Java Serialize 03
Bookmarked!This exercise is one of our challenges to help you learn Java Serialisation exploitation
In this exercise, you will learn how to exploit a serialization issue in Java by crafting a malicious object that gets deserialized using ObjectInputStream
. The goal is to build your own gadgets without relying on ysoserial, leveraging the provided class AnotherClass
to achieve command execution. Specifically, you will create a java.util.HashMap
that triggers the method hashCode()
on deserialization, allowing you to execute a command.
The video walk-through explains how the HashMap
's readObject()
method reads key-value pairs, calling the hash()
method on the key, which in turn invokes the hashCode()
method of the malicious object. By understanding this flow, you can manipulate the deserialization process to execute arbitrary commands, demonstrating a practical approach to exploiting serialization vulnerabilities in Java.