Saturday, 6 December 2025
Trending
Top Machine Learning Algorithms You Need to Know in 2025 The Power of Microsoft Database Software The Power of Google Cloud Databases Machine Learning 101: A Beginner's Guide to Understanding the Basics Machine Learning With Applications

Subscribe

Database

Insecure Deserialisation – TryHackMe

By
1
0
0
Share

Insecure deserialization occurs when an application trusts serialized data without proper validation. Serialization is the process of converting an object (data structure) into a byte stream for storage or transmission. Deserialization reverses this process, reconstructing the object from the byte stream. Insecure deserialization arises when this deserialization process happens without validating the integrity or origin of the serialized data.

Insecure Deserialisation - TryHackMe

Insecure Deserialization

Answers for this room:

Task 1:

1) I am ready to start the room.

Ans: No Answer Needed

Task 2:

2) What is the function used in PHP for serialisation?

Ans: serialize()

3) What is the base score for the vulnerability CVE-2015–4852?

Ans: 7.5

4) Does serialisation allow only saving to a byte stream file? (yea/nay)

Ans: nay

Task 3:

5) What is the base64 encoded output after pickling the string You got it in Python? Utilise the notes app found at http://MACHINE_IP:5000.

Ans: gASVNQAAAAAAAACMCF9fbWFpbl9flIwFTm90ZXOUk5QpgZR9lIwFbm90ZXOUXZSMCllvdSBnb3QgaXSUYXNiLg==

6) What is the output after serialising the string You got it in PHP?

Ans: O:5:”Notes”:1:{s:7:”content”;s:10:”You got it”;}

7) What is the renowned binary serialisation module used in Ruby?

Ans: Marshal

Task 4:

8) Visit the URL http://MACHINE_IP/who/index.php and identify what is the user-defined function used for serialisation?

Ans: HelloTHMSerialization

Insecure Deserialisation - TryHackMe

Task 5:

9) What is the flag value after sharing a note with a valid subscription?

Ans: THM{10101}

10) What is the default role value once the user loads the notes application?

Ans: guest

Task 6:

11) What is the flag value after getting the reverse shell?

Ans: THM{GOT_THE_SH#LL}

12) What is the output of the whoami command after getting the shell?

Ans: www-data

Task 7:

13) What is the vector for exploiting CodeIgniter4/FR1 as per the PHPGGC?

Ans: __toString

14) What is the output of the whoami command on the vulnerable Laravel application?

Ans: root

15) What is the output of the uname -r command on the vulnerable Laravel application?

Ans: 5.4.0–1029-aws

Task 8:

16) Is it a good practice to blindly use the eval() function in your code? (yea/nay)

Ans: nay

Task 9:

17) I have successfully completed the room.

Ans: No Answer Needed

Your time is valuable, and I truly appreciate you sharing it. I’m eager to delve into your next blog post.

Stay ConnectedAudit Mania

1
0
0
Share
About author

Articles

Maruf Sheikh is a writer for Audit Mania, offering insightful perspectives on data science and technology. With a thoughtful approach, he blends technical knowledge with an understanding of human behavior.
Related posts
Database

Mastering SQL Injection Attacks Real-Life Case Studies & Future Trends

By
In an era where data is invaluable, the security of your databases and web applications is…
Read more
0
0
Share
Database

SQL Injection Attacks: Famous Incidents, Prevention, and Educational Insights

By
Introduction SQL Injection Attacks are one of the most common and dangerous cybersecurity threats…
Read more
0
0
Share
Database

Efficient Database Management Software for Your Needs

By
In today’s fast-paced business world, handling large-scale data effectively is crucial. Modern…
Read more
0
0
Share
Newsletter
Become a Trendsetter
Sign up for Davenport’s Daily Digest and get the best of Davenport, tailored for you.

1 Comment

Leave a Reply

Your email address will not be published. Required fields are marked *