Stored XSS and IDOR with Predictable HMAC Generation - "knock-knock" Web Challenge [DiceCTF 2022]

  • Published on 2 Oct 2024

Comments • 30

  • @_CryptoCat  2 years ago +2

    Somebody commented about the issue I was having with the NodeJS crypto library but it disappeared 🤔 Not sure if it was deleted or just YT being weird again but in case anybody else is interested:
    They suggested that it's possible to have a version of node without crypto support compiled in - I did install the packages via NPM for local testing though so I would have thought that should have worked, maybe I'm misunderstanding something 😁
    They also pointed out that you'll get different secret strings depending on the function's code, which will vary from version to version!

    • @allthingsreversed 2 years ago +2

      I also don't see my comment where I've commented that this API function was added in 15.6.0. Probably it disappeared due to the link in the comment.

    • @_CryptoCat  2 years ago +1

      @allthingsreversed Thanks! I don't understand why YT comments with links never appear in the "Held for Review" tab, it's been broken for the past year at least 😑

    • @CoolFire666 2 years ago +2

      Yeah, that was me. I was wondering what happened to it :(
      Anyway, I also did later make an edit when I figured out that the Parrot OS provided version is indeed too old to have that randomUUID function.

    • @_CryptoCat  2 years ago +1

      @CoolFire666 Ah yes, it was you! Thanks for the update 😊

    • @Shiro-yk3ug 2 years ago +2

      Awesome video @CryptoCat! Could you please post some writeups for the other DiceCTF challenges as well? I couldn't solve any challenges this time and would love to learn from you :)

  • @tingping7684 2 years ago +2

    Great video! Sorry, I don't know exactly what "webup" you use at 1:27?

    • @_CryptoCat  2 years ago +1

      thanks mate! it's just a bash alias i have setup to run "sudo python3 -m http.server 80" 😉

  • @Sh3lld0n 2 years ago +2

    Hello sir! I can't download pwndbg on my Kali Linux. I have an error in the unicorn version. Can you help me?
    Problem: angr 9.1.10913 requires unicorn==1.0.2rc4, but you have unicorn 1.0.2 which is incompatible.

    • @_CryptoCat  2 years ago +1

      Hmmm haven't seen this one, you could try to update unicorn with "python -m pip install --upgrade unicorn"
      Are you following the install instructions from: github.com/pwndbg/pwndbg#readme ?

    • @Sh3lld0n 2 years ago +1

      @_CryptoCat Yes, I did.
      I have some questions about security OSes. Kali Linux or Parrot OS? What OS do you recommend?

    • @_CryptoCat  2 years ago +1

      They are both great tbh. I used Kali for many years (since backtrack5) and at one point I had a lot of issues (mainly with python) and decided to give Parrot a go. They are both very similar, with similar tools and interfaces but I've not had many problems with Parrot and really like the look and feel of it out of the box 😊

  • @cctus 2 years ago +2

    So freakin cool - thanks for sharing

  • @newton4098 2 years ago +2

    wow, fuckin wow!

  • @lmj1100 2 years ago +2

    Thanks for your writeup!

  • @_techwaves 2 years ago +2

    great writeup!

    • @_CryptoCat  2 years ago +2

      thanks mate! 🥰

  • @0xgodson119 2 years ago +2

    Really wonderful chals, btw after a long break I am watching your writeup

    • @_CryptoCat  2 years ago +2

      nandri 🥰

    • @darklord_656 2 years ago +2

      @_CryptoCat man you're literally great.... u even remember ur fans and their language really hats off also i really like your videos and how u explained them so that everyone can understand it 👍👍❤❤🔥🔥🔥

    • @_CryptoCat  2 years ago +1

      awww thanks mate 💜

  • @adamtain.8931 2 years ago +2

    Great video as always. I was working on this chal as well, when I first saw the note URL I immediately knew what type of attack I would target, but the function call without the parentheses was so LUL

    • @_CryptoCat  2 years ago +2

      Thanks mate! It was indeed, I didn't even notice, actually a teammate got it. I was too busy trolling with the XSS 😂

    • @adamtain.8931 2 years ago +1

      @_CryptoCat The Blazing/XSS chal drove me crazy, I was so close but didn't know the Unicode character length trick.
      Do you guys have a Discord server that I can join and discuss sometimes?

    • @_CryptoCat  2 years ago

      I'm in a Discord group with a team but it's not been very active for a few months. You can DM me on Discord though crypto#4049

  • @xsly672 2 years ago +3

    You were getting “undefined” because that’s what it should return if the function isn’t called and is only being referenced. The “secret” part was clear since it was hard coded.
    Hope this answers your question.
    Great video!

    • @_CryptoCat  2 years ago

      Thanks mate! The undefined thing turned out to be a NodeJS version issue. The function was being referenced rather than invoked so it should have printed the function code (like at 8:02). It was that code we needed as the secret but if using Kali/Parrot, the default node version wouldn't provide it due to missing crypto library function, instead printing "undefined" (same with tio.run).
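Added example, not code from the video or the challenge: the referenced-versus-invoked bug discussed in the thread above, next to a corrected secret generator and a startup check that would have flagged it. The HMAC-SHA256-over-note-id token scheme and the names weakSecret, strongSecret, token and secretLooksStatic are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// BUG (as described in the thread): randomUUID is referenced, not called.
// The template literal stringifies the function itself, so the "secret" is
// the function's source text, or "secret-undefined" on Node builds that
// predate crypto.randomUUID. Either way it is identical on every start.
const weakSecret = () => `secret-${crypto.randomUUID}`;

// FIX: actually invoke a CSPRNG. randomBytes is used here instead of
// randomUUID() because it also exists on older Node versions.
const strongSecret = () => `secret-${crypto.randomBytes(32).toString("hex")}`;

// Assumed token scheme: HMAC-SHA256 over the note id, hex encoded.
function token(secret, id) {
  return crypto.createHmac("sha256", secret).update(String(id)).digest("hex");
}

// Defensive check for startup or unit tests: a secret that is meant to be
// random must differ between two generations and must not contain
// stringified code or the literal "undefined".
function secretLooksStatic(makeSecret) {
  const a = makeSecret();
  const b = makeSecret();
  return a === b || /undefined|function|native code/.test(a);
}

// With the weak secret, a token for any note id is the same on every
// restart, so an IDOR guard built on it gives no protection.
console.log("weak secret static:  ", secretLooksStatic(weakSecret));
console.log("strong secret static:", secretLooksStatic(strongSecret));
console.log("weak token for id 7 repeats:",
  token(weakSecret(), 7) === token(weakSecret(), 7));
```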