# Too Many Credits

TAMUctf 2020 - Web.

# TAMUctf 2020 : Too Many Credits

### Challenge details

| Event | Challenge | Category | Points | Solves |
|---|---|---|---|---|
| TAMUctf 2020 | Too Many Credits | Web | 432 | 71 |

### Description

Okay, fine, there’s a lot of credit systems. We had to put that guy on break; seriously concerned about that dude.
Anywho. We’ve made an actually secure one now, with Java, not dirty JS this time. Give it a whack?
If you get two thousand million credits again, well, we’ll just have to shut this program down.
Even if you could get the first flag, I bet you can’t pop a shell!
http://toomanycredits.tamuctf.com

### TL;DR

Too Many Credits was a web challenge built around an unsafe Java object deserialization vulnerability. It resulted in a blind RCE, obtained with a ysoserial payload.

### Discover vulnerability

As this is a web challenge, I opened the given URL in a web browser; the index page looked like this:

When we click the button, a request is sent and the credit count is incremented by one. Looking at the requests, we do not see any parameters. However, our cookie changes on each request:

• Counter: “H4sIAAA…5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6MbCWJeaUplYUMEAAIwCwY0JiUgAAAA==”
• Counter: “H4sIAAA…5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6MbCWJeaUplYUMEAAEwAKMkv7UgAAAA==”

The “Counter” cookie looks like base64 encoded data. Let’s decode it:

```sh
echo "H4sIAAAAAAAAAFvzloG1uIhBNzk/Vy+5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6MbCWJeaUplYUMEAAIwCwY0JiUgAAAA==" | base64 -d
```

```
(binary output, mostly non-printable bytes)
```

The output is unreadable, so maybe the data is compressed. The base64 prefix `H4sI` decodes to the bytes `1f 8b 08`, which is the gzip magic number, so let's try gzip (note that if you edit your cookie with a random value, you get a gzip error from the website). I decided to use gzip/gunzip:

```sh
echo "H4sIAAAAAAAAAFvzloG1uIhBNzk/Vy+5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6MbCWJeaUplYUMEAAIwCwY0JiUgAAAA==" | base64 -d | gunzip
```

```
��sr-com.credits.credits.credits.model.CreditCount2	�	$GJvaluexp
```

Bingo! It looks like a Java serialized object: the class name `com.credits.credits.credits.model.CreditCount` and a field named `value` are readable in the output. Let's look at the difference between our first two cookies. Since the output contains non-printable characters, I used xxd to get a hexadecimal view of each:

```sh
echo "H4sIAAAAAAAAAFvzloG1uIhBNzk/Vy+5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6MbCWJeaUplYUMEAAIwCwY0JiUgAAAA==" | base64 -d | gunzip | xxd > c1.raw
echo "H4sIAAAAAAAAAFvzloG1uIhBNzk/Vy+5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6MbCWJeaUplYUMEAAEwAKMkv7UgAAAA==" | base64 -d | gunzip | xxd > c2.raw
cat c1.raw c2.raw
```

```
00000000: aced 0005 7372 002d 636f 6d2e 6372 6564  ....sr.-com.cred
00000010: 6974 732e 6372 6564 6974 732e 6372 6564  its.credits.cred
00000020: 6974 732e 6d6f 6465 6c2e 4372 6564 6974  its.model.Credit
00000030: 436f 756e 7432 09db 1214 0924 4702 0001  Count2.....$G...
00000040: 4a00 0576 616c 7565 7870 0000 0000 0000  J..valuexp......
00000050: 0001                                     ..
00000000: aced 0005 7372 002d 636f 6d2e 6372 6564  ....sr.-com.cred
00000010: 6974 732e 6372 6564 6974 732e 6372 6564  its.credits.cred
00000020: 6974 732e 6d6f 6465 6c2e 4372 6564 6974  its.model.Credit
```
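To confirm what the cookie carries without eyeballing xxd output, here is an added Python decoder (my own code, not part of the original writeup or the challenge) that unwraps the two captured cookies, checks for the gzip and Java serialization magic bytes, and parses the single long field of the `CreditCount` class descriptor laid out in the dump above. The same `ac ed 00 05` check is what a server-side guard or a WAF rule looks for before any untrusted bytes reach `ObjectInputStream`.

```python
import base64
import gzip
import struct

# The two Counter cookies captured in the writeup (first and second click on the button).
COOKIE_1 = ("H4sIAAAAAAAAAFvzloG1uIhBNzk/Vy+5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6"
            "MbCWJeaUplYUMEAAIwCwY0JiUgAAAA==")
COOKIE_2 = ("H4sIAAAAAAAAAFvzloG1uIhBNzk/Vy+5KDUls6QYg87NT0nN0XMG85zzS/NKjDhvC4lwqrgzMTB6"
            "MbCWJeaUplYUMEAAEwAKMkv7UgAAAA==")
GZIP_MAGIC = b"\x1f\x8b"
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC followed by STREAM_VERSION 5

def is_java_object_stream(blob: bytes) -> bool:
    """Detection check: bytes starting with ac ed 00 05 are a Java serialization stream."""
    return blob.startswith(JAVA_STREAM_MAGIC)

def decode_counter_cookie(cookie: str) -> dict:
    """Unwrap base64 -> gzip -> Java object stream and parse the one-field class descriptor."""
    raw = base64.b64decode(cookie)
    if not raw.startswith(GZIP_MAGIC):
        raise ValueError("cookie is not gzip data")
    stream = gzip.decompress(raw)          # also verifies the gzip CRC32 trailer
    if not is_java_object_stream(stream):
        raise ValueError("payload is not a Java object stream")
    # Layout seen in the xxd dump: TC_OBJECT TC_CLASSDESC, u2 name length, class name,
    # 8-byte serialVersionUID, flags byte, u2 field count, per field a typecode + u2 length
    # + name, then TC_ENDBLOCKDATA TC_NULL (no superclass) and the primitive field values.
    if stream[4:6] != b"\x73\x72":
        raise ValueError("expected TC_OBJECT followed by TC_CLASSDESC")
    pos = 6
    (name_len,) = struct.unpack_from(">H", stream, pos); pos += 2
    class_name = stream[pos:pos + name_len].decode("ascii"); pos += name_len
    (suid,) = struct.unpack_from(">q", stream, pos); pos += 8
    flags = stream[pos]; pos += 1          # 0x02 = SC_SERIALIZABLE
    (field_count,) = struct.unpack_from(">H", stream, pos); pos += 2
    fields = []
    for _ in range(field_count):
        typecode = chr(stream[pos]); pos += 1
        (flen,) = struct.unpack_from(">H", stream, pos); pos += 2
        fields.append((typecode, stream[pos:pos + flen].decode("ascii"))); pos += flen
    if stream[pos:pos + 2] != b"\x78\x70":
        raise ValueError("unexpected end of class descriptor")
    pos += 2
    values = {}
    for typecode, fname in fields:
        if typecode != "J":                # only the long ('J') field of CreditCount is handled
            raise ValueError(f"unhandled field type {typecode!r}")
        (values[fname],) = struct.unpack_from(">q", stream, pos); pos += 8
    return {"class": class_name, "serialVersionUID": suid, "flags": flags, "fields": values}
```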

### Flags

gigem{l0rdy_th15_1s_mAny_cr3d1ts}
gigem{da\$h_3_1s_A_l1f3seNd}

It was a nice challenge. I got stuck at the beginning of part 2 because of the blind RCE and the fact that even the sleep command didn't work for me, which is why I decided to dig deeper.

Zeecka