I legally defaced this website.

As someone who works in the reliability engineering team of a medium-sized corp, this is literally one of my worst nightmares. People don't realise how easy it is to create vulnerabilities in bigger projects.

Another solution instead of the file api could be to name the file ”0.php%00%.jpeg”. The check might be looking for the filename to end with .jpeg but in some versions of php when php writes the file to disk it looks for the first null character in the filename to know when it’s “done”. That way “0.php%00%.jpeg” becomes “0.php”

to think all of this can be mostly protected by ratelimiting the user and not letting them send thousands of requests in a few minutes

If you would want to secure that, an API shouldn't take a file as an input, you should store any user-uploaded files with an ID that you store in a database and have the API reference that ID to find the file. That's already the whole "access any file on the system" issue fixed.
Then, you should make sure that the API is the only thing that can access those user-uploaded files, and you should make sure the code behind your API treats the data as a string and doesn't execute it.
It is also generally good practice to have every admin page locked with a secure, hashed password, and if you want to go above and beyond the server should only take requests from your private key, any incorrectly encrypted requests should be ignored as they didn't come from your key.

As a Junior offensive cybersec student this was so informational. I loved the methodical method you explained and really liked to watch the whole process.
I always struggle to find good methodical aproches from where to start and how to deal with roadblocks when trying to sort things out.
Hope to see more of this on your channel

Ur Channel is underrated. Please dont stop posting, I know your channel will blow up one day.

"Be a developer first, before being a hacker" - my mentor

As someone who's currently developping a pretty big web app these videos always scare the shit outta me man ! I am pretty confident that I'm able to produce "safe" code but, the fear's always present. Love the content tho

Man this was straight Information, No Stupid Intro, No Freaking, Direct Knowledge❤

Your channel is so underrated , LOVE IT

I remember my first hack. I used blind sql injection and got the login details of admin and used it to replace images on the site with memes.
Good times.

The File API should have been configured to only give access to specific folders.
For the upload API you could search for code symbols etc.
Also a cooldown for login attempts would slow down such bruteforce attacks.
But this was a very good and informational video.
Also a follow up video where you would go into detail on how to prevent such exploitation would be great.

Especially of you're a developer, you should just use static site generation or write a HTML site from scratch, for a simple site like this.
Static HTML allows for no attack surface and even a default config web server on an up to date, reasonably secured Linux system, should provide practically no attack surface.

i started studying cyber sec a couple months ago and your channel is a gem, really keeps me motivated as a see the things i'm learning being applied and it helps a lot with piecing together an image. Thanks a lot for sharing this :)

You had access to an anonymous FTP server. I believe you could have uploaded a PHP backdoor and used the LFI to include the script.

It's so nice to watch, especially when I know most of the stuff you used or did, but would've never thought about using it :)

Haha, it is like some real world CTF I use to do, and some steps where similar... man, this kind of stuff is what I like to watch so I can memorize it again, and not forget about it.

amazing content , gives a lot of insights on exactly whats going on in the websites

I learned a lot from this video! However, at 17:08 I knew what you were gonna try. Appending "garbage" data to a JPEG or PNG is "the oldest trick in the book". In rare cases, we can trick the server into stripping the header, allowing us to upload arbitrary files without extra data

As someone who is not doing anything this video was really helpful on finding annoying comments.

What i understand is this is not simple you have lots of knowledge and better understanding what are you doing with files and how you read error increadible salute sir❤

well, underrated AF, keep it going man! Apreciating your content

thank you so much your videos are so informative, i recently learned how to self host a website, and i didnt know we needed to disable directory listing...

