PimpMyRide

By Yaakov Cohen


Let's start: we got a jar file, garage.jar. We decompiled it with this site. You can find the files here.

We noticed that the jar file contained both the client's and the server's code.


Let's take a look at the server code. We see that when the client chooses [3] Save garage, the server serializes the garage object and sends it to the user:


Then the user takes the garage byte array and saves it to a file called "garage":


And when the client asks to [2] Load existing garage, the client takes the garage file and sends it to the server:


Then the server takes that stream and deserializes it into a garage object without performing any checks:


In the garage class we can see a private field, private Employee garageManager;, that is never set. In the code flow of the garageManager class we can see that the function readObject has a custom implementation; this function will be executed when the object is deserialized:


If only we could create a garageManager and change the closeMessageFile attribute from close.txt to /flag.txt...

Wait a second, we can!

So the plan is:

  1. Create a garage object with a modified garageManager.
  2. Send it to the server; during deserialization the garageManager will read /flag.txt into the closeMessage attribute.
  3. Save the garage to a file.
  4. Submit the flag.
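For contrast, here is an added example (not the code from garage.jar) of how the Employee class and the server's load path could be hardened so that this plan fails: the field read from the stream is validated against an allow-list before it drives any file read, and the server applies a JEP 290 deserialization filter. The class names, the messages directory and the allow-list contents are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Set;

// Hypothetical hardened stand-in for the page's Employee/garageManager class (Java 11+).
// Not the code from garage.jar; names and the allow-list are assumptions for illustration.
public class SafeEmployee implements Serializable {
    private static final long serialVersionUID = 1L;

    // Only these bare file names may be loaded while deserializing (constructed allow-list).
    private static final Set<String> ALLOWED_MESSAGE_FILES = Set.of("close.txt", "open.txt");
    private static final Path MESSAGE_DIR = Path.of("messages");

    private String closeMessageFile = "close.txt";
    // transient: never trusted from the stream, always recomputed in readObject.
    private transient String closeMessage;

    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        // closeMessageFile came straight from the (attacker-controlled) stream:
        // validate it before it drives any file I/O, and reject anything unexpected.
        if (closeMessageFile == null || !ALLOWED_MESSAGE_FILES.contains(closeMessageFile)) {
            throw new InvalidObjectException("unexpected closeMessageFile: " + closeMessageFile);
        }
        // Resolving an allow-listed bare name against a fixed directory rules out
        // absolute paths such as /flag.txt and any ../ traversal.
        closeMessage = Files.readString(MESSAGE_DIR.resolve(closeMessageFile));
    }

    public String getCloseMessage() {
        return closeMessage;
    }

    // Server side: the "Load existing garage" path with a JEP 290 deserialization filter.
    // Only the expected classes (plus java.base) are accepted, everything else is rejected,
    // and the stream is bounded so an oversized or deeply nested payload fails early.
    public static Object loadGarage(byte[] garageBytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "Garage;SafeEmployee;java.base/*;!*;maxdepth=8;maxbytes=65536");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(garageBytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // custom readObject hooks run only for accepted classes
        }
    }
}
```

The filter is checked before a class is resolved, so a rejected class never reaches its readObject; the allow-list in readObject then covers the case where the expected class itself carries a hostile field value.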

We modified the garage object:


Created a new garage object:


Sent it to the server: [2] Load existing garage, and got the new garage object from server: [3] Save garage.

In the object file we can see the flag: BSidesTLV{I_Am_Inspector_Gadget}.

Success