Thanks to Patreon and YouTube Members, there is also now a write-up blog about this video: liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
Could you also execute this attack with http 1.0 without a host header and a redis command as header?
@es9596 The request is sent by the GitLab server; an attacker cannot decide which utility/HTTP version the backend uses.
Nice video, can you help us understand Windows server security mechanisms and exploit development?
I didn't understand everything in this video, but the part where the newlines came in was amazing.
I didn't understand anything
@Etched Inverse Yeah, I started Ruby scripting and already wrote myself a working wifi jammer with only one wireless interface.
The only thing I know for sure that I will remember is that the SSRF from GitLab is so common that Redis basically said f*** it, I'm fixing it myself.
Love your videos, keep going
I am not at the stage of understanding these videos, but I like them anyway.
Me too bro
LOL, actually IPv6 wasn't enabled during the CTF (except the last hour; it was announced that the organizers decided to turn it on) and it's possible to solve the challenge without IPv6 ;)
Oh damn, really? Do you have a writeup about that?
@LiveOverflow Well, the difference is only in the first step where you trigger the SSRF. As far as I remember, we (LC/BC) pwned flaglab through repository mirroring.
Oh, but you didn't use IPv6 for that? Did IPv4 work there?
@LiveOverflow Yes. It uses the git protocol, so it's possible to use CRLF and craft Redis commands.
@paul_axe Ah, the repository mirror still allowed IPv4 localhost?
Years have passed since I watched this video for the first time and could not understand much, but now I understand everything. Great content!
Thank you for the clear and detailed explanations, unlike some techies who just throw super complex terms at you without explaining. Like and subscription well deserved.
"this is so easy" yeah.. alright.
Burn Stick super easy compared to the ETH smart contract flag.
To be fair, he did say "simple", not "easy" haha, but yeah, this isn't exactly the most obvious attack in the world
It is just 2-3 hours of work, yeah, sure. ;)
Seems like `redis` should just have a "strict" mode, which always exits on the first invalid command.
@kronsyc339 This reply was not worth the two year wait.
LiveOverflow, you should do a livestream next time you apply to a CTF challenge.
I would be interested to see all the researching and "failing" before finding the flags.
Mr.Kristian252 The problem is it would help other people doing the CTF; this is why he does all the videos after the CTFs are over.
@TheHeroBrine He can do a livestream of doing a CTF after it is over.
I didn't understand most of what you are doing, but this is super cool stuff, man.
Nice, love the real world CTF videos.
Awesome info 👍. I can't understand the viewers who downvoted. Good job.
Pretty straight forward and well explained! Thanks.
I like that you went back to solve it!
Man, I really wish I could understand anything he is talking about. It would be cool to learn hacking by watching someone so high level and learning from him.
"You might need an 0day" that the organizer found.
This tutorial is soooo good. Crazy that this content is free.
Great explanation and easy to follow
You should have mentioned:
`docker-compose up -d`
You can autocomplete the container name when running docker exec
also, `docker-compose exec web bash`, where "web" is the simple name of the service in the compose file (name is line 1 of compose file seen at 1:52)
Btw, when you already use docker-compose you can use it for entering the container as well, by just giving it the service name from your docker-compose.yml (e.g. `docker-compose exec web bash`).
Thanks for explaining!
Really cool as always.
I am waiting for the next video on XSS :)
I like the way you explain things :). Is the CTF available as an ISO for download to practice?
There is an HTB machine (Ready) with this vulnerability.
Man, you are awesome. Hacking is sharing, and you made this phrase work. Great job.
I'm pretty new to this whole CTF thing and I was wondering how you might find a key that wasn't on the client-side somewhere, but on the server side. Let's say I want to retrieve a key, but you can only get it after inputting the right code. I would probably start by viewing the page source and looking for different links, but I haven't got any ideas beyond that.
I need to buy this guy a beer.
Nice video, good luck for you, dude...
Great vid. Nice effort.
It shouldn't bypass `localhost.` (with a dot at the end). (Regarding Chrome and proxies.)
Presumably you would not be able to apt install netcat on the real CTF challenge, so you would exfiltrate the flag with something like curl instead?
Given the times I've seen Redis used for an exploit (due to its "too" simple interface), I feel like it's becoming the next Flash. Broken from a security perspective and just band-aids slapped on until the next vulnerability. While interactive soft fails (i.e. bad commands) might be useful in some conditions, it seems like in common use, the moment it hits any error it should disconnect, not just blindly keep going. But maybe Redis has fixed that issue in the years since this video was made.
Never clicked so fast!!!
I can't understand all of what you said, but I will be back ;) Link bookmarked :D
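An added example (not LiveOverflow's code, nor Redis' or the CTF's) that simulates the three behaviours this thread talks about: a server that keeps going after a bad command, Redis' own fix alluded to in the "redis basically said f*** it" comment (since Redis 3.2 a command named `POST` or `Host:` kills the connection as a suspected cross-protocol attack), and the strict "disconnect on the first error" mode proposed here. The toy server, its command table and the sample byte stream are all constructed for this illustration.

```python
# Added example: a toy inline-command reader that consumes a raw TCP stream
# line by line the way a Redis-style server does, so that lenient, Redis-like
# and strict error handling can be compared side by side. Not real Redis code.
from typing import List, Tuple

def _run(cmd: List[str], store: dict) -> str:
    """Minimal stand-in for a command table: PING, SET and GET only."""
    name = cmd[0].upper()
    if name == "PING":
        return "+PONG"
    if name == "SET" and len(cmd) == 3:
        store[cmd[1]] = cmd[2]
        return "+OK"
    if name == "GET" and len(cmd) == 2:
        return "$" + store.get(cmd[1], "(nil)")  # simplified reply encoding
    return "-ERR unknown or malformed command '%s'" % cmd[0]

def serve(stream: bytes, mode: str) -> Tuple[List[str], dict]:
    """Consume an inline-protocol stream; mode is 'lenient', 'redis' or 'strict'.
    Returns the replies that would be sent and the resulting key store."""
    store: dict = {}
    replies: List[str] = []
    for raw in stream.split(b"\r\n"):
        line = raw.decode("latin-1").strip()
        if not line:
            continue  # empty inline lines are ignored, as in Redis
        parts = line.split()
        # Redis' own protection: a "POST" or "Host:" command name means an
        # HTTP request reached the data port, so the connection is dropped.
        if mode == "redis" and parts[0].lower() in ("post", "host:"):
            replies.append("(connection closed: possible security attack)")
            break
        reply = _run(parts, store)
        replies.append(reply)
        # The mode proposed in the comment: one error and the client is gone.
        if mode == "strict" and reply.startswith("-ERR"):
            replies.append("(connection closed: strict mode)")
            break
    return replies, store

# Constructed sample: an HTTP request that a confused-deputy client delivered
# to the Redis port, with one extra line smuggled in between the headers.
SAMPLE = (b"POST /index HTTP/1.1\r\n"
          b"Host: 127.0.0.1:6379\r\n"
          b"SET marker injected\r\n"
          b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for mode in ("lenient", "redis", "strict"):
        replies, store = serve(SAMPLE, mode)
        print("%-8s store=%s last reply=%s" % (mode, store, replies[-1]))
```

Only the lenient server ends up with `marker` set; both protective modes drop the stream before the smuggled line is reached.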
2 months later...
12:33 Redis Commands not Reddit
Amazing stuff!
You should use a Docker Hub mirror in China to speed up your download, because the global bandwidth in China is just not enough for 1 billion internet users.
Make a video about your setup: computer specs, OSes, tools and setups (for VMs and stuff like iTerm).
Tools are Docker inside Vagrant)
Plz!! Can someone tell me what knowledge is required to understand all the stuff in the video!
Studying computer science and knowing the right people...
Watch more of his videos, you might get a rough idea.
Try to install Linux on your PC. Try to deploy some apps like GitLab using git. Try to work with some APIs like Facebook/Telegram. Combine all these things)
But the original container didn't have netcat installed.
It was just for debugging during exploit development. Netcat is not needed in the actual exploit. The exploit only executed “cat”
I guess you could have just sent a command to install netcat before sending the actual payload for retrieving the flag
LiveOverflow The exploit used netcat to send the output of cat to your computer… But that isn't a problem. curl could be used instead.
Ooops. Haha lol you are right
In the future, remember to always ask yourself this question:
"Would they include a live/unpatched vulnerability in a CTF?"
Probably not.
Dude, are you the same guy as BattleNonSense?
Imagine if you got to the last step on the real CTF, and since the real server doesn't have nc you sent it `apt update && apt install -y netcat`, so it would update GitLab as well.
Hahh. But that step was just done during exploit development. Netcat is not part of the actual exploit in the end.
Wait, why would that command update GitLab? You're just updating repos and installing netcat.
@baranoid Oh right, I thought it was up*grade*.
How do you solve a challenge like this in a day though? It seems you need to have really deep knowledge across a wide range of the technologies being used. I've used Redis, but I don't really know in detail the protocol it uses and everything.
That's exactly what it is; the amount of previous experience you need for these things is quite large.
As I mentioned in the video, this SSRF to Redis has been quite commonly known for a few years. When you try to follow the news and follow good people on Twitter, you will probably come across a writeup eventually. And if you think about it, you also just learned about it, and from now on you know it works :)
This kind of knowledge is passed on through talks, blogs (and now videos).
I keep hearing you saying REDDIT instead of REDIS lolol
Who's here after HTB's Ready?😛
Hey, I am a beginner on HTB, and Ready is the first machine I'm solving; in the process I reached here.
I didn't understand at 7:00. How did he get that shell? Can you pls help?
@noname2588o Hi! Try looking in the online article LiveOverflow published. Use the encoded version of the payload at the end!
@DHIRAL2908 Thanks bro!!
@DHIRAL2908 Thanks for helping, bro. I know it is a very noob question, but he used his local IP in that payload; I should use my IP over the VPN, right?
XSS is 'uninteresting'??
Web-Based Exploits... You already solved, 1 day is enough.
What kind of program does he use for repeating requests?
Sike, got it already: Burp :)
Any good tips for a good laptop I should buy for CEH?
Intel i5+, DDR4 8 GB+, GTX 1050+
I love to watch your videos and your way of solving problems. I just wanted to know, do you have a Discord server or a similar group which we can join for CTFs?
Thanks a lot. 🚩🚩👍🚩🚩
I don't know how much time I need to get to this level.
Just don't think about it and keep digging if you are interested in it at all.
Shouldn't the title be *2019*??
No, as stated, the CTF was played in December 2018.
People solving Ready on HTB, mark your attendance.
"grrrr"
ye boi
Why is it a 0day when it was actually a 1day by the day he posted it online lol
"damn, this is so simple!" uh-huh..
Isn't this 11.4.8?
It was patched for 11.4.8
The vulnerable version is as mentioned gitlab/gitlab-ce:11.4.7-ce.0 ;)
LiveOverflow I knew I screwed up 😂
Thank You 😁
Please switch from 25p to 30p. The judder is distracting. If you want to be really nice, record at 60p; most of your content is screen based, so the smooth scrolling and snappy terminal response would be nice.
What do you mean by p?
Are you talking about FPSs?
@nilsirl Yes
Just because of tips like that, I don't wanna read tips in CTFs.
wtf is going on?
anddddddd gitlab is down.....
I love you , no homo
First
Going to a CTF is totally worth bowing to an authoritarian government lol! Haha #SecurityIsCool
Get some sleep
Hey, fifth comment I guess...
I understand individual things you do but don't understand anything as a whole.
Me too. It's an experience
First comment