to me, this is a story about how timed competition and a trusted source saying "yes, it's still possible" leads to tons of people independently discovering a real 0 day, just like that.
@KitsuneAlex (2 years ago)
Strongly agree x3
@LB_ (2 years ago)
You'd think they would have reported it after the competition 😬
@Mr_Yeah (2 years ago)
Yeah, I'm worried that the other teams might've found a different exploit and didn't report it yet.
@henke37 (2 years ago)
The headers only working "sometimes" is a classic sign of an unsorted hashmap. Enumerating the key/value pairs will return the entries in an unpredictable order. My guess is that the code responsible for handling the header enumerates the hashmap entries and uses a switch statement to figure out what to do. The end result is that a random header ends up enumerated last and overwrites the work of the previous headers.
@almightyhydra (2 years ago)
Yea, would be interested to know what the fix is. I doubt this is the only header manipulation code that might be vulnerable.
@guiorgy (2 years ago)
@@almightyhydra Is there any time when detecting more than one header is ok? What if you just terminate if more than one is found?
@yScribblezHD (2 years ago)
@@guiorgy Couldn't the injected header still just be read first? I feel like the real issue is that batch requests is relying on a supplied IP address that can be forged as localhost.
@emptylog933 (2 years ago)
Idk, why would the plugin need proxy support if the host expects requests only from localhost?
@sknt (2 years ago)
@@almightyhydra Here's the pull request for the fix: github.com/apache/apisix/pull/6251/files All they did was call str_lower() on the "x-real-ip" header field name. If I understand it correctly, overwriting the header happens in nginx. Likely due to the already mentioned reason of enumerating a hashmap in a random order. RFC 7230 ( www.rfc-editor.org/rfc/rfc7230#section-3.2 ): "Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace."
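An added example (not code from the video, the linked PR, or APISIX itself) of the difference that folding the field name makes when a gateway overrides a client-supplied header, plus a duplicate-name check in the spirit of the suggestion above to refuse requests that carry the same header more than once. The raw request, `parse_headers`, `set_trusted_header_*` and `duplicate_names` are this example's own constructions.

```python
"""Constructed illustration of the header-name case-folding fix discussed above.
Not APISIX code: the helpers and the raw request below are made up for this example."""
from collections import Counter


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.1 header block into ordered (name, value) pairs,
    keeping each field name exactly as the client spelled it."""
    pairs = []
    for line in raw.split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def set_trusted_header_exact(headers, name, value):
    """Weak form: drops only byte-identical spellings of `name` before setting the
    trusted value, so a differently cased client copy survives alongside it and
    whichever entry a downstream hashmap enumerates last decides the outcome."""
    kept = [(k, v) for k, v in headers if k != name]
    return kept + [(name, value)]


def set_trusted_header_folded(headers, name, value):
    """Fixed form: RFC 7230 field names are case-insensitive, so fold before
    comparing. Every client-supplied variant is removed and exactly one
    canonical (lower-case) entry carrying the trusted value remains."""
    target = name.lower()
    kept = [(k, v) for k, v in headers if k.lower() != target]
    return kept + [(target, value)]


def duplicate_names(headers):
    """Detection helper: folded field names that occur more than once. A
    non-empty result means the request is ambiguous and should be rejected
    rather than forwarded."""
    counts = Counter(k.lower() for k, _ in headers)
    return sorted(n for n, c in counts.items() if c > 1)


# Constructed request: the client spelled the field name in mixed case.
RAW = "Host: gateway.example\r\nX-Real-IP: 127.0.0.1\r\nContent-Type: application/json\r\n"
CLIENT_ADDR = "203.0.113.7"  # TEST-NET address standing in for the real peer address

if __name__ == "__main__":
    hdrs = parse_headers(RAW)
    print(duplicate_names(set_trusted_header_exact(hdrs, "x-real-ip", CLIENT_ADDR)))   # ['x-real-ip']
    print(duplicate_names(set_trusted_header_folded(hdrs, "x-real-ip", CLIENT_ADDR)))  # []
```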
@ThePowerRanger (2 years ago)
This is literally the dream.
@monad_tcp (2 years ago)
Super useful when you want to root that pesky device. There's always a fucking webserver and it's apache running PHP. I love shitty technologies, it means I can always POWN my hardware.
@FrozenFire1997 (2 years ago)
@@monad_tcp what kinds of devices are you talking about?
@monad_tcp (2 years ago)
@@FrozenFire1997 smart TVs for example
@otherkrabs (2 years ago)
@@monad_tcp This isn't the apache web server though. It's APISIX, which is not the same software (and in the video it's running on nginx anyway)
@Stopinvadingmyhardware (2 years ago)
Nope
@saketsrv9068 (2 years ago)
This man is a gem and super talented guy.
@perceptoshmegington3371 (1 year ago)
it's a case of hard work over talent
@MisterL2_yt (2 years ago)
Very interesting video, but how did this situation happen? Did the RealWorldCTF organisers find (or purchase) this vulnerability some time ago and just decided to keep it secret for the CTF and then not even report it afterwards? This seems very strange :o
@ThisIsTheInternet (2 years ago)
Yeah that's very questionable
@ahmedifhaam7266 (2 years ago)
Man.. this got me thinking, should I stack the vulnerabilities I find before reporting, and just create a prized challenge? lol. Maybe if the service is containerised I can report it first and use the old containers for the challenge, but then hmm that's impossible since people will just look for changes in the patch. How are real world CTFs actually done?
@ibrahimkalantn4072 (2 years ago)
Man i love your channel great video as usual
@seif-allahhomrani2169 (2 years ago)
Crazy how you make it look like it's easy to find a 0-day! Great video @liveoverflow
@larditard (2 years ago)
Excellent video. Thank you for making!
@siddharthchhetry4218 (2 years ago)
You and your team are awesome
@jandalfDerNice (2 years ago)
Great video as always! Thank you for making this awesome content for aspiring InfoSec students
@aakashadhikari3752 (2 years ago)
Dream boiiz dream.. but congrats comrade for the CVE
@kevinwydler4405 (2 years ago)
So simple yet ingenious!
@JaspreetSingh-qg2xp (2 years ago)
Thank you so much and congrats on solving and identifying the issue. You're really making valuable content and please, I request you to keep posting such good informative as well as interesting things. You're full of knowledge and a motivation for me.
@zekiz774 (2 years ago)
Finally: a video I understand
@SkippyDa (2 years ago)
I liked your outro.
@flopana5762 (2 years ago)
What bothers me is that you had to report it, and that just due to the fact that you wanted to make a video about it. I can understand that the organiser didn't just want you to read a couple of commits to find the vulnerability; that wouldn't be a good challenge. But I think it was a bit irresponsible of the organiser to not report this issue immediately after the CTF had ended or contact the Apache foundation in some way. They basically just led multiple hacker groups to a remote code execution without caring about fixing it.
@dennydravis8758 (2 years ago)
Yeah it does violate the spirit of the ethical hacking CTFs
@damiannowak3811 (2 years ago)
@@dennydravis8758 yeah just did a masscan and there are a lot of those not updated yet. executing cross-compiled botnet binary on them for monero mining.
@aescling (2 years ago)
@@damiannowak3811 i hope you're capping because otherwise you just admitted to a crime in public?
@Sina-rw3bl (2 years ago)
@@aescling "in public" settle down buddy, nobody is catching him 💀
@The_One_0_0 (2 years ago)
@@damiannowak3811 already took skid lol
@patrick1020000 (2 years ago)
Did you hit up the other challenge solvers to make sure they found the same bug you did?
@JuanBotes (2 years ago)
thank you for sharing your knowledge \o/
@atraps7882 (2 years ago)
this shows me that being a "hacker" isn't just about using the popular tools, they got to have a lot of deep background knowledge in systems, web technologies, networking, bit manipulation, scripting, cryptography, containerization, virtualization and much more.. I'm just an average software engineer focusing on backend development but man, these guys are just levels above and beyond.
@hovnocuc4551 (2 years ago)
that's the difference between a hacker and a scriptkiddie.
@Aquriez (2 years ago)
This is really cool, great video
@yy6u (2 years ago)
that kind of ctfs are really great, it's all about expanding knowledge of someone's work and educating everyone else
@randomguy3784 (2 years ago)
Superb content!
@generallyunimportant (2 years ago)
i find it funny that no one actually reported the vuln to apache lol-
@1vader (2 years ago)
Funny but also pretty sad. It's honestly pretty shocking and irresponsible that the organizers didn't do it themselves.
@theairaccumulator7144 (1 year ago)
@@1vader the organizers probably had a different vulnerability in mind, there's a chance that these guys found something entirely new.
@RahulSinghInfosec (2 years ago)
Thank you for sharing!
@LukasSMF (2 years ago)
I really love these videos
@kirdow (2 years ago)
Great video, haven't watched in a while but this title got me hooked. Will definitely watch some of your other videos to catch up :D Also at 12:15 in the report message, should you really have "1. " twice in Mitigation? :P Anyways, you surely have improved your editing and video style since the day I became a member, keep up the great work man
@sodiboo (2 years ago)
Isn't that markdown? in source files you often find numbered lists with all the points as 1. for easier reordering, because markdown rendering does NOT use the numbers in the document for the resulting list, it's simply that you have a number in front of every line, and then the marker starts at 1 and counts up for each entry. This can be somewhat confusing when viewing the document as plaintext, but it also isn't plaintext and shouldn't be viewed like that, so it's not a huge issue for most people.
@mynameisrezza (1 year ago)
Just saw this and WOW!
@mikflores (2 years ago)
This is amazing. Great.
@monad_tcp (2 years ago)
This is such good news!
@bigl9527 (2 years ago)
Another video of Ed Sheeran explaining about security in detail
@31redorange08 (2 years ago)
This isn't Ed Sheeran.
@nztpill (2 years ago)
@@31redorange08 that's literally him, check his instagram
@johnpathe (2 years ago)
Such a great video. Really well explained. Doing amazing work as usual LO :) I had to playback some parts and ended up watching it at .75x speed :) Gratz on the first blood! :D
@thepenguin9 (2 years ago)
I feel like one of the organisers shares my mentality on chaos and its current reign, including a 0day
@Reichstaubenminister (2 years ago)
I only listened to the video while doing something else, and the entire time I thought you said "bad requests plugin" and that the name was quite ironic. Turns out it was batch-requests.
@chiragartani (2 years ago)
Incredible. Do you think that the servers are using APISIX? And are vulnerable? I mean I want to see in the real life, If I can find this vulnerability in the live servers.
@anion21 (2 years ago)
Well done. So, was your solution the "correct" solution expected by the creators of this CTF challenge, or is there any other solution which does not contain 0days?
@kebien6020 (2 years ago)
I think in this setting any solution would qualify as a 0day, since the challenge involved RCE and was meant to work on the latest version.
@ahmedifhaam7266 (2 years ago)
pretty sure there was another exploit.
@faizalqorni7969 (2 years ago)
this is the dream man
@AbdelrahmanRashed (2 years ago)
if it didn't work for you the first time, what would you have done?
@casperes0912 (2 years ago)
That was a weird Minecraft Let's Play, but I liked it
@EER0000 (2 years ago)
A bit odd that it was not reported yet, but very nice find. HTTP header capitalization can be a nightmare sometimes, not just in Lua 😅
@joaokoritar2141 (2 years ago)
Very cool! Btw, which VSCode theme do you use, it looks nice!
@aescling (2 years ago)
looks like Solarized Dark
@meh.7539 (2 years ago)
If you check out the HTTP request smuggling attack preso from, I want to say, 2019, he explains what's going on in its most basic form. What you're showing here looks pretty similar to what he presents.
@allezvenga7617 (2 years ago)
Well done 👍
@bobsmithy3103 (2 years ago)
lmao i love it when you run the same piece of code but get different results
@ArnaudMEURET (2 years ago)
Huh, I’m frustrated that you did not present the actual piece of faulty code and its fix ! 😒 …I’ll look it up.
@Najumulsaqib (2 years ago)
Very engaging stuff.
@MTRNord (2 years ago)
This makes me wonder: Are there other services with this exact bug or a close variation? As it seems like a fairly normal pattern to have for things like this.
@FlorianWendelborn (2 years ago)
Most security vulnerabilities aren’t unique. A lot of them even make it to OWASP top 10 list :) I wouldn’t be surprised at all if there’s 100 different pieces of software out there somewhere that have this exact _kind_ of vulnerability.
@ThisIsTheInternet (2 years ago)
Do you know of other stupid gateways that let you dynamically create remote code execution endpoints? lol
@MTRNord (2 years ago)
@@ThisIsTheInternet there are countless of these API gateways, yeah. It is pretty common in stuff like cloud. Serverless also kinda is a framework doing something like this. So is AWS Lambda, kinda. Both not exactly like this, but with similar goals of having dynamic customer-provisioned API endpoints.
@ahmedifhaam7266 (2 years ago)
literally found something similar in a local community SAS
@EduardVasile5 (2 years ago)
Ah, yes. Of course.
@leesalmon7672 (2 years ago)
how to bruteforce a 26-bit hash?
@HritikV (2 years ago)
Check out Patreon and stuff. Lol, best ending ever
@alexanderwences6600 (2 years ago)
So Are you gonna help with the Cyber war?
@hyperdrone900 (2 years ago)
nice :D
@_Slaze (2 years ago)
After watching some of your videos I feel like I should quit learning pentesting. If you call this "not a hard challenge" what am I doing all the time? ^^
@nobodynoone2500 (2 years ago)
I mean, it's not super advanced stuff. I think the most technical thing was the proof of work code.
@odessairenikute6961 (2 years ago)
So it is all about learning how to ask smart questions. Not rocket science, but it is still a tricky thing :)
@alwan7777 (2 years ago)
Yeyyyy
@andyelgangster5320 (2 years ago)
nice video 😎
@ChrisBigBad (2 years ago)
LoL. SSRP as a Service :D
@mikena8519 (2 years ago)
yes that was a good punch line i thought too!
@awesomesauce804 (2 years ago)
SSRS as a service, lol.
@xB-yg2iw (2 years ago)
The ending had me rolling hahahaha
@DarkOverFlowOverflow (2 years ago)
i've never seen you with glasses before, congrats on your 700k followers tho
@LiveOverflow (2 years ago)
why didn't you watch the previous video 🤡 haha
@DarkOverFlowOverflow (2 years ago)
@@LiveOverflow damn i got hacked lol
@ndm13 (2 years ago)
Why, Apache? Why do you keep doing this?
@D0Samp (2 years ago)
I guess it's finally time to set or change some localhost-only admin passwords/tokens.
@jonathan-._.- (2 years ago)
🤔 halfway through: maybe we can set the host header to localhost
@ahmedifhaam7266 (2 years ago)
was a very engaging and fun video. I am just surprised how this Flo guy writes Lua code so fast.. I got the gist of it but I couldn't understand the Lua script that well, anyone care to explain? would appreciate, thanks
@_AN203 (2 years ago)
Are you working on another CTF at the time of recording?
@jaopredoramires (2 years ago)
what's the `(base)` at the top-left of the terminal prompt?
@sadhlife (2 years ago)
it could be a python virtual environment, or the name of their ssh server / docker container, or anything really.
@necroowl3953 (2 years ago)
Bro, pls look into golang, I have a fast recursive hasher that you guys could write down in minutes
@dev__004 (1 year ago)
Now, what was the real solution or were the organizers too expecting you guys to come up with a 0day😆😆
@oeerturk (2 years ago)
IS IT JUST ME OR DOES HE LOOK LIKE MR ROBOTS FATHER GUY WITH THE GLASSES??????????????? thx for allllll the incredible content
@CentigradeMind (1 year ago)
Yup
@raass9316 (2 years ago)
The main takeaway: if you want to hack it, just try it! Why are all new bugs like this?
@mr.guljaan7175 (2 years ago)
🆂︎🅾︎🅾︎🅾︎🅾︎🅿︎🅴︎🆁︎
@sookmaideek (2 years ago)
zerday guyz
@neuramancer (2 years ago)
How to register for RealWorldCTF?
@stef9019 (2 years ago)
Is it me or did you recently switch to reading from a script? If it was the case already before it's a bit more obvious rn IMO.
@LiveOverflow (2 years ago)
I have read from a script since I started this channel hahha. There are only a handful of non-scripted videos. But this was the first time wearing glasses while reading off the teleprompter. Maybe I struggled a bit here? 😅
@stef9019 (2 years ago)
@@LiveOverflow Ahah could be the case, I've never noticed before!
@cbruegg (2 years ago)
@@LiveOverflow Completely fine IMO :)
@yeetyeet7070 (2 years ago)
he w i d e
@random_guy1024 (2 years ago)
Can you make a video on how a script-kiddie like me can be a hacker like you... or at least try to be......
@tomysshadow (2 years ago)
Check out his video "the secret hidden guide to hacking."
@casperes0912 (2 years ago)
Rule number 1. Have fun.
@gowthamanks3654 (2 years ago)
You possess lots of knowledge. Why don't you make a Udemy course, or beginner-friendly YouTube courses?
@karanb2067 (2 years ago)
Very cool, but like realworldctf people just decided to not expose this vulnerability? kinda sketchy....
@bibasbajgain1434 (2 years ago)
🧐🧐
@creepychris420 (2 years ago)
ayylmao123 😂
@v2nd2tt44 (2 years ago)
69k 😶😌 lucky
@aziztcf (2 years ago)
Hey, you might want to calm down your body language a bit while explaining stuff. It can get kinda distracting, especially to people who rely on subtitles :) Other than that, great job once again!
@codywohlers2059 (2 years ago)
I like the videos better when you were doing it as you filmed. I don't like these videos where someone talks over what they did after they did it.
@LiveOverflow (2 years ago)
This is literally how I made CTF channel videos always. Only very very few are in a different style. Which videos were you thinking about?
@codywohlers2059 (2 years ago)
I don't know what I mean lol. I guess when there was less full screen cam and more code. Don't get me wrong I love your videos!
@espero_dev (2 years ago)
Bro, there is a new 0-day hack lol. It's secret because it's just my company that found it, but it's pretty secret, no one else knows about the one we do because it works with mobile and desktops and laptops.