Course

In this exercise, you will delve into the exploitation of a serialization vulnerability in Java. Specifically, it addresses the unserialization of arbitrary objects provided as base64-encoded data using ObjectInputStream. The primary objective is to learn how to create your own gadgets for exploitation without depending on pre-made tools like ysoserial. The exercise builds incrementally, providing you with a class called AnotherClass to leverage for command execution.

To exploit this vulnerability, you will write a Java program that creates a malicious object and encodes it in base64. The trick lies in using a java.util.PriorityQueue that triggers the compare() method upon deserialization. Since the AnotherClass lacks a compare() method, you will bypass this limitation by employing a java.lang.reflect.Proxy, which forwards calls to the class of your choice via java.lang.reflect.InvocationHandler. This setup will ultimately allow you to gain code execution through the invoke() method in AnotherClass.