relatively simple when working with string-based serialization formats." Oh, we have a string format here, don't we? We have an override toString, where it returns, oh, ExecHelper being the command and the output. So how do I craft this? Oh, I just need to pass in a command that is base64, correct? Here they have a lab for this; does it let me do this? I don't want to access the lab, I just kind of want to know how it's done. Oh, they do have a little template here to use, a generic Java program for serializing objects. Let me open that up and see if we can play with that. Here's a Java code: import data.Foo, blah blah blah, creating the serialized object, serializing the original object, being a new object that we define here, yada yada yada.

Okay, so I wonder if I can just do this. Can I not? Let me grab this code; we'll call this Main.java, right? Can I just kind of make a file here, slap this in? I don't do Java, so I'm making a fool of myself. Let's do Main.java, how about that; it does have to match the class name. We're including all this stuff. Can I import just the ExecHelper, right? And then let's not do any of this stuff right now for our main thing, but let's actually go ahead and try a simple System.out.println to see "Hello", just to validate that this will run for us, and then we have the functions that we might like here, correct? So let's see if in a simple command line I can go ahead and run this thing. I'll fire up a new command line, move into that directory; now I have my Main.java. Can I run javac on Main.java? Oh, I need to install it. Okay, seemingly I might be able to run that, but it does need a dot to denote where it's getting this stuff, so let me make a data directory and let's try and copy the ExecHelper into our data, correct? Does that need anything else? What do they use for their example here? They have a Foo.java which is just, oh, given a specific package and then Serializable. So let me just go ahead and modify my data ExecHelper and just put that in the data package, right? So now Main.java could go ahead and import data.ExecHelper, so those functions and folder names kind of all match, right? Let's try that again: "package data does not exist". No, it's in the current directory. We use javac again, but I don't have that installed. All right, let's sudo apt install default-jdk, spelled properly; fingers crossed that will give us everything that we need to compile Java code. Okay, now, fingers crossed, can I run javac? Yes, I can. All right, let's try and javac my Main.java, and that does not like Base64Helper. Yep, because that needs to be included. Now, the way that they do this in ExecHelper looks like, because Base64Helper is also in the same package, they can use this. Ultimately I think we can just grab this here and just slap it into our ExecHelper that is within our data directory, because this is one that we're going to be trying to build within our own little exploit here with our own Main.java. Let's try and run that again. Fingers crossed: "Base64Helper is public, should be declared in a file named" that. Okay, fine, create a new file called Base64Helper.java; can I save that as that? Perfect. Now let's just slap that in there and let's grab everything that it included in their original Base64Helper.java, but we're going to put that in package data so it's in the same folder as our other ExecHelper. Fingers crossed, this should now allow us to compile, and it does, no errors. I do have a Main.class so I can simply run java Main, and that says hello as my simple hello world.

Okay, now we'll go ahead and actually create our original object. That should be an ExecHelper type, correct? So that needs to be our original object, that should be an ExecHelper with a command; we'll just use sleep as sort of a temporary test. Hmm, trying to see, hey, because this is blind, we don't know if we'll get command output responded and returned out, so let's just see if we could actually return this. We'll want to serialize that object and then print it out, and we could deserialize it if we wanted to just as well, but ultimately the serialized object is all that I'm really interested in. Can I go ahead and spit that out? Let me javac Main one more time. Oh, it did complain: "incompatible types: String cannot be converted to Base64Helper". Ah, okay, so I need Base64Helper to be the argument that I give this thing. Base64Helper should be a base64 string, correct? So it has a single decode function, and we give it encoded base64 as the argument. This ends up being the command that they decode, so it does need to be a command that is base64 encoded as an object. Let's see if we can mess with that. Let's create a Base64Helper command, being a Base64Helper, and do I need to go ahead and import that as well? Presumably, Base64Helper. That should take a string that is a command that I want to run, as base64. So let's enter that command variable, and we'll need to be able to fill this out, and I think that needs to be some sort of array or list, considering the square braces, but I'm not quite sure yet. So let me just echo "sleep 5" into base64, and that gives me this. Now this is where I will enter in double quotes here. Can I run this? Fingers crossed. Nope: "cannot find symbol Base64Helper". What are you talking about? Oh, that should be a new object, correct? I think I might just wrap this in curly braces; is that how that's done in Java? Let's try it. That is okay, so we can keep it as a list, we just need to wrap it in curly braces, so that's one of those. Now if I run this, fingers crossed, java Main, there's our serialized object, and we could see if this will actually sleep.

Let's try it out. Let me go back to this application here; let me turn Burp back on with FoxyProxy. Let's get this thing cruising, intercept is on, let's do it: a@a, whatever, submit this, and now our csrfToken we can modify to be our own csrfToken. Use Ctrl+U to be able to, I don't know, URL encode stuff, and fingers crossed, if I hit forward here: "you don't have data.ExecHelper". That makes sense; you kind of need to be using the exact same package names. Oh goodness, okay. So if this were to be interpreted in the natural packages that they all use, we should have this in a location where we can use com.snykctf.serialsnyker. So let me move my Main.java up a couple directories into where com should be, right? So it should be in that java folder. Let's take this, let me grab all this code and then just create this under java, where I can say, oh, here's Main.java as the file that we want to use here, and let's go ahead and say we're going to import all of the other components under the com.snykctf.serialsnyker package. So I can delete that old Main.java, and now in our new one let's go ahead and import ExecHelper and Base64Helper from all of those package locations. Does that work? Let's try it. I'll go back to my command line, let me go ahead and remove my Main.class and let's move up a couple directories. Okay, so I move into java and now I have my Main.java. Let's try and javac that Main.java; no errors, it did compile just fine. Let's try and run that Main class, and there's our output.

Okay, let's try this now. Go back to Burp Suite, let's add in our csrfToken, I'll Ctrl+U to URL encode this, and now fingers crossed: "cannot run program 'sleep 5': error, no such file or directory". Ah, this is because it has to be separated, and that, okay, tokenizes the commands and their arguments. But that does mean that we are starting to get remote code execution, finally. So let's break this up a little bit more. I can use the Base64Helper to encode, correct? Can I not? The Base64Helper does not have an encode option; that's kind of annoying. Can I just use Base64.getEncoder() rather than this? Let me do that as a little experiment super duper quick: System.out.println... oh, getEncoder needs to be a function call, how about that. Please, no errors, excellent. Let's run java Main; now we have base64 encoded stuff, arbitrarily. Good, good, good. Okay, so now we have a primitive of base64 encoding stuff, and let's just say arg0 can be a string, right, of the simple syntax of bash, how about that, and then let's use arg1, which can be a -c, correct? And now we could basically have arg2 be really anything else that we would want to run, because we're using bash as sort of a subshell to invoke things. So could I then run sleep 5, presumably including the space there? I've tokenized these other arguments for bash, but this next one can be all of the arguments that we would have that bash command run with -c. So fingers crossed, if I now use my command, I could change this up to be Base64Helper based off of all of these arguments, arg0, arg1, and arg2, correct? Oh, oh, I just need... I was thinking wrong, I need multiple new Base64Helpers, that's the issue. So let's get new Base64Helper of arg0, do the same thing for arg2 and arg1 there, and now let's try this. Compile, no errors; let's run, print that out. I'm done; compile again, run again, there we go. Let's try this thing, let's see if we will sleep for a little bit of time. Burp back on, a@a.com, Burp Suite's rocking, slap in that csrfToken, run this, move it to the side, fingers crossed. Look at it spinning, look at it, look at it, look at it, look, look at... okay, we are successfully sleeping for five seconds, and we get an ExecHelper response out. Perfect, totally fine, it did run the command. Now we have valid code execution.

Let's see if we can get a reverse shell. So, because this is out on the open internet, I am going to want to use ngrok as a tunnel, or I might be able to actually catch this despite me using a local port here. So let's see: starting up a little ngrok listener, I can start a netcat listener on that same port, quad nine, 9999, as I am listening for that. Now, I still want to be able to modify and create my own payloads, so let's get back here and let's change the sleep syntax to a simple reverse shell syntax. Let's go to revshells.com, and this way I can gain code execution; not that I don't already, I already have code execution, but we can get better code execution, in like an interactive way. So let's grab our ngrok listener location, and let's grab that number for a port, slap that in, and now bash should be able to just generate this thing. I can run this, and that hopefully, hopefully, hopefully will give me a callback. Let me pass this in, and I am going to use bash to run this rather than -i, because we know at least with the previous bash -c testing that that does exist as a command for us, and let's see if we can get something here. Let me go ahead and compile this one more time, no errors, run this, we've got our payload now generated. Let's copy this and rock with Burp Suite one more time. I do want to make sure I've got this accessible and visible for us, for my netcat listener. I do want to hop on over to our page, let's fire up Burp Suite and try this one more time with an a@a.com, try and log in here, paste in our csrfToken as usual, Ctrl+U to URL encode that, and let's hit forward. And there's our connection. That's it, we've compromised the box, and now we've got all the access that we might need. Fantastic.

Where is my flag? We can check in the Dockerfile where the actual location of this thing all is; let me open up that Dockerfile in the current directory here. Okay, this spits this into /home/app, and it'll actually... no, our flag is in /home. So let's go move into that directory, cd /home, ls, and there is our flag, and we are done. We've completed this challenge, we have finished that, and we did some super cool little custom Java deserialization. Now, very well we could have done like ysoserial if this were something that we would have other gadgets to launch onto, like the Commons Collections or whatever, or Spring, or other frameworks where there were other libraries we might be able to pull from, but in this case we had some primitives with this ExecHelper and the Base64Helper that we kind of needed to be able to use and run. This was just, hey, the convenience of the application giving this to us, but it also gave us a little bit more of actual, hey, some structure to be able to solve this challenge and run code. Playing with this example, that thankfully PortSwigger and the Burp Suite Academy labs and stuff were willing to give us, sped up a little bit of our work, but we still needed to be able to craft and create these objects so that we could serialize them and then run them and give them to the application. I hope that all made sense. I think that's kind of cool, a lot of fun for this challenge. I spent way too long on this thing because I was bumping around with ysoserial, trying to think if I could do anything more with it, but man, we got it and it is all done.

Hey, huge thanks to Snyk for offering their Fetch the Flag competition, the capture the flag that they put out for free for anyone to jump into and play and learn some cool stuff, and honestly I'm just super duper grateful for all of Snyk's support. It's no secret they have been a lovely and incredible sponsor for this channel, and hey, I'd like to show them some love, because, you know what, they're doing great stuff, and I'm just grateful for capture the flag training, something that I'm a huge advocate and proponent for, that they are still a champion of, and showcasing some of the sweet stuff. And Snyk itself, like the tool and the product, did get to help hone us in on what the real vulnerability was in case you weren't familiar with deserialization before, but the honesty of it was kind of us tiptoeing around, learning something and doing some sweet improv to learn something new on the fly. But thanks so much for bearing with me, thanks for letting me struggle with Java syntax, and I should probably get better at that, but I hope you enjoyed, hope you learned something. If you did, please do all those YouTube algorithm things: like, comment, subscribe, you know the drill. Thanks for watching everybody, I hope you enjoyed this video and I'll see you in the next one. Love ya, take care.
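The finding Snyk raised in the video is that the csrfToken parameter flows straight into ObjectInputStream.readObject, so any Serializable class on the classpath with a readObject side effect (ExecHelper here) gets to run. The example below is an added illustration of the defensive fix, written for this page and not code from the challenge or from John; it uses the JDK 9+ ObjectInputFilter to allowlist only the token class and java.util.UUID before any class is instantiated. The class names CsrfToken and Unexpected, the byte limits and the stand-alone layout are assumptions for the demo, not the challenge's real identifiers.

```java
// Added example: hardening a base64 + ObjectInputStream token parser with a
// serialization filter. Compile and run with: javac SafeDeserialization.java && java SafeDeserialization
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.UUID;

public class SafeDeserialization {

    /** Assumed stand-in for the application's CSRF token object (name is hypothetical). */
    public static final class CsrfToken implements Serializable {
        private static final long serialVersionUID = 1L;
        public final UUID id = UUID.randomUUID();
    }

    /** Stand-in for an unexpected class whose readObject has a side effect on load. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            throw new IllegalStateException("readObject executed: the filter should have stopped this");
        }
    }

    // Allowlist: the token class and the JDK type it contains; "!*" rejects every other class.
    // maxdepth/maxbytes are assumed limits sized for a single small token object.
    private static final ObjectInputFilter TOKEN_FILTER = ObjectInputFilter.Config.createFilter(
            CsrfToken.class.getName() + ";java.util.UUID;maxdepth=3;maxbytes=1024;!*");

    /** Serialize any object to base64, the same shape the hidden form field carries. */
    public static String serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** Replacement for an unfiltered readObject(): the filter vetoes classes before they are built. */
    public static CsrfToken deserializeToken(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        // Every Java serialization stream starts with 0xAC 0xED (the "rO0" seen in base64).
        if (raw.length < 4 || (raw[0] & 0xff) != 0xAC || (raw[1] & 0xff) != 0xED) {
            throw new InvalidClassException("not a Java serialization stream");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            ois.setObjectInputFilter(TOKEN_FILTER);
            Object o = ois.readObject();
            if (!(o instanceof CsrfToken)) {
                throw new InvalidClassException("unexpected type " + o.getClass().getName());
            }
            return (CsrfToken) o;
        }
    }

    public static void main(String[] args) throws Exception {
        String good = serialize(new CsrfToken());
        System.out.println("legitimate token id: " + deserializeToken(good).id);

        String bad = serialize(new Unexpected());
        try {
            deserializeToken(bad);
        } catch (InvalidClassException e) {
            // The filter reports REJECTED while reading the class descriptor, so
            // Unexpected.readObject never runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Putting the filter on the stream is the difference Snyk's "deserialization of untrusted data" finding points at: with an allowlist, a smuggled ExecHelper-style object is rejected as a class name before its readObject hook can call Runtime.exec.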
Info
Channel: John Hammond
Views: 24,852
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: S103iW01dxQ
Length: 29min 12sec (1752 seconds)
Published: Tue Nov 15 2022