I found everything except the XSS, but still enjoyed the challenge. Great work :)
@Elliot.2591 3 years ago
Same, that was fun!
@0xAAA 1 year ago
You didn't find the XSS? It was honestly obvious from looking at the startswith
@0xAAA 1 year ago
Holy, this vid is old lol
@alexwolfeboy 3 years ago
I love these videos, especially as I am working on a web service myself. I honestly wouldn't have thought of a lot of the strings that were pulled at in this exploit research project, meaning I could've left myself open to these exact issues. The best way to ensure the projects I make are more secure is to learn how other projects are broken into, and learn from those attacks.
@dasten123 3 years ago
12:47 Pro tip: You can just write alert(1) - it's much shorter! ...just kidding :P
@peesicle 3 years ago
I'm gay
@Puvipavan 3 years ago
He explained why not to use alert(1) in another video.
@peesicle 3 years ago
@@Puvipavan they're joking babe
@peesicle 3 years ago
@@Puvipavan ily
@Puvipavan 3 years ago
@@peesicle Oh! Now I got the joke :P
@sankalpsingha 3 years ago
Absolute beauty! Thank you for putting this into a CTF.
@christopherjr7189 3 years ago
What was the difficulty of this challenge, compared to the other challenges from CSCG 2021?
@CJ-ew8df 3 years ago
I'd like to know the answer to this too! It's a very interesting challenge!
@_xzvf2557 3 years ago
@@CJ-ew8df I'd say it was average. There were some that were very easy (crypto stuff) and others (like en-pawnsant) which I didn't manage to solve.
@zglozman 3 years ago
There were easy pwn challenges, easy reverse. A couple of really awesome crypto challenges. They had an awesome file upload challenge with a zip manipulation.
@Florian.Dalwigk 3 years ago
Perfect, I really enjoyed it :) It's always great if you find some vulnerabilities in the working context that result in a CTF challenge :D
@0dWHOHWb0 3 years ago
I didn't try solving this (I haven't done CTFs; I just watch these for education as a developer who makes bugs rather than finds/exploits them), but based on this run-through it seems pretty hard. But yeah, it's nice to see this stuff just in case I write something where I need to pay more attention to security.
@danielcastro527 3 years ago
I really enjoyed this challenge! (SPOILERS / alternative solution ahead) . . . . . As an alternative to the OCR + timing, you can use the Chrome DevTools protocol to create a separate page (+ browser context) that outlives the screenshot page, which avoids the need for timing. From that separate page, you can use the DevTools protocol to listen to new pages being created in the browser, and use the trick you mention in the video to redirect to a URL that triggers the XSS. You might wonder how you connect to the API in the first place without needing to rely on one of the screenshot pages being alive (to avoid depending on the timing): it turns out you can connect to the "browser" rather than a "page" by using the WebSocket URL returned by /json/version, which is stable throughout the session.
@SF-eg3fq 1 year ago
Yeah, I did the same approach, plus the Chrome DevTools server was exposed so I didn't have to actually try to make a screenshot of other domains because I already had full access to Chrome DevTools, exactly. There's more than one way to solve this.
@Celastrous 3 years ago
Very nice! I had a feeling the 10 second timer would be a vulnerability, as well as the "startswith" bit. I don't know anything about Docker or webdev in general, but this taught me a good bit! At least I don't have to worry about these kinds of vulnerabilities as a simple EE firmware developer for offline embedded systems 😅
@brunoais 3 years ago
I found 4 of the vulnerabilities but I was unable to puzzle them together into a successful attack. Thank you for showing it to us!
@themisir 3 years ago
My brain autocompleted a trailing slash after the domain name so I didn't notice the vulnerability there.
@thatlamp 3 years ago
Haven't tried the challenge yet, but it reminds me very much of an exploit I found in the wild involving an HTML to PDF conversion library. By using XSS'ed s in the HTML content to be converted, I was able to hijack the headless browser process to fetch any local file I wanted via the file:// protocol. With this, I was able to dump the web.config contents into the output PDF file. Wouldn't this be possible here? Like, host a page with an that points to the absolute path of the flag.txt file on the victim box and use the @ trick to point the screenshot to your hosted URL. When the screenshot is returned, if the headless browser process had access to view the requested file on the OS level, then you should see the contents of that file within the in the screenshot.
@maxsilvester1327 3 years ago
I don't think this would be possible because the flag is present in the database in the app container and in the file in the admin container, but not in the chrome container. The chrome container can't access the files of the other containers.
@thatlamp 3 years ago
@@maxsilvester1327 Ah, I wasn't thinking about the use of containers here. In the case I found, it was all a single ASP.NET server.
@_xzvf2557 3 years ago
Or, like mentioned in the CSCG Discord, the malicious webpage could simply use the WebSocket API, bypassing the error-prone OCR step
@C10udburst 3 years ago
You couldn't get the WebSocket API URL because of CORS stuff with the /json/list endpoint
@Jay0neDE 3 years ago
Scanning for those missing quotes might be one of the few valid reasons to use an SCA tool lol
@infiniti2011 3 years ago
Yeah, I definitely wouldn't have got the quotes thing.
@Gramini 3 years ago
If I'm not wrong, it would have also worked with quotes. In that case your custom title would have to start with a quote to end the attribute. Then you can do some shenanigans to create your own attribute like onLoad="code" just like usual and end your title with an incomplete attribute like dummy=" which is then ended by the second quote in the template.
@yy6u 3 years ago
So ultimately CTFs are hacking speedruns; how fast was the winner? And pretty interesting: it's a bit difficult, but ultimately the key here is the timing; that suspicion slowly arises as one investigates more and more...
@Dustyy01 3 years ago
I don't really get the point at the end: what information is sent to the backend server from xss.html? The flagger user and password?
@zglozman 3 years ago
It's awesome, thank you
@Phroggster 3 years ago
I found the time traveler. 😉
@ArmaRGool 3 years ago
what the hell
@pesaventofilippo 3 years ago
how? lol
@GiddyTechie 3 years ago
@Zeev ... How did you get your post to be a month ago?
@bitfriends9951 3 years ago
scary
@bhnjhbjhbkgkkvhnhmbm 3 years ago
How many points for this challenge? How long did it take for you to come up with the solution for the original problem?
@ES-cf4ph 3 years ago
I don't understand that much about hacking, but this is still a very interesting video!
@rwz 2 years ago
This was AWESOME - did not come close to solving it, found a couple of issues but failed to figure out the SSRF part due to lack of knowledge. Tried it again after watching the video - still hard - but an awesome lesson.
@zerobyter 2 years ago
I really liked this because of the whole timing stuff. Really neat! The close timing aspect of this hack really feels like the overly-complicated hacking in action movies. Also, it's a reminder that hacking isn't always as simple as just sending payloads or attacking vulnerabilities; it is real hands-on precise hacking!
@Dan-rh8tn 3 years ago
Absolutely lit 🔥
@ChillerDragon 3 years ago
Most of the time when YouTubers use phrases like "OMAGAWD KEEP WATCHING BECAUSE IN THE END THERE IS SOMEGTHING RIILLYY IMPORTANTW!" I feel the urge to close the video. But when LiveOverflow warns me 3 times to not keep watching and do the challenge ... I keep watching :D
@DANLSN 3 years ago
So basically you have a defiance disorder? Haha
@akuviljanen4695 3 years ago
If you try to log in with the correct username but the wrong password, it will create a new user with the same username and the password you entered. This was apparently not intentional, and is not useful because it never compares users by the username, always by the uuid.
@GiddyTechie 3 years ago
Oh my gosh.... I wish I could give this 2 thumbs up. Good job, and this was a great learning tool for me. Wow.... I'm going to have to watch it again.
@falxie_ 3 years ago
Every time I see videos like this I want to learn cybersecurity
@tux7k 3 years ago
My friend and I were talking about making a LiveOverflow style video and he said "we got to hire a German guy to do the accent" 😂😂😂
@Maxjoker98 3 years ago
Interesting. I would have probably used my good old keyboard instead of OCR, and failed because I can't type fast enough.
@kayrauckilinc 3 years ago
I have no idea what's going on but he is a good storyteller. Watched till the end
@ErrorNoInternet 3 years ago
Is there anyone else who got triggered because he didn't put a space after the colon? 😂
@lancemarchetti8673 3 years ago
I literally freaked out and ran to the kitchen to fix myself a strong coffee to calm down!.. lol
@igorfernandes4193 3 years ago
Thank you very much for the challenge. I could try it by myself and got the flag :) That challenge gave me more confidence to try other challenges.
@i007c 1 year ago
Dude, are you crazy or something??? My eyes are burning... white website / black screen
@dasmaffin1633 1 year ago
I'm only 13 seconds in, but isn't that literally what the Wayback Machine does, but worse?
@beb9632 3 years ago
This was really interesting! Thank you very much!
@jari2018 1 year ago
Programming seems to be the same as building houses of toothpicks and glue -
@CA-FE-C0-FF-EE-00 3 years ago
I'm watching this, acting like I'm understanding it xD
@madlogik 3 years ago
Having a metaphorical nosebleed trying to suck up as much as I can from this. Mad respect. I feel like I'm mentally challenged when I try to follow your train of thought. People around me tell me they feel challenged trying to follow me... ... I have to wonder if other people around you make YOU feel 'dumb/slow/whatever you want to call it when you feel stupider than another human being and feel humbled'. ?? ty
@WhiterockFTP 3 years ago
Your new videos are so dark, I literally have to turn brightness up to 100% and drain my battery like crazy to see something… love them otherwise tho :)
@ayushmanhalder6305 3 years ago
Hi... I am an app reverser... if an app is written in Java then I can reverse it to make the premium features purchased... but nowadays developers are using Flutter and all the essential code is stored in lib (.so format)... so can you upload some tutorials on lib?? Maybe a video with an app's lib??
@FalcoGer 2 years ago
I'm a bit confused. Your exploit relies on the fact that you can create a WebSocket and connect to this debug port. But that was only accessible after you altered the files to expose that port.
@LiveOverflow 2 years ago
Exposing the port is just for debugging purposes. The actual exploit site runs on the admin (inside one of the containers) and accesses the port internally
@asmrwiz-m4e 3 years ago
Do I need to know about VLANs for hacking?
@sk8nplayguitar 3 years ago
I'm trying to learn cybersecurity, I know nothing at all but I'm glad I came across your video... I'll try it, thanks man
@mrcobalt124 3 years ago
Imagine being the flagger user here lol: you go to take a screenshot, and then suddenly there is (something from the XSS) on your screen and you have no idea what happened
@paxdriver 3 years ago
Why is the list.txt changing http to https? When in the pipeline does that occur, does anyone know? I love your videos man, please keep making more. A React / Vue CTF would be awesome if you're interested. I bet you know tons of tricks with hooks and stateful component apps.
@rikschaaf 3 years ago
SPOILERS BELOW! . . . . . I did see that startsWith with the http URL, but instead of extending the URL, making cscg a subdomain or username, I was thinking of editing the hosts file to point cscg to a different IP address. That way you don't have to have or pay for a domain name. It would also make it possible to do this attack if the code had startsWith with a slash at the end, something that the URL extension won't be able to bypass.
@FryuniGamer 3 years ago
The ngrok service he used is free, no need to get your own domain
@_tartofraise 3 years ago
No, that's not how it works... etc/hosts is only for your own machine. The code is executed server side and you cannot edit the etc/hosts config of the server.
@maxgat5761 1 year ago
Who could explain to me what he tried to exploit?
@aldoguzman97 3 years ago
Very cool
@seraphina985 3 years ago
In addition to the issue you highlighted with the template engine, this really shows also why you should probably just be using uritools or your language's equivalent RFC 3986 library to parse information from URIs. Even then you probably still should never assume an external program will parse the URI exactly the same way; someone can probably craft a URI that will break one or both. But if you try to reinvent the wheel here, breaking your implementation is likely to be rather trivial; an RFC 3986 implementation has a lot of edge cases, making it deceptively easy to fall into one of the many pitfalls.
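An added example (not from the video or the challenge's code) of the point made in this comment and in the startsWith discussion above: a plain prefix comparison beside a check that parses the URL and compares the scheme and host. The allowed hostname cscg.example and the sample URLs are constructed for this example, modelled on the subdomain and "@" variants the comments describe.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example; the challenge's real hostname is not reproduced.
ALLOWED_HOST = "cscg.example"
ALLOWED_SCHEMES = {"http", "https"}
PREFIX = "http://" + ALLOWED_HOST


def weak_check(url):
    """The pattern discussed in the comments: compare the string's first characters.

    It never looks at the URL's structure, so anything that keeps the prefix
    intact (a longer hostname, a userinfo part) passes.
    """
    return url.startswith(PREFIX)


def strict_check(url):
    """Parse the URL and compare the scheme and the *parsed* host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # also rejects file:// and similar schemes
    if parts.username is not None or parts.password is not None:
        return False  # no reason for a screenshot target to carry userinfo
    return (parts.hostname or "") == ALLOWED_HOST


# Constructed sample targets; True marks the only one that should be allowed.
SAMPLES = {
    "http://cscg.example/notes/1": True,             # legitimate
    "http://cscg.example.attacker.example/": False,   # host extended into a subdomain
    "http://cscg.example@attacker.example/": False,   # prefix becomes the userinfo
    "http://cscg.example:80@attacker.example/": False,
    "file:///etc/hostname": False,                    # wrong scheme entirely
}


def compare(url):
    """Return (weak verdict, strict verdict) for one URL."""
    return weak_check(url), strict_check(url)


def bypasses():
    """Sample URLs the prefix check accepts but the parser-based check rejects."""
    return [u for u, legit in SAMPLES.items()
            if not legit and weak_check(u) and not strict_check(u)]


if __name__ == "__main__":
    for url, legit in SAMPLES.items():
        weak, strict = compare(url)
        print(f"{url!r:45} weak={weak!s:5} strict={strict!s:5} should_allow={legit}")
```

As the comment warns, the headless browser may still parse a URL differently from urllib, so comparing the parsed host is a stronger check but not a substitute for restricting where the screenshot container can connect at the network level.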
@G12GilbertProduction 3 years ago
I'll probably test it in the recess between YT watching and Python trainings someday. Good explanation, bro!
@samebinezer8491 3 years ago
Va mama 😀
@PlatinumVoid 3 years ago
ERROR: The Compose file './docker-compose.yaml' is invalid because: Unsupported config option for services.admin: 'platform' Unsupported config option for services.chrome: 'platform'
How to resolve the above error??
@C10udburst 3 years ago
git checkout solution
@realjame 3 years ago
Cool video, and big thanks for adding full English captions to all your videos :)
@Serj1903 3 years ago
Cool challenge! Unfortunately, I don't have enough knowledge to solve it)
@ragumu_rugiku 3 years ago
Why is he not making CTFs like John & IppSec?
@gabrielbianchi2246 1 year ago
Please, what's this VS Code theme?
@gowthamanks3654 3 years ago
Hi, please restart the IoT hacking series. It's a kind request
@Valkurion08 3 years ago
I just know that Scott Pilgrim is a master hacker
@luizinhoensina 3 years ago
You must be one of the most wholesome persons out there, just love ya man
@a.k.b.a.l. 3 years ago
A video talking about the bug that you found in the real world would be really great!
@animenosekai_edit 3 years ago
Instead of using OCR, couldn't we have made a website which the headless browser would load and which would have, in JavaScript, fetched /json/list and connected to the WS???
@danielcastro527 3 years ago
I tried this but I don't think it's possible because of the Same Origin policy. Since it would be a cross-origin request, you wouldn't be able to read the content of the list. I did find a workaround that doesn't involve OCR, though. The Chrome DevTools protocol is actually quite powerful, and you can (a) create a new "context" + page that outlives the screenshot and (b) listen to any new pages in the browser. So you don't really need any of the timing tricks; you can simply set up a page that monitors all of the screenshot requests and forces them to navigate to another website that exploits the XSS.
@animenosekai_edit 3 years ago
@@danielcastro527 Oh yeah, I forgot we were working in a browser here
@supertemertem1304 3 years ago
I wish I could do that challenge; how do I learn those things?
@electrowizard2658 3 years ago
Mostly this is made of Python and I am quite pro in it
@fadop3156 3 years ago
4:43 line 12 syntax error? -> missing )
@Davi-c4q 3 years ago
I think it's ridiculous that the Flask template allows XSS like that. Looks like a terrible design decision
@Gramini 3 years ago
As he said, it's context-unaware. The same would happen with PHP or similar. In the end, they are just plain text generators.
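An added example, not from the video or the challenge's code, of the context-unaware escaping described in this exchange and in the earlier comment about the missing quotes: the same escaped value is dropped into an unquoted and a quoted attribute, and a parser on the output side reports which attributes a browser would actually see. The template strings and the input values are constructed stand-ins; the escaping is mimicked with html.escape rather than a real template engine.

```python
import html
from html.parser import HTMLParser

# Constructed stand-ins for a template line; the challenge's real template is not reproduced.
UNQUOTED_TEMPLATE = '<img src="/static/note.png" title={title}>'
QUOTED_TEMPLATE = '<img src="/static/note.png" title="{title}">'


def render(template, title):
    """Mimic an auto-escaping engine: encode & < > " ' in the value, then substitute.

    Like the Flask/Jinja behaviour discussed above, the escaping knows nothing
    about *where* in the markup the value lands.
    """
    return template.format(title=html.escape(title, quote=True))


class _ImgAttrs(HTMLParser):
    """Collect the attribute names a browser-side parser sees on the <img> tag."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.names = [name for name, _ in attrs]


def attribute_names(markup):
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.names


def has_injected_handler(markup):
    """Output-side check: an on* attribute the template never declared appeared."""
    return any(name.startswith("on") for name in attribute_names(markup))


if __name__ == "__main__":
    # Two constructed titles: one needs no quote at all, one tries to break out of a quote.
    for label, value in [("no quote needed", "x onload=alert(1)"),
                         ("quote break-out", 'x" onload="alert(1)')]:
        for name, tpl in [("unquoted", UNQUOTED_TEMPLATE), ("quoted", QUOTED_TEMPLATE)]:
            out = render(tpl, value)
            print(f"{label:16} {name:8} handler={has_injected_handler(out)!s:5} {out}")
```

The escaping alone keeps the quoted attribute intact, while the unquoted attribute is split by a plain space that no escaper touches; a check like has_injected_handler over rendered output is what a test for the "missing quotes" class of bug can assert on.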
@h4ckv157 3 years ago
Thank you
@yy6u 3 years ago
Very informative and educational about a CTF you made; respect and thanks a lot
@catsoften 3 years ago
16:11 I love the irony of a page that only says "content"
@naveenkamaraj7986 3 years ago
I am a newbie. I understand nothing! 😒
@daviddelaricaareizaga561 3 years ago
Sleep is healthy.
@gjsatru3383 3 years ago
Just a great species
@thecrazzxz3383 3 years ago
This is powerful hacking
@cipherguard 3 years ago
incredible
@firdousProgrammer 3 years ago
WOW 😯
@olaand2680 3 years ago
Please can you make more videos like this?
@Bauibaubau 3 years ago
Amazing. Thanks a lot for sharing and explaining
@MartykanT 3 years ago
No CORS on that WebSocket?
@a544jh 3 years ago
I really like your presentation style, but as a casual watcher I sometimes feel that you gloss over crucial parts that would make your explanation easier to follow. Did I understand correctly that the browser taking the screenshot is screenshotting *its own* debug endpoint? Also at the very end, you're making the admin user's browser send the page it's showing, which contains the flag that it added as a note (which you only mentioned in the beginning), to your server. Just mentioning these things explicitly would make your videos much easier to follow.
@berndeckenfels 3 years ago
Cool challenge, especially since you need to check some of the code
@roy-ub7sy 3 years ago
Awesome!
@castles990 3 years ago
Cool idea :)
@SussyBacca 3 years ago
Wow, really slick! :)
@larryslobster7881 3 years ago
Wow, one of the best videos so far
@AntiWanted 3 years ago
Nice
@Hackedpw 3 years ago
Okæy then
@syeds6789 3 years ago
Top notch content! Learnt some new things :)
@BlackNetworkBit 3 years ago
Yeah, that was a nice challenge :) I solved it
@SALTINBANK 3 years ago
Thanks a lot : love you loF
@AbdelrahmanRashed 3 years ago
How is it hard to understand a URL :D :D :D
@Gramini 3 years ago
Because of the complexity of them.
@otherhandlewasdumb 3 years ago
So this is the level after OSWE.
@PlanetComputer 3 years ago
ok
@danielchin1259 3 years ago
This is a good one.
@000t9 3 years ago
... my comment... gone :|
@manxiouss 1 year ago
German?
@_CryptoCat 3 years ago
Next level explanations and visuals as ever dude! Love the challenge, super creative and realistic and.. I probably would not have solved it 👀😅
@miniontoby 3 years ago
I can hack Cookie Clicker (and no, not just by using an auto clicker). Btw dude, please use a different color background, I can nearly see you without having to set my screen to its brightest
@TechnicalHeavenSM 3 years ago
Awesome
@Dragiux 3 years ago
LiveOverflow: DO NOT USE ALERT FOR XSS. Also LiveOverflow: onload=alert(document.body)