Skip to content

Queen of Hearts: Metasploit 2020 December CTF

This weekend I partook in the Metasploit 2020 December CTF. I captured three flags (8 of Hearts, Queen of Hearts, Red Joker) and this blog post will detail how I solved for the Queen of Hearts.

At http://$target:9010/ was a file available for download, QoH_Client.jar. When downloaded and run, it describes its usage:

Initial jar execution
Re-executing with the target host and port 9008, I was presented with a user interactive text program. We see that there are files available for download, and that authentication is required:

Basic program usage

I tried several passwords, but all of them failed to authenticate me. But since I have access to the client code, perhaps I can modify it to grant myself permissions. I extracted the Jar file and used CFR to decompile the class files and get Java source code:

Extract and decompile Java

Reading the source code, the AuthState object gets set following the authentication call to the server. But AuthState has a method called setLoggedInStatus; with a single line added to the source code I set LoggedIn status to 'true' after the authentication call, whether it succeeded or not.

With that change made, I recompiled the file and created a new Jar file containing my changed code.

Modify code and re-package

And with that change made, I ran the program, "failed" an authentication attempt but was able to download the flag file due to my modifications:

Auth fails but I can download anyway

and done!

Queen of Hearts

For coverage of a number of other tests from this CTF, see this blog post by Team Captain Steve Walker.


No Trackbacks


Display comments as Linear | Threaded

No comments

Add Comment

BBCode format allowed
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.