Repository: PeterMosmans/deserialization-lab (https://github.com/PeterMosmans/deserialization-lab)
Description: Learn about insecure deserialization attacks
Language: JavaScript; license: GPL-3.0; created 2022-12-20; last pushed 2022-12-22

# Exfiltrating Data Using JavaScript Deserialization Attacks

## Introduction

As part of the Dark Kittens group that's attacking Globomantics, it's your turn
to try to get your hands on one of their highly sensitive documents.

You suspect that a Globomantics web server contains an insecure
deserialization vulnerability. By carefully crafting an exploit, and setting up
a Dark Kittens exfiltration server, you might succeed in exfiltrating the
`/root/secrets.txt` file from the web server...

After finishing this lab, you will understand how to find and exploit a
"Deserialization of Untrusted Data" vulnerability in Node.js. Furthermore, you
will know how to exfiltrate sensitive data using the "Exfiltration Over Web Service"
technique.

### Lab setup

This lab consists of two servers: a vulnerable Globomantics web server named
`tmo`, and a Dark Kittens web server named `nest`. Furthermore, we will use
several command line tools to make our life as a Dark Kitten as easy as possible:
`curl`, the Node.js interactive shell `node`, and `inotifywait`.

### Take Me Out application

`tmo` seems to be a "Take Me Out" web application server: a server which
matches dogs with people wanting to take them out. Apparently you can post JSON
objects containing take-me-out requests to the `/request` endpoint, after which
the server processes the request. This server runs in the Globomantics network,
to which you have web access.

### Exfiltration server

`nest` is a simple HTTP web server which shows you what kind of data is being
posted to it. Servers like this are often used to exfiltrate data over the HTTP
protocol. The server is accessible from the Globomantics network.

## Installation

To help you get started, both servers, `tmo` as well as `nest`, will be
built and started automatically. This way, you can focus on finding and
exploiting the insecure deserialization vulnerability.

On a Debian Linux distribution (for example Kali), in a root terminal window,
execute the command

```bash
curl https://raw.githubusercontent.com/PeterMosmans/deserialization-lab/main/install.sh | bash
```

This will download the repository containing all required files, install the
necessary tools, and start both servers.

:blue_book: **Note**: Several tools, modules and configuration
settings will be installed "system-wide". The setup script is meant to be
run in a "lab environment".

Be advised that the terminal remains open: this is by design. Server log
messages from `nest` are shown, which can help you in executing the exfiltration
part of the attack.

:blue_book: **Note**: If you want to see what's going on with `tmo`, you can
view its logs using the command `docker logs tmo`. However, usually you are
unable to view the logs of the server that you are attacking.

As you will be using multiple applications (terminals and editors) at the same
time, it makes sense to split the screen into two parts, and/or use two
desktops.

See the [Lab instructions](Lab_instructions.md) for the lab itself.