I recently ran into a challenge where I was given a Java Jar file that I needed to analyze and patch to exploit. I didn’t find many good tutorials on how to do this, so I wanted to get my notes down. For now it’s just a cheat sheet table of commands. When the challenge ends, I’ll update with some narrative.
Jar File Structure
A Jar (Java Archive) file is just a ZIP file that contains Java class (compiled) files and the necessary metadata and resources (text, images). That said, they are very picky, and it can be important how to interact with them when pulling stuff in and out.
The Jar will have a
META-INF/ folder at the root, which contains metadata such as signatures, license, and the
MANIFEST.MF file provides the Jdk version, as well as optionally a
Main-Class attribute. If
Main-Class is present, this Jar can be executed without providing a class name, which makes it an executable Jar. The manifest file also contains base64 format hashes of the other files in the archive.
Here’s all the commands from this post (and a few extras that are useful with Jars):
|Delete from Jar||
It’s always important to track file structure and your relative directory. I’ve found it’s easiest to work out of the root directory of the unzipped Jar.