Summary

This module is for students looking to refine their knowledge of deserialization vulnerabilities specifically in regards to custom exploit development and whitebox testing; it aims to teach students enough about .NET deserialization and exploit development that they become comfortable exploiting such vulnerabilities on their own.

This module is divided up as follows:

Introduction: A brief refresher on Deserialization Attacks and an introduction to the module.
Identifying Deserialization Vulnerabilities: We discuss how to decompile a .NET application so that we may identify vulnerabilities as well as how to debug without source code.
Exploiting Deserialization Vulnerabilities: We tackle 3 unique deserialization vulnerabilities using custom exploits.
Defending against Deserialization Vulnerabilities: We discuss how to develop .NET applications securely to prevent deserialization attacks from happening.
Skills Assessment: Put your skills to the test against a custom target vulnerable to deserialization attacks.

This module is broken into sections with accompanying hands-on exercises to practice each of the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

You can start and stop the module at any time and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.

As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section. You can do this in the PwnBox provided in the interactive sections or your virtual machine.

A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

Introduction to Deserialization Attacks
Introduction to C#

Introduction

Introduction to .NET Deserialization Attacks

Note: To fully grasp the concepts taught throughout this module, it is expected that you have some basic understanding of deserialization vulnerabilities, as well as basic programming skills, preferably in C#/.NET. Despite the module offering a pre-customized Windows VM for exploit development in some of the sections, having a local one will be beneficial.

Serialization is the process of converting an object from memory into a series of bytes. This data is then stored or transmitted over a network. Subsequently, it can be reconstructed later by a different program or in a different machine environment. Conversely, deserialization is the reverse action, wherein serialized data is reconstructed back into the original object. However, when an application deserializes user-controlled data, there is a risk of deserialization vulnerabilities occurring, which may be exploited to achieve objectives such as remote code execution, object injection, arbitrary file read, and denial of service.

Many programming languages, including Java, Ruby, Python, and PHP, offer serialization and deserialization runtime libraries. The Introduction to Deserialization Attacks module covered fundamental deserialization attacks targeting web applications that use PHP and Python for the backend.

C#, Microsoft's flagship programming language, which utilizes the .NET framework, also provides multiple serialization technologies; moreover, it is the primary language developers use while building Internet-connected apps with ASP.NET Core, a widely used web development framework employed by numerous websites worldwide.

Understanding how to identify and exploit .NET deserialization vulnerabilities not only strengthens our offensive security toolkit significantly but also provides insights into how threat actors achieved RCE after exploiting CVE-2023-34362 - the MOVEit vulnerability that wreaked havoc globally.

There are three main serialization technologies in .NET: JSON serialization, XML and SOAP serialization, and Binary serialization:

JSON serialization: Serialize .NET objects to and from JavaScript Object Notation (JSON).
XML and SOAP serialization: Serialize only the public properties and fields of objects, not preserving type fidelity.
Binary serialization: Records the complete state of the object and preserves type fidelity; when deserializing an object, an exact copy is created.

This module will cover deserialization attacks from a white-box approach, exploiting vulnerabilities caused by JSON, XML, and Binary serializers available to .NET developers.

We will start with the decompilation of a binary file to retrieve the source code, identify potentially vulnerable code sections, and set up debugging to aid in exploit development. Later, we will look into recreating two well-known gadget chains and using them to exploit three unique deserialization vulnerabilities in a custom application. Following this, we will look at the target application from a developer's point of view, and how the vulnerabilities we discover could be patched as well as how vulnerabilities could be avoided in the future. To finish off the module, you will be tasked with identifying and exploiting a custom deserialization vulnerability on your own.

Although deserialization vulnerabilities affect applications developed in many languages, for this module we will focus on C#/.NET. The techniques learned can be repurposed to work with other languages, such as Java.

