In this retired challenge of the HackTheBox platform a professor has been a little careless in the development of his grading platform. By some miracle, we managed to get our hands on the grading platform source code. The goal is to exploit a code injection vulnerability to change our grades, or read the flag.

In this retired challenge of the HackTheBox platform we are supposed to exploit an insecure deserialization vulnerability. This challenge is part of the OWASP Top 10 tracks of the HackTheBox platform, with an easy difficulty. While the exploit in itself was relatively easy I thought the path to understanding how things worked deserved a write-up.