I believe since you already discovered an LFI vulnerability you can upload a file that can allow you to run system commands or upload your deface page and rename it to index.html
Without exploiting the OS.🤔

Thank you for this video! Loved it

Yeah, never used Apache. I use nginx, and have my websites in folders that are not in the nginx folder. I also dont use SSH or FTP servers.
My nginx is running on Windows, so it is easy for me to access the files remotely without needing third party software.
I used to create websites in PHP, But moved over to JS/TS frameworks like Angular and NextJS.

tip: if you're using a web hosting service, make a backup on there and a physical one. same for a server that you personally host

I feel like that example just screamed "Set-up" on every detail. Putting the basic auth inside an html comment.. creating a "file uploader" and a "file api" with basic html/no css. I would love to see a more mature setup, for example a vServer with basic hardening with Laravel running. This site just looked like it was made as his first website ever.

Each additional service increases the surface area, particularly if it leaks version info. There may also be version info in the HTML code. I think there's also a step where franks password may have worked on ftp, so maybe you got the directory structure without bruteforce...

If chromebooks weren't so largely restrictive, I would have absolutely taken this opportunity when I was in high-school as the chromebooks they provided were unstable, and unusable after they locked them down excessively.
Unfortunately the only way around the issues was to bring in a personal laptop instead.

Some of that webpage was in HTML3, as the tag was used: and that sites files were REALLY insecure

Great video! I just graduated college with degree in cyber security recently and just found your channel. You gained a sub

Question - why would a server not block you after being spammed with requests for all of these brute force attacks?

Instructions unclear, I somehow hacked NASA's website and got life sentence.

Very underrated channel!! You got my sub

it was amazing sir keep going ❤

This was incredibly useful for studying for the Pentest+

frank should reconsider learning the basics of web development

Beautiful walkthrough , just a question , why the server has executed phpinfo while the file extension was still jpeg and the content type was also image/jpeg ?

Your strategies are quite insightful, no cap. I would always scan the ports first, and if it’s a website, I would do file/directory/subdomain enumeration immediately

Amazing video. Good stuff!

In first 5 mins is more like tinkering with stuff to realise this 'victim' did not forget to change passwords and search in documentation to, practice back-door access.
I'm not in cyber much. But things are closed loop now and all you need to do is just disable back door access or someone is trying to penetrate you.

I know nothing about hacking but these videis are very interesting to me, you guys are very intelligent, my brain gets very confused watching it but It's still very fun to watch it 😂

Great video! But I'm wondering why not use the file return to return the upload.php file that the uploader was posting to and get the path that way?

This reminds me of webservers security in 2006 🤣

Plot twist: The developer watched this video and defaced their own website to test the hacker's skills

Where is that development protection coming from? Apache? Php? Custom auth?

how did you get into the shell of the server, you glossed over that, I assume you used the ssh, but where did you get the credentials for the ssh?

I just made a portfolio with this template and the thumbnail had be scared a second

I have never seen anyone defacing a web page in details like this before .❤❤

The best way to keep things secure is to have your password list and your user lists both offline, and split into separate file locations.
If you only ever are going to need them very occasionally, the extra steps of having to reference both halves wouldn't be too bad.
An extra step is having a list of fake data, that looks real, but is actually a cypher for the real data.

This is so nice that i immediately Subbed to you :)

wait, how did you get a shell at 24:09 so you could run the exploit?

when i try to use wfuzz it says "fatal error: you must specify a payload" i typed it letter for letter

My website has no vulnerabilities, it's just HTML and a little CSS.
Though there may be some on the server side (the stuff hosting the HTML and CSS files), but I'm just using something similar to GitHub pages, so I don't really have to worry about that stuff.

00:14 🚀 The video aims to demonstrate how hackers find vulnerabilities in websites and exploit them.
00:40 🕸 Hackers generally start by using the website normally, exploring every link, page, and feature.
02:31 ⚠ Directory listing should be disabled to prevent unauthorized access to files.
03:42 🛠 The video covers brute-force attacks to find hidden folders and features.
06:27 🔍 Port scanning is another method used to find potential weak points in the server.
11:06 📂 The video demonstrates a Local File Inclusion (LFI) vulnerability.
14:48 🤦‍♂ Developers should not leave backup files or comments that reveal sensitive information.
17:20 📤 File upload features should be properly coded to prevent abuse.
22:06 🎯 Exploiting vulnerabilities can lead to remote code execution on the server.
24:06 🛡 Keeping server and software up-to-date is crucial for security.
25:38 😱 The video concludes by showing how easy it is to deface a website if vulnerabilities are not addressed.

so what you're telling me is i should always have an ftp server with just an image of a troll face in it

- i got remote code execution on the server !
- i should use it to learn more about the server !
Said no hacker ever

Nice video, but for some reason I can't set up and use wfuzz in my pc(windows), what do I have to do?

