Java Serialize 04

This exercise is one of our challenges to help you learn Java serialisation exploitation.

PRO Tier | Medium | 1-2 Hrs. | 40

In this exercise, we delve into the exploitation of a Java serialization vulnerability. The focus is on creating a malicious object with a Java program, which is then serialized and base64-encoded. The challenge involves leveraging the java.util.PriorityQueue class, whose readObject() ends up calling the comparator's compare() method during deserialization. By understanding the flow of method calls (readObject() invokes heapify(), which in turn calls siftDownUsingComparator(), which calls compare()), participants learn how these calls can be manipulated to execute arbitrary commands.

Throughout the exercise, you will be provided with the class AnotherClass to help you build your exploit. The video walkthrough complements the course by demonstrating the practical steps needed to achieve command execution. By the end of this exercise, you will have a solid understanding of how to craft a straightforward gadget that exploits serialization vulnerabilities in Java applications.
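The following is an added example, not part of the exercise or PentesterLab's own code. It makes the call flow described above observable from the defender's side: a counting comparator (hypothetical class CountingComparator) shows that compare() runs inside readObject() before the caller ever sees the object, and a Java 9+ ObjectInputFilter shows how an allowlist stops the PriorityQueue from being instantiated at all.

```java
import java.io.*;
import java.util.Comparator;
import java.util.PriorityQueue;
import java.util.concurrent.atomic.AtomicInteger;

public class PriorityQueueReadObjectDemo {
    // Hypothetical comparator: it only counts invocations, so we can observe
    // readObject() -> heapify() -> siftDownUsingComparator() -> compare()
    // happening during deserialization, without any harmful behaviour.
    static class CountingComparator implements Comparator<Integer>, Serializable {
        static final AtomicInteger calls = new AtomicInteger();
        public int compare(Integer a, Integer b) {
            calls.incrementAndGet();
            return a.compareTo(b);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // A queue with two elements: heapify() then performs at least one siftDown.
        PriorityQueue<Integer> pq = new PriorityQueue<>(2, new CountingComparator());
        pq.add(2);
        pq.add(1);
        byte[] blob = serialize(pq);          // constructed sample stream
        CountingComparator.calls.set(0);      // ignore compares made by add()

        // 1. Unfiltered stream: compare() is reached while the bytes are still being read.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.readObject();
        }
        System.out.println("compare() calls during readObject(): " + CountingComparator.calls.get());

        // 2. Filtered stream (Java 9+): allow only the types this endpoint expects;
        //    PriorityQueue is rejected before its readObject() can run.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "!java.util.PriorityQueue;java.lang.Integer;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            System.out.println("unexpected: object was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The filter pattern is an allowlist with an explicit deny for the gadget class; in production the allowlist should name only the application's own expected types rather than denying known gadgets one by one.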
