What it does

This writeup documents two coordinated sub-challenges: a vulnerable web “honeypot” portal where we harvested six flags through enumeration, SQLi, IDOR, and cookie tampering, and a thick-client Java service where we converted an inert trading request into remote code execution.

How we built it

We scripted every web step to keep the attack reproducible; the scripts can be viewed here. For the Java target we wrote our own client that wrapped the vendor protocol, placed a ysoserial CommonsCollections7 gadget in BuyRequest.data, and let the payload run a Bash command whose output we exfiltrated with ntfy.sh (also detailed here).

Challenges We Ran Into

  • The Java exploit vector stayed murky for hours. We brute-forced negative stock amounts, fiddled with session IDs, and even rebuilt the upstream client before realising deserialisation was the door.
  • Even after spotting the gadget path, our payloads died because the socket parser choked on raw spaces; switching to ${IFS} as the separator finally proved the attack chain was correct.

Accomplishments that we're proud of

  • We've got all the flags!
  • We also identified an “infinite money” logic flaw by buying and selling negative stock quantities.
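The defender's side of both findings (the deserialised BuyRequest.data and the negative-quantity flaw), as an added example that is not the challenge's code or ours: a request reader that applies a JDK deserialization allow-list so only the request type itself can be reconstructed, and rejects non-positive quantities. `BuyRequest`, its fields and its default-package name are assumptions.

```java
import java.io.*;

public final class SafeRequestReader {
    // Allow-list filter (java.io.ObjectInputFilter, JDK 9+): only BuyRequest and String
    // may be deserialized; "!*" rejects every other class, so a Commons-Collections
    // gadget graph is refused before any of its code runs. Primitive arrays (byte[])
    // are UNDECIDED by the pattern filter and therefore still pass.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "BuyRequest;java.lang.String;!*;maxdepth=3;maxbytes=65536");
    static BuyRequest read(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(FILTER);                  // must precede readObject()
            BuyRequest req = (BuyRequest) in.readObject();    // InvalidClassException if rejected
            // Business-rule check against the "infinite money" flaw: no zero/negative quantity.
            if (req.quantity <= 0) {
                throw new IllegalArgumentException("quantity must be > 0, got " + req.quantity);
            }
            return req;   // req.data stays opaque bytes, never re-deserialized or passed to a shell
        }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample messages; there is no real trading service behind them.
        System.out.println("accepted: " + read(serialize(new BuyRequest("ACME", 10, new byte[]{1}))).symbol);
        try {   // a HashMap stands in for any object graph that is not a BuyRequest
            read(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
        try {
            read(serialize(new BuyRequest("ACME", -5, new byte[0])));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by rule: " + e.getMessage());
        }
    }
}

// Hypothetical request type; the field names are assumptions, not the challenge's real class.
final class BuyRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String symbol; final long quantity; final byte[] data;
    BuyRequest(String symbol, long quantity, byte[] data) {
        this.symbol = symbol; this.quantity = quantity; this.data = data;
    }
}
```

Run it as a single-file program (`java SafeRequestReader.java`); the second message is refused with filter status REJECTED and the third by the quantity rule.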
