This has been a long one. I had to brush up on my Java, watch thehackerish's video on deserialization https://youtu.be/5grJYo9IqY0 and bang my head on any hard surface I could find, but it was worth it!
First things first: it is imperative to read all the lessons on deserialization prior to this one, and then everything you find on Google/YouTube, until you have a clear understanding of what insecure deserialization is.
Once all the studying is done, the first thing needed in order to create an exploit for WebGoat's InsecureDeserializationTask.java is the source code itself, so let's clone the WebGoat GitHub repository somewhere on your system:
git clone https://github.com/WebGoat/WebGoat.git
In WebGoat/webgoat-lessons/insecure-deserialization/src/main/java/org/owasp/webgoat/deserialization you will find InsecureDeserializationTask.java.
This piece of Java code is the endpoint WebGoat uses to check our token for this lesson. It expects a VulnerableTaskHolder object and then checks that the deserialized task is the 5-second timeout the lesson asks for.
To create a VulnerableTaskHolder object we can use WebGoat/webgoat-lessons/insecure-deserialization/src/main/java/org/dummy/insecure/framework/VulnerableTaskHolder.java, but first we need to compile it.
Just to be thorough, the Java version used for this solution is:
openjdk version "11.0.8" 2020-07-14
To compile this class successfully I have commented out all the references to "lombok.extern.slf4j.Slf4j", as it is not needed; here is my code, complete with comments.
Another, simpler way to achieve the same result would be to keep only the VulnerableTaskHolder class and the imports it needs; do as you like.
So let's compile this class:
javac VulnerableTaskHolder.java
OK, now we need a piece of code that creates a VulnerableTaskHolder object with a "sleep 5" task in it. By searching online you can find some Java files that do this; I found the following two:
thehackerish WebGoat Deserialization POC
I have made a few modifications to thehackerish's Attack.java file, as I am not using an IDE here and I wanted to use just the javac/java commands for both Attack.java and BuildExploit.java.
Here's my Attack.java source code:
The screenshot shows the two source files, their compiled class files, the org directory from this lesson's source and the serial file produced by running Attack.class.
Let's compile the source files:
javac Attack.java
javac BuildExploit.java
Running Attack.class creates the serial file, which then needs to be converted to base64 with:
cat serial | base64 -w0
Running BuildExploit.class instead outputs the token directly in base64 format.
The two tokens shown here are not the same because they were not created at the same time.
Copy the token of your choice into the lesson's form to complete the lesson.
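The endpoint this lesson targets deserializes the token straight from the request, which is what lets a serialized object's readObject run. As an added example (not the author's Attack.java and not WebGoat's own code; the class and method names are hypothetical), here is that vulnerable reader beside a hardened one that applies a Java 9+ ObjectInputFilter, so the same token is accepted by the first and rejected by the second:

```java
import java.io.*;
import java.util.Base64;

public class TokenReaderDemo {
    // Hypothetical stand-in for VulnerableTaskHolder: readObject has a side effect (here only a print).
    static class Holder implements Serializable {
        private static final long serialVersionUID = 1L;
        String task;
        Holder(String task) { this.task = task; }
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject ran during deserialization, task=" + task);
        }
    }

    // Vulnerable: whatever class the token names is instantiated and its readObject runs unchecked.
    static Object readUnfiltered(String token) throws IOException, ClassNotFoundException {
        byte[] data = Base64.getDecoder().decode(token);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened: a Java 9+ filter allowlists the expected classes and rejects the rest before readObject.
    static Object readFiltered(String token) throws IOException, ClassNotFoundException {
        byte[] data = Base64.getDecoder().decode(token);
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "java.lang.String;maxdepth=2;maxbytes=1024;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();  // InvalidClassException: Holder is not allowlisted
        }
    }

    static String serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        String token = serialize(new Holder("sleep 5"));  // constructed sample token
        readUnfiltered(token);                            // side effect runs
        try {
            readFiltered(token);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected the token: " + e.getMessage());
        }
    }
}
```

The filter pattern is evaluated left to right, so anything not explicitly allowed before the final `!*` is rejected with "filter status: REJECTED" and the class is never loaded.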
If you would like to discuss this solution with me, feel free to drop a comment.
This concludes WebGoat Insecure Deserialization 5.
I hope you liked it.
PVXs — https://twitter.com/pivixih
Big thanks to thehackerish for all the content he has put online; go check out his website and his channels if you are looking for good infosec learning material.