ZipSlip w/ TAR & Server-Side Template Injection - HackTheBox University CTF - "Slippy"

Views: 47,305

John Hammond


Comments: 57
@Gweedzy 3 years ago
Heyy John, I've been watching hours of your content and I think this is the right moment to leave a comment. I really love your videos and especially the rhythm and the way you say everything that goes through your mind. I'm still kind of half a noob at programming but listening to you thinking and testing stuff is way more enjoyable and inspiring than boring tutorials. Thank you for sharing your knowledge, I wish you the best from France. -A random dude that learns and devs web and python apps in his bedroom at parents'
@coreyknutson-huddleston8852 3 years ago
Love your vids man, teaching me to be a better programmer and problem solver...thanks for sharing your brain and time.
@m4rt_ 3 years ago
I found your channel many months ago through these kinds of videos, and here I am, still watching these videos.
@highvisibilityraincoat 3 years ago
John, I've been subscribed for years and was really big on your channel about early last year. I fell off because of school and other stuff but tonight I sat down and watched the whole thing through, which I normally never do to any YouTube video. Now my itch is back and I want to get back into CTFs. Thanks for sticking around and for the constant flow of informative engaging content.
@karlkoch5417 3 years ago
"Werkzeug" is German for "tool". Watching you is so interesting and helpful, love your videos. Greetings from Germany.
@itssebis8183 2 years ago
Just wanted to send this information too... In Germany we say: "dEr FrÜhE vOGeL fÄNgT dEN wuRM."
@АлексейЛавренович-х7е 3 years ago
opening a totally new world with you man, excellent
@XiSparks 3 years ago
I'm 100% using "That floated my fancy" in my day to day conversation from now on.
@sevadazohrabian4021 2 years ago
As always, amazing video. Thank you John.
@_CryptoCat 3 years ago
no chapters in a 40 min video 😱 this was a great challenge! nice to see the extra exploration of SSTI, i just replaced one of the python files with a modified version containing some friendly (totally non malicious) code 😈
@saite2560 2 years ago
Love the videos, there is always so much to absorb, I love it. You're probably aware of this one, but when you get a code output that's all jumbled, rather than trying to split the code up, which works no doubt, it just seems quicker to run it through an online code beautifier. Some code editors might have an auto beautifier. They have them for most of the code languages. They don't alter the code, just make it human readable, putting the tabs in the right spot for Python or other code types. Also adds color for more complicated code, which is a nice touch.
@JonathanLeeDev 3 years ago
Would be interested to see a CTF where you are to attack a Spring Boot Java application. Love the videos BTW!
@maurox1614 3 years ago
That's why I always run the webserver as a low privileged user and set all permissions on files as read-only (for the web server user). Anyway, as always, thank you for sharing the knowledge!
@avishekkumar8477 3 years ago
I am your great fan, John, I have learnt a lot of stuff from your vids
@claymoody 3 years ago
well done as always! Thanks.
@ZeldoKavira 3 years ago
Sublime allows you to open an entire folder at a time so that it's easier for the viewers to follow along on where you are in the file tree
@PythonisLove 3 years ago
impressed and subscribed
@kevinalexander4959 3 years ago
Since it was running as root, could have just injected a python script to give you reverse TCP and it should be a reverse shell running as root, correct?
@Gigawipf 3 years ago
That tickled my boat
@vrushabhpatil2867 2 years ago
How did u find that file? I want that file, where I can that file or information, plzz reply
@thepankaj.k_trades 3 years ago
can you tell us about Cyber Santa is Coming to Town (hackthebox ) challenge
@sergten 3 years ago
If that's Difficulty 1 I'm curious to what's involved in the 4-star problems.
@roypolinder8158 3 years ago
when day 2?
@anonymousshadow8308 3 years ago
