Blind GQL injection and optimised binary search - A7 ~ Gee cue elle (misc) Google CTF 2017

76,273 views

LiveOverflow

Days ago

Comments: 77
@adamkrasuski4743 7 years ago
At 8:30, you checked log 64 - but wolfram alpha calculates natural logarithm, while you should take a base 2 logarithm instead. log2 64 is exactly 6, so trivial binary search needs 6 requests per letter.
@LiveOverflow 7 years ago
+akrasuski1 argh oooops! Thanks for the correction
@techwithwhiteboard3483 4 years ago
@@LiveOverflow Are you from Turkey?
@Rac00n 4 years ago
@@techwithwhiteboard3483 3 yo video, and as far as I'm aware he is German
@CZghost 3 years ago
@@Rac00n There are lots of Turks in Germany actually. One is even an actor :)
@VegaDW 7 years ago
I got a chuckle out of Sublime being unregistered
@anunayy 5 years ago
I love how lovely he makes all his code... God when will I love to code beautifully.
@wbuchmueller 7 years ago
12:59 H A C K E R M A N
@sagarkapasi099 5 years ago
Lol
@Meowzofficial 3 years ago
YOU'RE RIGHT
@devikakrishna4464 3 years ago
@@sagarkapasi099 13:50 is what hackermen look like
@mdsdn 3 years ago
@@devikakrishna4464 lmao you’re absolutely right
@rafajanicki2456 7 years ago
Awesome to watch how you use your knowledge from so many domains to solve one challenge.
@yamakaja1252 7 years ago
Amazing video, as always :D Though if "5.00E+00" was the remaining search space, that's not zero :P
@LiveOverflow 7 years ago
:D I wrote the script and recorded the audio, and afterwards I realised that because of bad float calculations I never made it to 0
@AbbyChau 5 years ago
Very impressed you figured out 15% is the best split ratio
@a_llama 3 years ago
It's better than 50%, sure, but is it the best?
@AbbyChau 3 years ago
@@a_llama I think lof's explanation makes sense. Making use of a maximum of 2 exceptions over 13 trials is 15%.
@AbbyChau 3 years ago
@@a_llama I think there is one more micro-optimization: the ratio can be adjusted after the response of `Wrong Username` or `Wrong Password` is received, e.g. from 2/13 to 1/13, then to 1/9, etc., dynamically.
@alexandrerozier2758 7 years ago
The binary search idea killed me. Had to implement one for queries over a huge dataset, and it works great! Thumbs up :)
@LiveOverflow 7 years ago
heh! Maybe you have some input for here: www.reddit.com/r/algorithms/comments/6kunwp/looking_for_the_fastest_on_average_search/
@Shirolicious 5 years ago
I am quickly becoming a fan of this channel. I love these subjects and I can only imagine how cool it is to be able to understand all this. It's like a game or a puzzle that you need to solve. I am for now just watching the videos, I hope at some point I start to understand the things you're explaining :)
@ArbelFS3 7 years ago
AWESOME!!! Thanks for sharing, I hope you will be granted the write-up reward from Google :P
@MichaelMerritt 5 years ago
Holy shit that was amazing, nice work and presentation!
@GunboyzElite 7 years ago
Another Awesome video
@LemonChieff 5 years ago
:cries in yaml:
@farrugiathomas3789 7 years ago
Hey, keep going like that, your videos are AWESOME.
@kevinwydler4405 4 years ago
Beautiful solution!
@theachapter 7 years ago
Hey man, once again great video! One request though. Can you please make a video where you show and explain all the tools you use, such as your preferred OS, terminal, programming font and so on. And maybe even show your complete setup?! Cheers ;)
@azertyalex1996 7 years ago
He uses windows. Sublime text as editor. Chrome as browser. That's about all I could see in this video
@mentnahtulse2557 7 years ago
Nope. He uses macOS. See the binary hacking playlist, you'll see all the tools (mostly Python and brain)
@azertyalex1996 7 years ago
You can clearly see he used windows in this video, never said he only uses windows throughout this or his other videos.
@justsomedude4660 5 years ago
@@mentnahtulse2557 not macOS, Ubuntu
@mahdiarfaramarzpoor 7 years ago
This challenge was really hard for me to understand. You explained it well. But still damn harddd
@gerrygooable 7 years ago
I’ve been doing ICPC for two years, the search (and search optimization) seemed super straight forward to me, it’s the part about being familiar with all the ‘web’ technologies that I don’t get haha
@LiveOverflow 7 years ago
+gerrygooable do you have a good theoretical background on this stuff? I have a real problem understanding some stuff about the algorithm. I posted a question in cs.stackexchange.com but I guess I was not really eloquent there :/
@gerrygooable 7 years ago
I checked out your question (sorry if it sounds stalky, you're the only liveoverflow over there), I understand that you want to know why the skew on the search is not what you calculated, and also why is the "Minimization of Maximum Regret" strategy more efficient for that problem. Even though I've (maybe) had Minimization of Maximum Regret problems before I'd have to think about it a lot, and unfortunately I'm quite devoid of time for that. I will share this video (and the stackexchange question) with my icpc team. We usually enjoy these algorithm appropriateness mysteries very much
@gerrygooable 7 years ago
I just gave the egg problem mentioned in your stackexchange question. I haven't thought it through at all but the egg problem feels as if it was more adequate with the problem you were given. (Again, I haven't thought this through at all. I might be completely wrong) I feel as if the skew in the search diminished the number of times you guess wrong for being on some particular side of the search domain, whereas the MMR approach minimizes guesses in general.
@gerrygooable 7 years ago
I'm sorry if I'm not being clear. What I mean is: I feel like skewed search -> reduces guessing on the "punished" side of the search range; MMR -> reduces guesses in general, i.e. more efficient(?). Again, this is just my gut feeling. I'm sorry if I'm wrong. If any of the guys in my team actually explains this I'll surely let you know
@cyancoyote7366 7 years ago
Amazing!
@Deaple 7 years ago
Really awesome, thanks for sharing!
@ryuuji159 5 years ago
Correct me if I'm wrong, but you could narrow your search using that regex that you mention at the start, so you had to search fewer characters
@rickoo4368 5 years ago
My brain was smoking after this video.
@apg7118346 7 years ago
Great job !
@TETYYS 7 years ago
+ 1 gets you every time
@androkon6920 4 years ago
Gee gee.
@kalaxlimas 7 years ago
Ty... I thought you hadn't read my tweet :) I spent hours trying to optimize that thing... I didn't notice that exceptions trick :S
@MKkniGEAR 6 years ago
How did you know you could run multiple instances ? It seems like the app generates a new password for each instance you run, but that means you could have validated the challenge with multiple flags ? How did you know running multiple instances would not ruin and let you validate only one flag (like the last instance you ran or something) ? Thanks for the videos.
@LiveOverflow 6 years ago
yeah, the flag validation was unique for each instance. The flag validation was like a "license key" check. There was some logic to validate them. So each instance had the chance to find a valid flag.
@JordanWiens 7 years ago
Very nice! You pause the video at one point on "hi = hi". Shouldn't that be "hi = max_val"?
@LiveOverflow 7 years ago
+Jordan Wiens yap. I just noticed myself that I had some fails in the script after I made it pretty with comments and variable renaming. -.-
@JordanWiens 7 years ago
LiveOverflow heh, that makes sense. My CTF solutions are never that pretty! Though you did do the progress bar in the live version which was a nice touch.
@sweet-sinner 6 years ago
omg so goooood
@sagarkapasi099 5 years ago
My gosh, where do you learn this stuff! It's ridiculous. Practice, I guess!
@dream0p2131 4 years ago
Correct me if I'm wrong, but couldn't you have just proxied every time you were banned? Or did I miss something?
@BananaMan77777777777 7 years ago
Can you please provide me a link to that sweet intro/outro music? BTW I love your videos :D
@mohammaddh8655 4 years ago
Hi, I have the knowledge of CEH and SANS 542 and I know the OWASP Top Ten, but the real world has a big difference with course examples, so please tell me where I can gain some good experience that helps me in real hacking. I need every resource (book, video, ...). Please, this is more than a dream for me, it's a goal
@MrHackingcrazy 7 years ago
I was a little confused in 05:24. In what cases the query returned the password and in what cases it didn't? (Also, I assumed you would be bruteforcing password field, but the sql query matches 'user' field)
@LiveOverflow 7 years ago
Just read the query? It says: SELECT password WHERE user = '%s' So the query will return the password of a given user, and doesn't return a password if the user doesn't exist. But with the injection we create this query: SELECT password WHERE user = 'admin' AND password > 'A' So we return the password for the user admin if his password is bigger than A. If it would be smaller than A, then the query doesn't find a matching password and returns nothing. And with those two possible cases, we can slowly bruteforce the password.
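The extraction loop described in the reply above, as an added example that is not the video's own script: a simulated oracle for `SELECT password WHERE user = 'admin' AND password > '<candidate>'`, a per-character search whose cut point is a parameter (0.5 for plain binary search, 0.15 for the skewed split debated later in the thread), and counters that make the cost trade-off measurable. Assumptions: a 64-character alphabet sorted by code point, a `~` sentinel that sorts above every alphabet character, and that the empty response is the one that counts against you.

```python
import string

# Constructed stand-in for the challenge's datastore: a single admin row.
SECRET = "s3cr3t_Pw"
# 64-character alphabet sorted by code point; every character sorts below '~'.
ALPHABET = "".join(sorted(string.ascii_letters + string.digits + "_-"))

class Oracle:
    """SELECT password WHERE user='admin' AND password > '<candidate>' (simulated).
    Assumption: the empty response is the one the challenge punishes."""
    def __init__(self, secret):
        self.secret, self.queries, self.empty = secret, 0, 0

    def greater(self, candidate):
        self.queries += 1
        hit = self.secret > candidate          # True: row returned, False: empty
        self.empty += 0 if hit else 1
        return hit

def next_char(oracle, prefix, split):
    """Recover secret[len(prefix)]; `split` is where the range is cut (0.5 = plain
    binary search, 0.15 = the skewed search from the video). The '~' sentinel makes
    'password > prefix+c+~' equivalent to 'secret[i] > c' for this alphabet."""
    lo, hi = 0, len(ALPHABET) - 1
    while lo < hi:
        mid = lo + int(split * (hi - lo))
        if oracle.greater(prefix + ALPHABET[mid] + "~"):
            lo = mid + 1   # secret[i] lies above the cut
        else:
            hi = mid       # secret[i] is at or below the cut (empty response)
    return ALPHABET[lo]

def extract(secret, split=0.5):
    """Return (recovered password, total queries, empty responses)."""
    oracle, prefix = Oracle(secret), ""
    while oracle.greater(prefix):   # False exactly once prefix == secret
        prefix += next_char(oracle, prefix, split)
    return prefix, oracle.queries, oracle.empty

def worst_case(split):
    """(max empty responses, total queries) over every possible single character."""
    worst_empty, total = 0, 0
    for c in ALPHABET:
        oracle = Oracle(c)
        assert next_char(oracle, "", split) == c
        worst_empty = max(worst_empty, oracle.empty)
        total += oracle.queries
    return worst_empty, total
```

With the 50% split every character costs exactly 6 queries (log2 64) but a low character can produce 6 empty responses in a row; with the 15% split no character ever produces more than 3 empty responses, at the price of more queries in total, which is the trade-off a rate limit or lockout threshold has to be sized against.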
@GurunathEswar 6 years ago
Hey, how can I see my server PHP file in the browser without rendering the raw PHP, like the index.php? I want to see the PHP code
@shivamprasad2266 5 years ago
Make the whole code a string, pass it to JavaScript and then push it into a textarea
@StreetRacersCy 7 years ago
nice :)
@michiel8625 6 years ago
Damn!
@tobiaswegner2725 5 years ago
Wait... didn't you just simply get lucky there? 150 from 260 tries sounds already pretty probable with multiple runs. You shift the probability in a binary search, so there is 85% left and 15% right. But doesn't that increase the overall search complexity? I am not completely sure, but it might even out in the end (=> you have a 35% bigger chance of avoiding the exception, but you need 35% longer to check all of the results...)
@DMWatchesYoutube 6 years ago
Here a year later. Gg
@StevenSanders-y3q 6 days ago
Lewis Brenda Brown Patricia Brown Scott
@DarkOverFlowOverflow 5 years ago
Sqp*
@ishikani 5 years ago
I don't understand 99% of this video, why am I watching it? Oh well.
@dn5426 7 years ago
~
@IdanHorowitz 6 years ago
The video's sound is really low
@hafizhsyam4778 6 years ago
I thought GraphQL
@nic0latesla333 5 years ago
I didn't understand anything... so hard for me