| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | Insecure Deserialization — Java, Pre-Built Gadget Chain via ysoserial |
| Difficulty | Practitioner |
| Objective | Generate a malicious serialized object containing an RCE payload and use it to delete morale.txt from Carlos's home directory |
| Note | No source code access; the app loads Apache Commons Collections |

Exploiting Java Deserialization with Apache Commons

I logged in as wiener:peter and intercepted the /my-account request:

Screenshot

The session cookie decodes from base64 to binary rather than readable text — the rO0AB prefix (the base64 encoding of the AC ED 00 05 stream header) is the giveaway for a Java serialized object, not a human-readable PHP-style object like the previous labs.
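As an added, defensive example (not part of this writeup), the Python check below flags request cookies that carry a Java serialization stream by the AC ED 00 05 header behind the rO0AB signature described above; the class-descriptor bytes in the sample cookie are a constructed placeholder, not a real payload.

```python
import base64
import binascii
from typing import List, Optional
from urllib.parse import quote, unquote

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
# Base64-encoded, these four bytes always start with "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def decode_cookie(value: str) -> Optional[bytes]:
    """URL-decode, then strictly base64-decode a cookie value; None if not base64."""
    raw = unquote(value)
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_java_serialized(value: str) -> bool:
    """True when the decoded cookie begins with the Java stream header."""
    data = decode_cookie(value)
    return data is not None and data.startswith(JAVA_STREAM_MAGIC)


def scan_cookies(cookie_header: str) -> List[str]:
    """Return the names of cookies in a Cookie header whose value is a Java stream."""
    hits = []
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        if is_java_serialized(value):
            hits.append(name)
    return hits


# Constructed samples: a Java header followed by TC_OBJECT/TC_CLASSDESC tags and a
# placeholder class name, versus a PHP-style serialized object from the earlier labs.
SAMPLE_JAVA = quote(base64.b64encode(JAVA_STREAM_MAGIC + b"sr\x00\x0bHypothetical").decode())
SAMPLE_PHP = quote(base64.b64encode(b'O:4:"User":1:{s:8:"username";s:6:"wiener";}').decode())

if __name__ == "__main__":
    header = f"session={SAMPLE_JAVA}; theme=dark; legacy={SAMPLE_PHP}"
    print("Java-serialized cookies:", scan_cookies(header))  # ['session']
```

A WAF or log pipeline can apply the same header check to any base64-looking parameter, since a legitimate session token is rarely a raw Java object.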

Without source code access, building a gadget chain from scratch isn't feasible. Apache Commons Collections is a Java library known for containing usable deserialization gadget chains, and ysoserial is the standard tool for generating serialized Java payloads that exploit them — it ships multiple CommonsCollections variants targeting different library versions.

Screenshot

Without knowing the exact Commons Collections version running, the approach is to iterate through the variants until one lands. After resolving Java 16+ compatibility issues (newer JVM module restrictions require additional --add-opens flags for ysoserial to generate output at all), generating the payload:

Screenshot
java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64 -w 0; echo

-w 0 disables line wrapping so the base64 output is a single compact string. Pasting the result into Burp's Inspector to get the URL-encoded version, then setting it as the session cookie:

Screenshot
Screenshot

The server deserialized the malicious object, the gadget chain triggered, and rm /home/carlos/morale.txt executed server-side. The payload delivery is the same as previous labs — cookie manipulation — the novelty here is needing an external tool to build the binary serialized payload rather than hand-crafting a text format.

Lab solved u,u

Resources