@conikeec
Last active April 23, 2024 01:36
# Preparatory Steps (Only needs to be done once!)
-------------------------------------------------
1. Install Java
-----------
(MAC) https://tejaksha-k.medium.com/a-step-by-step-guide-to-installing-java-on-macos-5188bfdf99d7
(WIN) https://www.java.com/download/ie_manual.jsp
2. Install Maven
-----------
(MAC) https://www.digitalocean.com/community/tutorials/install-maven-mac-os
(WIN) https://phoenixnap.com/kb/install-maven-windows
3. Install Git
-----------
(MAC) https://git-scm.com/download/mac
(WIN) https://git-scm.com/download/win
4. Setup Github
------------
https://docs.github.com/en/get-started/onboarding/getting-started-with-your-github-account
5. Setup PreZero
-------------
https://docs.shiftleft.io/sast/getting-started/setup
Blog Reference
--------------
6. https://blog.shiftleft.io/java-deserialization-vulnerability-found-to-be-widespread-across-saas-vendor-sdks-8e7ec3dfc5fa
Project Preparation
-------------------
Download bait project
7. git clone https://github.com/conikeec/jackspoilt.git
8. `cd jackspoilt`
## compile and package
9. mvn clean package
## verify that gadgets are available to exploit (refer to the blog)
10. mvn dependency:tree
# (on a separate terminal) Start application server
11. java -jar target/jackspoilt-1.0-SNAPSHOT.jar
## Exploit preparation: spin up another terminal
12. cd jackspoilt
# create the exploit by editing ./master/exploit/Exploit.java
# the current version writes errors to the log and spawns a calculator on OSX
# (for a Linux-based OS, revise the line to specify an exploit command of your choice)
# Modify here https://github.com/conikeec/jackspoilt/blob/master/exploit/Exploit.java#L13
13.
For Windows: `calc`
For Mac: `open -a Calculator`
14.
# Compile the exploit
# compile ./master/exploit/Exploit.java
15.
rm attackscripts/attack.json
16.
mvn exec:java -D"exec.mainClass"="EncodeExploit"
# The command above creates attack.json in the attackscripts directory (view it)
more attackscripts/attack.json
## Run the exploit
# Ensure that the service is running in the other terminal
# exercise the web routes
17.
./add.sh
./list.sh
# This command injects the malicious payload and triggers the gadget chain; you should see the calculator pop up
# (Edit exploit/Exploit.java to add your exploit command of choice)
18.
./exploit.sh
After step 18, kill the running Java process by pressing `control-c` in the terminal
-- the section above completes the base setup needed to demonstrate the exploit
19. In step (5) you already set up an account and downloaded `sl`. Head here https://app.shiftleft.io/organization/overview
and copy over your organization_id and Slack Gabe to enable AutoFix for your org
20. If (5) and (19) are completed successfully, you should now be able to analyze apps
21. Let's analyze the bait project using the following command
`sl analyze --wait --javasrc --app jackspoilt --verbose --force --oss-project-dir /[YOUR_FOLDER]/jackspoilt /[YOUR_FOLDER]/jackspoilt`
Replace [YOUR_FOLDER] with your absolute path (just `cd` to the project folder and type `pwd`)
22. The analysis will run in verbose mode and you should see detailed logs. Once complete, head to the dashboard,
click on the app, then search for any findings that say log_forging, deserialization, etc., open the details
and go to the AutoFix tab. There should be a fix recommendation that alludes to replacing this line
`private static ObjectMapper deserializer = new ObjectMapper().enableDefaultTyping();` with
`private static ObjectMapper deserializer = new ObjectMapper();` here https://github.com/conikeec/jackspoilt/blob/master/src/main/java/io/shiftleft/jackspoilt/App.java#L22
23. After step (22), save the file and repeat step 9, 10, 11
24. The server is restarted
25. Repeat step 18 and now the calculator does not pop, which indicates that the fix worked
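Why the one-line change in step 22 closes the hole: `enableDefaultTyping()` lets the JSON name the Java class that an `Object`-typed property is deserialized into, so the payload picks the class (and, with the right gadgets on the classpath, what runs). With a plain `ObjectMapper`, the same JSON is just an array. The example below is added here and is not part of the jackspoilt project; it assumes jackson-databind 2.10+ on the classpath, and the class names `DefaultTypingDemo`, `Note` and `Marker` and the JSON payloads are constructed for the demo. It goes one step beyond the page by also showing Jackson's allowlist API for the case where polymorphic typing is genuinely required.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;

// Added example (not the jackspoilt project's code). Assumes jackson-databind 2.10+.
public class DefaultTypingDemo {

    // A bean with an Object-typed property: the exact shape default typing applies to
    public static class Note {
        public Object data;
    }

    // Harmless stand-in for "whatever class the JSON names" (hypothetical class)
    public static class Marker {
        public String name;
    }

    // Constructed payload in Jackson's WRAPPER_ARRAY form: ["className", value]
    static final String PAYLOAD =
        "{\"data\":[\"" + Marker.class.getName() + "\",{\"name\":\"x\"}]}";

    // Vulnerable configuration, as in App.java before the fix
    @SuppressWarnings("deprecation")
    public static Class<?> vulnerableMapper() throws Exception {
        ObjectMapper mapper = new ObjectMapper().enableDefaultTyping();
        Note note = mapper.readValue(PAYLOAD, Note.class);
        // The JSON chose the class: note.data is a DefaultTypingDemo$Marker instance
        return note.data.getClass();
    }

    // Fixed configuration, as the AutoFix recommendation suggests
    public static Class<?> fixedMapper() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        Note note = mapper.readValue(PAYLOAD, Note.class);
        // The class name is now just a string element: note.data is a java.util.ArrayList
        return note.data.getClass();
    }

    // If polymorphic typing is genuinely needed, restrict it with an allowlist (Jackson 2.10+)
    public static String allowlistedMapper(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper().activateDefaultTyping(
            BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Marker.class)   // only this class may be named in JSON
                .build(),
            ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE); // same scope as enableDefaultTyping()
        try {
            Note note = mapper.readValue(json, Note.class);
            return "accepted " + note.data.getClass().getName();
        } catch (InvalidTypeIdException e) {
            // Any class outside the allowlist is refused before it is instantiated
            return "rejected " + e.getTypeId();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("enableDefaultTyping(): data is " + vulnerableMapper().getName());
        System.out.println("new ObjectMapper():    data is " + fixedMapper().getName());
        System.out.println("allowlist, listed class:   " + allowlistedMapper(PAYLOAD));
        // Constructed payload naming a class that is not on the allowlist
        String other = "{\"data\":[\"java.util.HashMap\",{}]}";
        System.out.println("allowlist, unlisted class: " + allowlistedMapper(other));
    }
}
```

Compile and run it with jackson-databind on the classpath; the first line shows the payload-selected class being instantiated, the second shows the same JSON landing as an `ArrayList` after the fix. The allowlist variant is the right choice only when the application actually relies on polymorphic deserialization; the bait project does not, so dropping `enableDefaultTyping()` entirely, as step 22 recommends, is the correct fix there.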
---
Adios