Java Serialize 03

This exercise is one of our challenges to help you learn Java Serialisation exploitation

< 1 Hr.

In this exercise, you will learn how to exploit a serialization issue in Java by crafting a malicious object that gets deserialized using ObjectInputStream. The goal is to build your own gadgets without relying on ysoserial, leveraging the provided class AnotherClass to achieve command execution. Specifically, you will create a java.util.HashMap that triggers the method hashCode() on deserialization, allowing you to execute a command.

The video walk-through explains how the HashMap's readObject() method reads key-value pairs, calling the hash() method on the key, which in turn invokes the hashCode() method of the malicious object. By understanding this flow, you can manipulate the deserialization process to execute arbitrary commands, demonstrating a practical approach to exploiting serialization vulnerabilities in Java.
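As an added example (not part of the exercise or its provided classes), the stand-alone Java program below reproduces the trigger described above from a defender's side: a key whose hashCode() only counts its invocations is stored in a HashMap, serialized, and read back with ObjectInputStream, and HashMap.readObject() calls that hashCode() before any application code touches the map. It then shows the Java 9+ ObjectInputFilter that rejects the unexpected key class before it is instantiated. The class names TracingKey and HashMapTrigger and the filter pattern are assumptions made for this example.

```java
import java.io.*;
import java.util.HashMap;

public class HashMapTrigger {

    // Constructed stand-in for a gadget: instead of running anything, hashCode()
    // just records that it was invoked, so we can observe the deserialization callback.
    static class TracingKey implements Serializable {
        private static final long serialVersionUID = 1L;
        static int invocations = 0;

        @Override
        public int hashCode() {
            invocations++;
            return 42;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HashMap<Object, Object> map = new HashMap<>();
        map.put(new TracingKey(), "value");   // put() calls hashCode() once while building the map
        byte[] blob = serialize(map);
        TracingKey.invocations = 0;           // only count calls made during deserialization

        // Unfiltered: HashMap.readObject() -> hash(key) -> key.hashCode() runs on readObject() itself
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.readObject();
        }
        System.out.println("hashCode() calls during deserialization: " + TracingKey.invocations); // 1

        // Mitigation (Java 9+): an allow-list filter rejects any class outside java.util / java.lang,
        // so the key class is never instantiated and its hashCode() never runs.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.*;java.lang.*;!*"));
            ois.readObject();
            System.out.println("unexpected: filter did not reject the key class");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Run it with `java HashMapTrigger.java` (Java 11+ source launcher); the first readObject() reports one hashCode() call, the second is refused with a "filter status: REJECTED" InvalidClassException.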