A Brief History of Deserialization Vulnerabilities

Deserialization vulnerabilities have been public knowledge for a long time, but interest exploded in 2015 when the Apache Commons Collections gadget was discovered. A brief timeline of milestones in deserialization vulnerabilities and attacks is listed below:

2007: First registered deserialization vulnerability (CVE-2007-1701) allows attackers to execute arbitrary code via PHP's session_decode.
2011: First "gadget-based" deserialization vulnerability (CVE-2011-2894) uses Proxy and InvocationHandler to achieve arbitrary code execution upon deserialization against the Spring Framework.
2012: The White paper "Are you my Type?" is published, discussing .NET serialization and CVE-2012-0160 which was a deserialization vulnerability in the .NET Framework leading to arbitrary code execution.
2015: The Apache Commons Collections gadget is discovered (CVE-2015-4852, CVE-2015-7501) which allows attackers to achieve arbitrary code execution against many more Java applications. ysoserial is released at AppSecCali 2015 which allows attackers to automatically generate deserialization payloads using the Apache Commons Collections gadget.
2017: The white paper 'Friday the 13th JSON Attacks' was released, addressing deserialization vulnerabilities in .NET. It also introduced 'YSoSerial.NET,' a tool enabling attackers to generate deserialization payloads for .NET using a handful of gadgets.

Target WebApp: TeeTrove

Throughout this module, we will analyze and attack a website named TeeTrove, an e-commerce marketplace specializing in selling custom-designed attire. We were commissioned by the company behind TeeTrove to conduct a white-box penetration test on the application with the goal being remote code execution. To conduct the assessment, the company provided us with the compiled deployment files and the necessary credentials.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Sections

Introduction PREVIEW
Decompiling .NET Applications
Identifying Vulnerable Functions
Debugging .NET Applications
The ObjectDataProvider Gadget
Example 1: JSON
Example 2: XML
The TypeConfuseDelegate Gadget
Example 3: Binary
Automating Exploitation with YSoSerial.NET
Preventing Deserialization Vulnerabilities
Patching Deserialization Vulnerabilities
Skills Assessment

Relevant Paths

This module progresses you towards the following Paths

Senior Web Penetration Tester

The Senior Web Penetration Tester Job Role Path is designed for individuals who aim to develop skills in identifying advanced and hard-to-find web vulnerabilities using both black box and white box techniques. This path encompasses advanced-level training in web security, web penetration testing, and secure coding concepts. It also provides a deep understanding of the application debugging, source code review, and custom exploit development aspects of web security. Equipped with the necessary theoretical background, multiple practical exercises, and a proven methodology for web vulnerability identification, students will eventually be capable of performing professional security assessments against modern and highly secure web applications, as well as effectively reporting vulnerabilities found in code or arising from logical errors.

Hard

245 Sections

Required: 7500

Reward: +1500

15 Modules included

Injection Attacks

Medium

15 Sections

Reward: +100

This module covers three injection attacks: XPath injection, LDAP injection, and HTML injection in PDF generation libraries. While XPath and LDAP injection vulnerabilities can lead to authentication bypasses and data exfiltration, HTML injection in PDF generation libraries can lead to Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), and other common web vulnerabilities. We will cover how to identify, exploit, and prevent each of these injection attacks.

Introduction to NoSQL Injection

Medium

12 Sections

Reward: +100

In this module, we will look at exploiting NoSQL injection vulnerabilities, specifically MongoDB, with examples in Python, PHP, and Node.JS.

Attacking Authentication Mechanisms

Medium

20 Sections

Reward: +100

Authentication plays an essential role in almost every web application. If a vulnerability arises in the application's authentication mechanism, it could result in unauthorized access, data loss, or potentially even remote code execution, depending on the application's functionality. This module will provide an overview of various access control methods, such as JWT, OAuth, and SAML, and potential attacks against each.

Advanced XSS and CSRF Exploitation

Medium

17 Sections

Reward: +100

Modern web browsers and applications utilize a variety of security measures to protect against CSRF and XSS vulnerabilities, rendering their exploitation more difficult. This module focuses on exploiting advanced CSRF and XSS vulnerabilities, identifying and bypassing weak and wrongly implemented defensive mechanisms.

