18.3 Using application functionality to exploit insecure deserialization

This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory | Karthikeyan Nagaraj

Karthikeyan Nagaraj
2 min readJul 1, 2024

Description

This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos's home directory.

You can log in to your own account using the following credentials: wiener:peter

You also have access to a backup account: gregg:rosebud

Solution

  1. Log in to your own account. On the “My account” page, notice the option to delete your account .
  2. Click delete account, capture the requestPOST request to /my-account/delete , send it to repeater and drop the request in proxy.
  3. In Burp Repeater, study the session cookie using the Inspector panel. Notice that the serialized object has an avatar_link attribute, which contains the file path to your avatar.
  4. Edit the serialized data so that the avatar_link points to /home/carlos/morale.txt. Remember to update the length indicator. The modified attribute should look like this:
    s:11:"avatar_link";s:23:"/home/carlos/morale.txt"
  5. Click “Apply changes”. The modified object will automatically be re-encoded and updated in the request.
  6. Send the request to solve the Lab.

--

--

Karthikeyan Nagaraj

Security Researcher | Bug Hunter | Web Pentester | CTF Player | TryHackme Top 1% | AI Researcher | Blockchain Developer