GitLab 11.4.7 Remote Code Execution - Real World CTF 2018

149,008 views

LiveOverflow

5 years ago

Video write-up about the Real World CTF challenge "flaglab", which involved exploiting a GitLab 1-day. Two CVEs are combined to achieve full remote code execution:
CVE-2018-19571 (SSRF) + CVE-2018-19585 (CRLF) = RCE
flaglab - docker-compose: gist.github.com/LiveOverflow/...
Release: about.gitlab.com/2018/11/28/s...
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Website: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
#CTF #CVE
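As an added illustration of the defensive side of the SSRF + CRLF chain described above (this is example code written for this page, not GitLab's own URL validation), the following Ruby class checks an outbound URL before a server-side fetch is allowed. It rejects CR/LF/NUL bytes, which are what let attacker-controlled text turn into separate commands on a plaintext service such as Redis, and it rejects hosts that resolve to loopback or other internal addresses, covering IPv6 `::1`, IPv4-mapped IPv6 literals and `localhost.` with a trailing dot. The class name `OutboundUrlFilter`, the allowed-scheme list and the constructed resolver table used for the offline demo are all assumptions of this example.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Hypothetical outbound-URL check (added example, not GitLab's code).
class OutboundUrlFilter
  ALLOWED_SCHEMES = %w[http https].freeze # assumption for this example

  INTERNAL_RANGES = [
    '127.0.0.0/8',      # IPv4 loopback
    '0.0.0.0/8',        # "this host"
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', # RFC 1918
    '169.254.0.0/16',   # IPv4 link-local
    '::1/128',          # IPv6 loopback
    'fc00::/7',         # IPv6 unique local
    'fe80::/10'         # IPv6 link-local
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # The resolver is injectable so the check can be exercised offline;
  # by default the system resolver is used.
  def initialize(resolver: ->(host) { Resolv.getaddresses(host) })
    @resolver = resolver
  end

  # Returns [:ok, addresses] or [:reject, reason].
  def check(raw_url)
    # CR, LF and NUL never belong in a URL; rejecting them up front blocks
    # command injection into plaintext backends regardless of HTTP client.
    return [:reject, 'control characters in URL'] if raw_url.match?(/[\r\n\x00]/)

    uri = begin
      URI.parse(raw_url)
    rescue URI::InvalidURIError
      return [:reject, 'unparseable URL']
    end
    unless ALLOWED_SCHEMES.include?(uri.scheme)
      return [:reject, "scheme #{uri.scheme.inspect} not allowed"]
    end

    # hostname strips the [] around IPv6 literals; chomp normalises "localhost."
    host = uri.hostname.to_s.downcase.chomp('.')
    return [:reject, 'empty host'] if host.empty?

    addresses = ip_literal?(host) ? [host] : Array(@resolver.call(host)).map(&:to_s)
    return [:reject, 'host does not resolve'] if addresses.empty?

    addresses.each do |addr|
      ip = IPAddr.new(addr)
      ip = ip.native if ip.ipv4_mapped? # ::ffff:127.0.0.1 -> 127.0.0.1
      if INTERNAL_RANGES.any? { |range| range.include?(ip) }
        return [:reject, "#{host} resolves to internal address #{addr}"]
      end
    end
    [:ok, addresses]
  rescue IPAddr::InvalidAddressError
    [:reject, 'resolver returned an invalid address']
  end

  private

  def ip_literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed resolver table so the demo runs offline.
  table = { 'localhost' => ['127.0.0.1', '::1'], 'example.com' => ['93.184.216.34'] }
  filter = OutboundUrlFilter.new(resolver: ->(h) { table.fetch(h, []) })
  ['http://example.com/', 'http://[::1]:6379/', 'http://localhost./',
   'http://[::ffff:127.0.0.1]/', "http://example.com/\r\nSET x y",
   'gopher://example.com/'].each do |u|
    puts "#{u.inspect} => #{filter.check(u).inspect}"
  end
end
```

The check resolves the host once at validation time; a client that resolves the name again at connect time can be pointed elsewhere by a DNS answer that changes in between, so the validated address, not the name, should be what the fetch actually connects to.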

Comments: 133
@LiveOverflow 5 years ago
Thanks to Patreon and YouTube Members, there is also now a write-up blog about this video: liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
@es9596 5 years ago
Could you also execute this attack with HTTP 1.0 without a Host header and a Redis command as a header?
@soneomeelse 5 years ago
@es9596 The request is sent by the GitLab server; an attacker cannot decide which utility/HTTP version the backend uses.
@i_m_in_love_with_sanatan 5 years ago
Nice video, can you help us to understand Windows server security mechanisms and exploit development?
@karlkastor 5 years ago
I didn't understand everything in this video, but the part where the newlines came in was amazing.
@ir4640 5 years ago
I didn't understand anything
@retr0.1337 1 year ago
@Etched Inverse Yeah, I started Ruby scripting and already wrote myself a working wifi jammer with only one wireless interface
@dabupk3807 5 years ago
I am not at the stage of understanding these videos but I like them anyway
@trapworld3023 4 years ago
Me too bro
@paul_axe 5 years ago
LOL, actually IPv6 wasn't enabled during the CTF (except the last hour; it was announced that the organizers decided to turn it on) and it's possible to solve the challenge without IPv6 ;)
@LiveOverflow 5 years ago
oh damn really? do you have a writeup about that?
@paul_axe 5 years ago
@LiveOverflow well, the difference is only in the first step where you trigger the SSRF. As far as I remember we (LC/BC) pwned flaglab through repository mirroring
@LiveOverflow 5 years ago
Oh, but you didn't use IPv6 for that? Did IPv4 work there?
@paul_axe 5 years ago
@LiveOverflow Yes. It uses the git protocol, so it's possible to use CRLF and craft Redis commands
@LiveOverflow 5 years ago
@paul_axe Ah, the repository mirror still allowed IPv4 localhost?
@ohnonotthevampire7191 2 years ago
Thank you for the clear and detailed explanations, unlike some techies who just throw super complex terms at you without explaining. Like and subscription well deserved.
@DrydenCurtWell 5 years ago
I like that you went back to solve it!
@Asdayasman 5 years ago
Seems like `redis` should just have a "strict" mode, which always exits on the first invalid command.
@Asdayasman 2 years ago
@kronsyc339 This reply was not worth the two year wait.
@Badrlens 5 years ago
I didn't understand most of what you are doing but this is super cool stuff man
@TrustedCreeper 5 years ago
Pretty straightforward and well explained! Thanks.
@ssp666 5 years ago
Nice, love the real world CTF videos.
@nothingtoseehere93 5 years ago
Great explanation and easy to follow
@MrKristian252 5 years ago
LiveOverflow, you should do a livestream next time you apply to a CTF challenge. I would be interested to see all the researching and "failing" before finding the flags
@theherobrine6217 5 years ago
Mr.Kristian252 the problem is it would help other people doing the CTF; this is why he does all the videos after the CTFs are over.
@prayanshsrivastava932 2 years ago
@TheHeroBrine he can do a livestream of doing a CTF after it is over
@Vagelis_Prokopiou 4 years ago
Awesome info 👍. I can't understand the viewers who downvoted. Good job.
@burnstick1380 5 years ago
"this is so easy" yeah.. alright.
@theherobrine6217 5 years ago
Burn Stick super easy compared to the ETH smart contract flag.
@paprika5487 5 years ago
To be fair, he did say "simple", not "easy" haha, but yeah, this isn't exactly the most obvious attack in the world
@pavel9652 3 years ago
It is just 2-3 hours of work, yeah, sure. ;)
@heycherry100 5 years ago
Really cool as always.
@mojed6666 3 years ago
Thanks for explaining!
@Arcticgator64 5 years ago
I'm pretty new to this whole CTF thing and I was wondering how you might find a key that wasn't on the client side somewhere, but on the server side. Let's say I want to retrieve a key, but you can only get it after inputting the right code. I would probably start by viewing the page source and looking for different links, but I haven't got any ideas beyond that.
@aayushgore4245 1 year ago
great vid. nice effort
@ichigok2594 5 years ago
I like the way you explain things :). Is the CTF available as an ISO for download to practice?
@pavel9652 3 years ago
There is an HTB machine (Ready) with this vulnerability.
@Fvneral_moon 5 years ago
Man, I really wish I could understand anything he is talking about. Would be cool learning hacking and watching someone so high level and learning from him
@fdvoid0 3 years ago
Nice video, good luck for you, dude...
@0x2e2e2f 5 years ago
Man, you are awesome.. hacking is sharing and you made this phrase work.. great job
@madhusudanacharya5777 5 years ago
I am waiting for the next video on XSS :)
@heyserge 3 years ago
This tutorial is soooo good. Crazy that this content is free.
@CoolFire666 5 years ago
Presumably you would not be able to apt install netcat on the real CTF challenge, so you would exfiltrate the flag with something like curl instead?
@codechapter6960 5 years ago
never clicked so fast!!!
@joaosalvador8209 5 years ago
Amazing stuff!
@SuperSand2000 5 years ago
You should have mentioned: docker-compose up -d. You can autocomplete the container name when running docker exec.
@robk5969 5 years ago
also, `docker-compose exec web bash`, where "web" is the simple name of the service in the compose file (the name is on line 1 of the compose file seen at 1:52)
@mralderson5627 5 years ago
Dude, are you the game guy as BattleNonSense?
@baldyardigan 5 years ago
Make a video about your setup: computer specs, OSes, tools and setups (for VMs and stuff like iTerm)
@chillappreciator885 5 years ago
Tools are Docker inside Vagrant :)
@wdai03 5 years ago
How do you solve a challenge like this in a day though? It seems you need to have really deep knowledge across a wide range of the technologies being used. I've used Redis but I don't really know in detail the protocol it uses and everything
@AfonsodelCB 5 years ago
that's exactly what it is, the amount of previous experience you need for these things is quite large
@LiveOverflow 5 years ago
As I mentioned in the video, this SSRF to Redis has been quite commonly known for a few years. When you try to follow the news and follow good people on Twitter, then you probably will come across a writeup eventually. And if you think about it, you also just learned about it and from now on you know it works :) This kind of knowledge is passed on through talks, blogs (and now videos)
@kaesegulasch6202 5 years ago
btw. when you already use docker-compose you can use it for entering the container as well by just giving it the service name from your docker-compose.yml (e.g. "docker-compose exec web bash")
@_DeProgrammer 5 years ago
I need to buy this guy a beer.
@triularity 1 year ago
Given the times I've seen Redis used for an exploit (due to its "too" simple interface), I feel like it's becoming the next Flash. Broken from a security perspective and just band-aids slapped on until the next vulnerability. While interactive soft fails (i.e. bad commands) might be useful in some conditions, it seems like in common use, the moment it hits any error it should disconnect, not just blindly keep going. But maybe Redis has fixed that issue in the years since this video was made.
@williamn543 5 years ago
"You might need an 0day" that the organizer found.
@Inyafacegerman 5 years ago
what kind of program does he use for repeating requests?
@Inyafacegerman 5 years ago
sike, got it already: Burp :)
@h4kster182 5 years ago
plz!! Can someone tell me what the required knowledge is to understand all the stuff in the video!
@alphatier4919 5 years ago
studying computer science and knowing the right people..
@rune.theocracy 5 years ago
Watch more of his videos, you might get a rough idea.
@chillappreciator885 5 years ago
Try to install Linux on your PC. Try to deploy some apps like GitLab using git. Try to work with some APIs like Facebook/Telegram. Combine all these things :)
@zanityplays 5 years ago
ye boi
@dewayne_21piru54 5 years ago
Any good tips for a good laptop I should buy for CEH?
@chillappreciator885 5 years ago
Intel i5+, DDR4 8 GB+, GTX 1050+
@TheMave95 5 years ago
12:33 Redis commands, not Reddit
@SoloLifeJourneys 5 years ago
you should use a Docker Hub mirror in China to speed up your download, because the global bandwidth in China is just not enough for 1 billion internet users.
@vcokltfre 4 years ago
xss is 'uninteresting'??
@h4kster182 5 years ago
I can't understand all of what you said, but I will be back ;) link bookmarked :D
@chillappreciator885 5 years ago
2 months later...
@adenbagja4211 5 years ago
I don't know how much time it will take me to get to this level.
@chillappreciator885 5 years ago
Just don't think about it and keep digging if you are interested in it all.
@Raj_darker 5 years ago
I love to watch your videos and your way of solving problems. I just wanted to know: do you have a Discord server or a group like that which we can join for CTFs? Thanks a lot. 🚩🚩👍🚩🚩
@meithecatte8492 5 years ago
But the original container didn't have netcat installed.
@LiveOverflow 5 years ago
It was just for debugging during exploit development. Netcat is not needed in the actual exploit. The exploit only executed "cat"
@tiberiud 5 years ago
I guess you could have just sent a command to install netcat before sending the actual payload for retrieving the flag
@maowtm 5 years ago
LiveOverflow The exploit used netcat to send the output of cat to your computer… But that isn't a problem. curl could be used instead.
@LiveOverflow 5 years ago
Ooops. Haha lol you are right
@philippetrov4881 5 years ago
It shouldn't bypass localhost. (with dot at the end). (regarding Chrome and proxies)
@sophiatheodores7985 5 years ago
imagine if you got to the last step on the real CTF, and since the real server doesn't have nc you sent it "apt update && apt install -y netcat" so it would update gitlab as well
@LiveOverflow 5 years ago
Hahh. But that step was just done during exploit development. Netcat is not part of the actual exploit in the end
@baranoid 5 years ago
wait, why would that command update gitlab? you're just updating repos and installing netcat
@sophiatheodores7985 5 years ago
@baranoid oh right, I thought it was up*grade*
@alw1ez_413 5 years ago
Web-Based Exploits... You already solved, 1 day is enough.
@hewfrebie2597 5 years ago
Why is it 0day when it was actually 1day by the day he posted it online lol
@TheoParis 5 years ago
I keep hearing you saying REDDIT instead of REDIS lolol
@shashikanthp3145 5 years ago
Shouldn't the title be named *2019*??
@morsiskoPC 5 years ago
No, as stated the CTF was played in December 2018
@triularity 1 year ago
In the future, remember to always ask yourself this question: "Would they include a live/unpatched vulnerability in a CTF?" Probably not.
@johnfielbrosas9672 3 years ago
"damn, this is so simple!" uh-huh..
@SA601154 5 years ago
Isn't this 11.4.8?
@LiveOverflow 5 years ago
It was patched in 11.4.8. The vulnerable version is, as mentioned, gitlab/gitlab-ce:11.4.7-ce.0 ;)
@SA601154 5 years ago
LiveOverflow I knew I screwed up 😂 Thank you 😁
@poophahahahahahaha 5 years ago
"grrrr"
@damejelyas 5 years ago
I love you, no homo
@PvmCurtis 5 years ago
anddddddd gitlab is down.....
@DHIRAL2908 3 years ago
Who's here after HTB's Ready?😛
@noname2588o 3 years ago
Hey, I am a beginner on HTB and Ready is the first machine I'm solving, and in the process I reached here.
@noname2588o 3 years ago
I didn't understand at 7:00. How did he get that shell? Can you please help
@DHIRAL2908 3 years ago
@noname2588o Hi! Try looking in the online article LiveOverflow published. Use the encoded version of the payload at the end!
@noname2588o 3 years ago
@DHIRAL2908 Thanks bro!!
@noname2588o 3 years ago
@DHIRAL2908 Thanks for helping bro. I know it is a very noob question, but he used his local IP in that payload; I should use my IP over the VPN, right?
@cmap1503 2 years ago
wtf is going on?
@ismailsamirusta2780 5 years ago
hey fifth comment i guess...
@pswalia2u 3 years ago
people solving Ready HTB mark your attendance
@danivincent1042 5 years ago
please switch from 25p to 30p. The judder is distracting. If you want to be really nice, record at 60p; most of your content is screen based so the smooth scrolling and snappy terminal response would be nice.
@nilsirl 5 years ago
What do you mean by p? Are you talking about FPS?
@danivincent1042 5 years ago
@nilsirl yes
@kokop1107 5 years ago
First
@Thmyris 4 years ago
Just because of tips like that, I don't wanna read tips in CTFs.
@eshansingh1 5 years ago
Going to a CTF is totally worth bowing to an authoritarian government lol! Haha #SecurityIsCool
@glennv.merkel3020 5 years ago
first comment
@maheshnayak6382 4 years ago
Ok so many script kiddies in the comment section, including me
@Demintika 5 years ago
I understand the individual things you do but don't understand anything as a whole.
@chillappreciator885 5 years ago
Me too. It's an experience
@user-ro1cc8tz6d 5 years ago
Get some sleep