Absolutely ROCKING the OnlyFeet t-shirt, Juan!
I'm pretty attracted by this. That teaches us no one should send back any external info without any sanitization to the front-end, or at least hide server info by using apache, nginx, litespeed kinda stuff.
Imagine getting hacked by a color picker
It's not the color picker the problem here...
The problem is the developer of the application that does not sanitize the user input and messes up with the render engine
@maurox1614 ok
r/whooosh
It can pick you like tickles, you know...
Hey John,
This was hands down the best and most interesting ctf I have participated in. Thanks to you and the team for putting so much effort and detail into the challenges. It really paid off.
Definitely got excited when I saw this video because this was a fun one to solve.
Looking forward to the next ctf, and maybe you'll join us for Longhorn next time ;)
damn you guys are insane. really look up to people like you as a beginner. wish i could be one of the few people like you who solve interesting challenges.
I was honestly too dumb to solve everything past the "Read the rules" challenge, although I could easily follow along when you described and explained it now. Or maybe I was simply too tired…
Really fun CTF but honestly, some of the "warm up" exercises (like this one) should have been in the medium category.
yeah agree, it's not warm-up anymore, it's just straight burning
I have been learning for years from you John, I remember when you had just a couple of thousand subs. I'm glad I've come a long way. Thank you.
It was an amazing CTF, thank you for hosting it! This challenge was quick and fun too!
Finally a ctf writeup! I miss these
I must say it is kind of funny Snyk, as a SAST vendor, didn't alert on the vulnerability.
noooo i had the RCE (i did not think to look into the readfile because i am greedy) and saw the object array but didn't know how to get the output displayed until this video!! haha cool challenge
I really enjoyed the CTF! Thanks
Felt like these were too involved for "warm-up" flags and descriptions weren't great either. This flags description said Snyk can find it. I spent hours trying to figure out Snyk, only to find out it can't find it (at least from what I could see)
SSTI is pretty neat
OnlyFeet 😂😂😂😂 where do you find these t-shirts 😭
@demotedc0der I made them for DEFCON 31
I kept trying to figure out how to read the flag.txt file using the include function from ejs itself, but you can only load .ejs files that way. I didn't realize it's basically an eval where you can do anything within Node.
I've been doing the Huntress CTF and have solved some things I have never done before. I don't think I would have solved this. Just keep at it and keep learning something new.
Very colorful - had to say it!☺️
good man John Hammond, good man
i missed the ctf :( is there a way to play it afterwards?
Plz upload the solution of finders keepers
I spent way too much time trying to get the snyk scan to work and got so frustrated. "Snyk Code is not supported for org: enable in settings > Snyk code" How?
snyk test or monitor "tested 74 dependencies for known issues, no vulnerable paths found." ?
Ya, which I wasn't able to
This was a really interesting challenge!
that was marked as an easy challenge? rip
Great challenge
Easy he says
This is why you're the best! 🎉
Awesome content💥💥💥
Best content every time 🎉 plz share how to hack WhatsApp, plz make a brief video ❤
Hacking should only be done in an ethical scenario. “Hacking WhatsApp” is nowhere near that easy, and shouldn’t be done unless you have permission. John’s not gonna go to prison so that you can see who your ex is chatting with lmao
first!
Second!
❤❤❤❤❤❤❤❤❤❤❤
🎉third