HTTPs/TLS Attacks

Medium

15 Sections

Reward: +100

This module covers details on Transport Layer Security (TLS) and how it helps to make HTTP secure with the widely used HTTPS. That includes how TLS works, how TLS sessions are established, common TLS misconfigurations, as well as famous attacks on TLS. We will discuss how to identify, exploit, and prevent TLS attacks.

Abusing HTTP Misconfigurations

Hard

20 Sections

Reward: +100

This module covers three common HTTP vulnerabilities: Web Cache Poisoning, Host Header Vulnerabilities, and Session Puzzling or Session Variable Overloading. These vulnerabilities can arise on the HTTP level due to web server misconfigurations, other systems that have to be considered during real-world deployment such as web caches, or coding mistakes in the web application. We will cover how to identify, exploit, and prevent each of these vulnerabilities.

HTTP Attacks

Hard

18 Sections

Reward: +100

This module covers three HTTP vulnerabilities: CRLF Injection, HTTP Request Smuggling, and HTTP/2 Downgrading. These vulnerabilities can arise on the HTTP level in real-world deployment settings utilizing intermediary systems such as reverse proxies in front of the web server. We will cover how to identify, exploit, and prevent each of these vulnerabilities.

Blind SQL Injection

Hard

16 Sections

Reward: +100

In this module, we cover blind SQL injection attacks and MSSQL-specific attacks.

Intro to Whitebox Pentesting

Hard

18 Sections

Reward: +100

Whitebox penetration testing enables thorough testing to identify various hard-to-find vulnerabilities. This module covers the process of whitebox pentesting and follows that with a practical demo by exploiting an advanced code injection vulnerability.

Modern Web Exploitation Techniques

Hard

18 Sections

Reward: +100

This module covers advanced web concepts and exploitation techniques, including performing DNS Rebinding to bypass faulty SSRF filters and the Same-Origin Policy, identifying and exploiting Second-Order vulnerabilities, and conducting common web attacks via WebSocket connections.

Introduction to Deserialization Attacks

Hard

15 Sections

Reward: +100

In this module, we will explore deserialization attacks with specific examples in Python and PHP.

Whitebox Attacks

Hard

15 Sections

Reward: +100

This module explores several web vulnerabilities from a whitebox approach: Prototype Pollution, Timing Attacks & Race Conditions, and those arising from Type Juggling. We will discuss how to identify, exploit, and prevent each vulnerability.

Advanced SQL Injections

Hard

12 Sections

Reward: +100

This module covers advanced SQL injection techniques with a focus on white-box testing, Java/Spring and PostgreSQL.

Advanced Deserialization Attacks

Hard

13 Sections

Reward: +100

This module focuses on developing custom exploits for .NET deserialization vulnerabilities from a whitebox perspective.

Parameter Logic Bugs

Hard

21 Sections

Reward: +100

This 'secure coding' module teaches how to identify logic bugs through code review and analysis, and covers three types of logic bugs caused by user input manipulation.

V&M Products

Training path for new starters in V and M Products group. Focussing on - Windows Desktop and Server exploitation - Active Directory - NTLM and Kerberos - .Net Derserialization - Hardware attacks.

Hard

262 Sections

Required: 2960

Reward: +640

15 Modules included

Intro to Academy

Fundamental

8 Sections

Reward: +10

Your first stop in Hack The Box Academy to become acquainted with the platform, its features, and its learning process.

Getting Started

Fundamental

23 Sections

Reward: +10

This module covers the fundamentals of penetration testing and an introduction to Hack The Box.

Windows Fundamentals

Fundamental

14 Sections

Reward: +10

This module covers the fundamentals required to work comfortably with the Windows operating system.

Intro to Assembly Language

Medium

24 Sections

Reward: +20

This module builds the core foundation for Binary Exploitation by teaching Computer Architecture and Assembly language basics.

