PortSwigger Insecure Deserialization — Lab 3

ARZ101
Jul 30, 2022

Using application functionality to exploit insecure deserialization

In this lab we need to modify the serialized cookie for one of the accounts, wiener or gregg, and delete morale.txt from the carlos user's home directory.

We can log in with the credentials wiener:peter. We are also given another account, gregg:rosebud, and we'll see the purpose of the gregg user below.

We can grab the user's cookie and see that it's a serialized cookie which is base64 encoded:

O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"evc58p8rx44g58fzvikyrajffjmtfn8q";s:11:"avatar_link";s:19:"users/wiener/avatar";}

To understand what's happening in the cookie:

  • O:4 represents the object User, whose class name is 4 characters long and which has 3 attributes
  • s:8 represents the string attribute username, of character length 8, which has the string value wiener of length 6
  • s:12 represents the string attribute access_token, of character length 12, which has a random value of 32 characters
  • s:11 represents the string attribute avatar_link, of character length 11, whose value users/wiener/avatar (character length 19) is the path where the avatar is stored

The application also has an option to delete the account, which also deletes the avatar users/wiener/avatar. This is probably the reason why we are given two accounts, in case we fail to exploit the application's functionality with wiener.

To solve the lab we need to delete morale.txt from carlos's home directory, so we need to change the avatar path to /home/carlos/morale.txt:

O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"jg6c74hrhfs1r1y44n0arp5hmux7zem2";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}

After replacing the cookie and clicking the delete account button, the lab is solved.
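The delete works because the server trusts avatar_link from the client. As an added example (not code from the lab or from this write-up), here is a server-side check in Python that parses the cookie format described above and rejects the modified one; `AVATAR_ROOT`, the function names and the allowed username characters are assumptions.

```python
import base64
import posixpath
import re

# Constructed samples: the two serialized objects shown on this page, base64-encoded.
ORIGINAL = base64.b64encode(b'O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"evc58p8rx44g58fzvikyrajffjmtfn8q";s:11:"avatar_link";s:19:"users/wiener/avatar";}').decode()
TAMPERED = base64.b64encode(b'O:4:"User":3:{s:8:"username";s:6:"wiener";s:12:"access_token";s:32:"jg6c74hrhfs1r1y44n0arp5hmux7zem2";s:11:"avatar_link";s:23:"/home/carlos/morale.txt";}').decode()
AVATAR_ROOT = "users"  # assumption: avatars live under users/<username>/avatar

def parse_user_cookie(cookie_b64):
    """Return the string attributes of a base64 PHP-serialized User object as a dict."""
    raw = base64.b64decode(cookie_b64, validate=True)
    header = re.match(rb'O:4:"User":(\d+):\{', raw)
    if not header:
        raise ValueError("not a serialized User object")
    pos, strings = header.end(), []
    while raw[pos:pos + 1] != b"}":
        m = re.compile(rb's:(\d+):"').match(raw, pos)  # s:<byte length>:"<value>";
        if not m:
            raise ValueError("unexpected token at offset %d" % pos)
        start, length = m.end(), int(m.group(1))
        end = start + length
        if raw[end:end + 2] != b'";':
            raise ValueError("declared length does not match value")
        strings.append(raw[start:end].decode("utf-8"))
        pos = end + 2
    if len(strings) != 2 * int(header.group(1)):
        raise ValueError("attribute count mismatch")
    return dict(zip(strings[0::2], strings[1::2]))

def avatar_path_is_safe(user):
    """True only if avatar_link is exactly users/<username>/avatar after normalisation."""
    name, link = user.get("username", ""), user.get("avatar_link", "")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        return False
    expected = posixpath.join(AVATAR_ROOT, name, "avatar")
    return not posixpath.isabs(link) and posixpath.normpath(link) == expected
```

A path check like this only narrows what a tampered cookie can reach; the underlying fix is to derive the avatar path server-side from the authenticated session, or to verify an integrity signature before deserializing.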
