webPromedium

Lab 172 — PulseGuard — Insecure Deserialization via JSON.NET TypeNameHandling

hackadvisor

Task: ASP.NET Core monitoring platform uses Newtonsoft.Json TypeNameHandling on heartbeat API endpoint, accepting polymorphic $type in Metrics field. Solution: inject application-specific SystemDiagnostic type whose ScriptPath property setter executes OS commands during deserialization; discovered via timing-based property brute force with sleep; exfiltrate flag by copying to webroot.

$ ls tags/ techniques/

rce linux command_execution nginx deserialization dotnet decoy_flag aspnet_core json_net typenamehandling newtonsoft_json

decoy_flag_avoidancejson_net_typenamehandling_type_injectionapplication_specific_gadget_chaintiming_based_property_discoveryfile_write_to_webroot_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 170 — PulseGuard — SnakeYAML Deserialization to H2 JDBC OOB Exfiltration— hackadvisor
[web][Pro]Lab 127 — PulseMetric — Insecure Deserialization via Pickle in Agent Report API— hackadvisor
[web][Pro]Lab 138 — PulseGuard — SpEL Injection via Whitelabel Error Page— hackadvisor
[web][Pro]Lab 238 — PulseWatch — SQL Injection in Collector Configuration— hackadvisor
[web][Pro]Lab 247 — PulseGuard — SSTI in Webhook Notification Templates— hackadvisor