Windows Privilege Escalation

Medium

33 Sections

Reward: +20

After gaining a foothold, elevating our privileges will provide more options for persistence and may reveal information stored locally that can further our access in the environment. Enumeration is the key to privilege escalation. When you gain initial shell access to the host, it is important to gain situational awareness and uncover details relating to the OS version, patch level, any installed software, our current privileges, group memberships, and more. Windows presents an enormous attack surface and, being that most companies run Windows hosts in some way, we will more often than not find ourselves gaining access to Windows machines during our assessments. This covers common methods while emphasizing real-world misconfigurations and flaws that we may encounter during an assessment. There are many additional "edge-case" possibilities not covered in this module. We will cover both modern and legacy Windows Server and Desktop versions that may be present in a client environment.

Stack-Based Buffer Overflows on Windows x86

Medium

11 Sections

Reward: +10

This module is your first step into Windows Binary Exploitation, and it will teach you how to exploit local and remote buffer overflow vulnerabilities on Windows machines.

Introduction to Active Directory

Fundamental

16 Sections

Reward: +10

Active Directory (AD) is present in the majority of corporate environments. Due to its many features and complexity, it presents a vast attack surface. To be successful as penetration testers and information security professionals, we must have a firm understanding of Active Directory fundamentals, AD structures, functionality, common AD flaws, misconfigurations, and defensive measures.

Windows Attacks & Defense

Medium

16 Sections

Reward: +20

Microsoft Active Directory (AD) has been, for the past 20+ years, the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Throughout those years, the more integrated our applications and data have become with AD, the more exposed to a large-scale compromise we have become. In this module, we will walk through the most commonly abused and fruitful attacks against Active Directory environments that allow threat actors to perform horizontal and vertical privilege escalations in addition to lateral movement. One of the module's core goals is to showcase prevention and detection methods against the covered Active Directory attacks.

Active Directory Enumeration & Attacks

Medium

36 Sections

Reward: +20

Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we must understand AD architectures and how to secure our enterprise environments. As Penetration testers, having a firm grasp of what tools, techniques, and procedures are available to us for enumerating and attacking AD environments and commonly seen AD misconfigurations is a must.

Active Directory LDAP

Medium

12 Sections

Reward: +100

This module provides an overview of Active Directory (AD), introduces core AD enumeration concepts, and covers enumeration with built-in tools.

NTLM Relay Attacks

Hard

10 Sections

Reward: +100

The NTLM authentication protocol is commonly used within Windows-based networks to facilitate authentication between clients and servers. However, NTLM's inherent weaknesses make it susceptible to Adversary-in-the-Middle attacks, providing a significant attack vector. This module focuses on the various NTLM relay attacks that attackers use to compromise Active Directory networks.

Kerberos Attacks

Hard

23 Sections

Reward: +100

Kerberos is an authentication protocol that allows users to authenticate and access services on a potentially insecure network. Due to its prevalence throughout an Active Directory environment, it presents us with a significant attack surface when assessing internal networks. This module will explain how Kerberos works thoroughly and examines several scenarios to practice the most common attacks against it from multiple perspectives.

Brief Intro to Hardware Attacks

Mini-Module

Medium

8 Sections

Reward: +10

This mini-module concisely introduces hardware attacks, covering Bluetooth risks and attacks, Cryptanalysis Side-Channel Attacks, and vulnerabilities like Spectre and Meltdown. It delves into both historical and modern Bluetooth hacking techniques, explores the principles of cryptanalysis and different side-channel attacks, and outlines microprocessor design, optimisation strategies and vulnerabilities, such as Spectre and Meltdown.

Introduction to Deserialization Attacks

Hard

15 Sections

Reward: +100

In this module, we will explore deserialization attacks with specific examples in Python and PHP.

Advanced Deserialization Attacks

Hard

13 Sections

Reward: +100

This module focuses on developing custom exploits for .NET deserialization vulnerabilities from a whitebox perspective.