webPromedium

Lab 169 — GridPulse — Insecure Deserialization via Configuration Import

hackadvisor

Task: Java/Spring Boot industrial monitoring platform with config import/export feature that base64-decodes user input and passes it to ObjectInputStream.readObject() without class filtering. Solution: craft CommonsCollections6 gadget chain with Runtime.exec(String[]) for bash -c command execution, exfiltrate /flag.txt via bash /dev/tcp to interaction server.

$ ls tags/ techniques/

rce java insecure_deserialization decoy_flag spring_boot config_import commons_collections gadget_chain ysoserial oob_exfiltration dev_tcp objectinputstream

decoy_flag_avoidancejava_objectinputstream_deserializationcommons_collections_6_gadget_chainruntime_exec_string_array_for_complex_commandsoob_data_exfiltration_via_bash_dev_tcpcustom_ysoserial_payload_generation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 63 — DataPulse — Insecure Deserialization via Preferences Cookie— hackadvisor
[web][Pro]Lab 59 — NetPulse — RCE via Command Injection in Network Diagnostics— hackadvisor
[web][Pro]DevPulse — CSRF via JSON Content-Type Bypass— hackadvisor
[web][Pro]Lab 384 — DevPulse — RCE via AI Log Assistant Prompt Injection— hackadvisor
[web][Pro]Lab 172 — PulseGuard — Insecure Deserialization via JSON.NET TypeNameHandling— hackadvisor