You could've saved yourself a bit of brute forcing to find the upload dir by using the LFI to read the upload script. In general, I use any LFI I have to grab as much Backend code as I can to get a better understanding for what's happening behind the scenes, can highly recommend it

Sir please start an manual exploit development series Based on Real world exploits Like EternalBlue, SMBGhost, Discovering bugs in new SAMBA//Apache versions

This is a wonderful way to learn how to be a pentester I just wanna know how you install the Ctf/Chainz I'm getting confused, if you could explain what and how to do these stuff more specifically I would really appreciate it.🙏🙌

Really good Video and nice channel!

What server framework was this website created with? PureShit? None of my websites would display that "Index for /img" thing

Is the .env file safe, if i incert passwords there could they be hacked ??

So instead we publish website with standard naming convention on file system and routes in production, it is more secure to name files and folder with random ASCIIs maybe 256 long or more so that we can counter the exploits of the hacker tools?

As someone who does not have cybersecurity knowledge, what would the best forms of protecting your website be? Such as from brute force and by other means.

Dude , you're amazing !!

thanks to you now i can prevent attackers

as someone who lives in colorado, i can confirm that..
DO NOT TRUST THE WEATHER PREDICTIONS!
colorado is cool until they say its winter tomorrow but then its actually summer

I can change there front-end our not after this ???

We missed you bro

how do u hack the website if it’s made with all modern tools like react, webpack and hosted as a docker container on aws with correct configuration, which aws provides by default, i.e correct vpcs, security groups and so on?

Most of these vulnerabilities are disabled by default in apache, like directory traversal and directory listing.
Anyways good job

aight. this gotta go to watch later because i need to watch full verison of this when i got itme

Would you say hosting sites inside containers is a security feature? Any tips or videos on hackers penetrating Container layers?

Nice video! What tools are you using?

what's the template called

I really liked this video!

That Ubuntu 10 exploit. How do you look for it? Also what php code did you add into 1.jpeg

the goal of this video : never use php

24:15 What just happened here? How you gained access to the terminal of the server to run exploit?

Great Content ...

your could read the sshd config using the file reader exploit and gain the ssh password.

Does anyone have the link to that website?

In a few days I am anout to reactivate my server. The timing of finding this was perfect.

That was just insane !

I have little to no knowledge about this but I enjoyed this video! keep up

idk what youre doin but its entertaining

As someone who doesn’t know sh*t about cybersecurity this was fascinating!
Edit: I got into a companies admin dashboard; which contained the link to their code in Git hub. What now?

Wouldn't it be easier to find the uploads path by using the local file inclusion to see the uploader.php code?

I ask this about every time but it is interesting to me what is your nmapf alias full command?

How do you connect to servers shell, before you decode and compile exploit?

loved how you used malay for the click here button

What if the website rename the filename when uploading? It will be difficult to locate it no?

I watched your video. But i don't understand. How did you get access to server. You compiled something. It looks line base64 of something. But what was is that?
I which software you used for repeating or bruteforce requests.
I am not negative just interesting.

What tool did you use to send the api requests?

can you do something similar for a website built with javascript framework (for example sveltekit)?
i think a lot of the problems here come from php and apache server.
Of course, there would be several exploits in the javascript version as well, but I want to see the extent of those vulnerabilities.

You can also deface any other website you want, you just need to own it

Cool stuff dude