why are all these unlisted?
@nagarajansree862 3 years ago
2 days ago?? SUS
@quasarcore 3 years ago
Dark magic...
@yanex4631 3 years ago
welcome back cyber sct
@-willplaysgames 3 years ago
As a hypothetical, if you were to engage this type of web app in a black box situation, how would you go about identifying the Zip Slip vuln on this machine? I'm having trouble wrapping my head around how to look at CTF boxes from a scope of work type of perspective. Do most of these types of vulns only get discovered in situations where you're allowed to audit (via source code or some other grey/white box situation) that this app is mishandling TAR and such? sorry if that's a complex question. Love your videos. Thanks for all you do for this community.
@luketurner314 3 years ago
About 1:50 he views the source of the webpage (all web browsers can do this, how would they display a webpage otherwise?) and at the bottom (in this case) is "/static/js/main.js". One could copy-paste that relative path into the browser's address bar to view the file. The contents of this file would be the same as 11:50, where he finds the TAR mishandling code and the "/api/unslippy" POST url. As for the ssti, he finds the server type in the request headers in the browser dev tools (3:18). All this recon solely through the browser, no special tools needed. The only additional info possibly needed would be experience
@marshalstewart7776 3 years ago
So cool
@1stAshaMan 3 years ago
Is StackOverflow really for anything Other Than new bastardized code?
@Nunya58294 3 years ago
Lmfao I'm sorry to laugh.... I seen "bastardized" and almost spit my drink out
@Walid-Lamraoui 3 years ago
Hey man .. can u please share the downloadable files (Dockerfile , app source code etc) from the challenge ?
@bhagyalakshmi1053 1 year ago
Malloc?
@MsTarguisti 3 years ago
I loved how you were analysing the source codes, are there any tutorials for that?
@Djamieson713 3 years ago
start writing code
@jaredteaches894 3 years ago
Learn how to code? You can't really reverse engineer, if you can't even forward engineer
@MsTarguisti 3 years ago
Right Indeed, thank you guys!
@Vilvee 3 years ago
I love pretending like I know what's going on. *internal screaming*
@davidmiller9485 3 years ago
Class Pickle??!!??!! That better damn well be a DILL class!!! Look near his image at 34:00
@DePhoegonIsle 3 years ago
Ya know.... The thing that actually bothers me deeply is . 'Why the hell .. Why the bloody hell is directory climbing ALLOWED?' Preventing the ' .. ' would seriously nix the 'slippy' faults, and a lot of the injection exploits? -- I'd also be very wary of how I allowed updates & debugging, let alone enabling some Read Only access to the web server to key script files.
@SumanRoy.official 3 years ago
it helps in exploiting LFI
@DePhoegonIsle 2 years ago
@SumanRoy.official isn't that malware design? My point is, why is it even allowed when there should be no valid use of it in public sector use.
@gacekkosmatek 3 years ago
didn’t even get a reverse shell into the container, very disappointed
@ahmadfaisal6356 3 years ago
Where can I learn cybersec from scratch for free (sorry for my English)
@_JohnHammond 3 years ago
On this channel ;)
@Pkay120 3 years ago
I think it depends on how familiar you are with Linux/Windows/Networking/Programming. I’d build a base with those then try to venture out.
@m4rt_ 3 years ago
Is it only me or is there something weird with the sound?
@MsTarguisti 3 years ago
How is this supposed to be beginner level
@superchiaki 3 years ago
don't get the exploit. it's just normal posix behaviour? lol
@appdevelopersandrelatedcha6498 3 years ago
2nd comment
@inhnguyento8903 3 years ago
Anybody know why changing info.mtime makes it work?
@sandra8139 2 years ago
I posted the phone number Melissa Vicky Stevenson and Jimbo identity thefts scammers ask to call me
@lifebarier 3 years ago
God damn. Those soy face thumbnails are really an eye sore in my suggestions...
@colin-campbell 3 years ago
Finally gotta unsubscribe because of the thumbnails.
@greob 3 years ago
Great video, thanks for sharing!