Java Serialize 06

This exercise is one of our challenges to help you learn Java Serialisation exploitation

> 4 Hrs.


In this exercise, you will delve into the exploitation of a serialization vulnerability in Java. Specifically, it addresses the unserialization of arbitrary objects provided as base64-encoded data using ObjectInputStream. The primary objective is to learn how to create your own gadgets for exploitation without depending on pre-made tools like ysoserial. The exercise builds incrementally, providing you with a class called AnotherClass to leverage for command execution.

To exploit this vulnerability, you will write a Java program that creates a malicious object and encodes it in base64. The trick lies in using a java.util.PriorityQueue that triggers the compare() method upon deserialization. Since the AnotherClass lacks a compare() method, you will bypass this limitation by employing a java.lang.reflect.Proxy, which forwards calls to the class of your choice via java.lang.reflect.InvocationHandler. This setup will ultimately allow you to gain code execution through the invoke() method in AnotherClass.

Want to learn more? Get started with PentesterLab Pro! GO PRO