In this assignment, you will:
- Find an insecure deserialization vulnerability in an object storage API
- Exploit the vulnerability to gain remote code execution
- Perform reconnaissance to find secrets
- Circumvent network and HTTP filtering to exfiltrate
Insecure deserialization is a vulnerability class that arises when untrusted data is parsed into runtime data. When the deserialization library in use supports parsing code or even invoking code defined on parsed data, arbitrary remote code execution can be gained by an attacker.
You have obtained access to a copy of the vulnerable object storage
API server. It is available in Canvas as source code in
vuln03.py. You should be able to run this code directly
given that the necessary dependencies are installed.
Your goal for this assignment is to locate a deserialization
vulnerability in this API, and exploit it to obtain access to secret
data. You can attempt to exploit a running instance of the API at http://storage.nëu.lol:port/, where
port = 6429 + group.
Locating the Vulnerability
The API builds on the SSRF challenge’s S3 wrapper API server. Study the API endpoint handlers defined in this file.
- Does the API ever perform deserialization? Where?
- What serialization framework is in use? Is it known to have deserialization vulnerabilities?
Once you have achieved remote code execution, you can search the server for secret data to exfiltrate.
If you have achieved remote code execution, you might have noticed that you are unable to transmit outbound traffic. Without that ability, how will you recover any secrets you steal?
- Could you tunnel the data out over a permitted network port?
- Could you return the data over the existing connection?
If you attempt to use the existing connection, the natural option is to directly return the secret as the data returned from the deserialization procedure. However, DevSecOps has noticed strange activity from the API and has applied a security patch that performs additional checks on deserialized data.
- Given the error message
401 no json, no secrets, what could these checks entail?
- Upload a
tgzarchive to Canvas containing the following files:
- A README.md describing what your attack does and the secret(s) you stole
- The source code for your attack
- Extra credit. Implement an additional exfiltration method.