All-Army Cyberstakes - XXE Injection!

  • Published on 29 Oct 2024

Comments • 74

  • @aaronstone628 4 years ago +45

    CTFs have a learning curve I’ve been trying to master for months now... I’ve been burnt out and a bit depressed because of it. It’s nice to see your videos though can be a good source of motivation

    • @_JohnHammond 4 years ago +6

      Happy to hear that! I get burned out and pretty bummed with all the stuff going on too. Just gotta stay on the grind and take breaks when you feel you need to! Thanks for watching!

  • @PritamDas-oy3mq 4 years ago +7

    When i watch ur video i almost understand 20-30% of it.. and that other 70-80% make me more excited.. finally getting new content worth watching from youtube..
    Thanks 😀

  • @whowhoyousoundlikeanowl1217 3 years ago +1

    John, these videos keep me motivated and I’ve learned so much. Thank you very much for all your effort! You’re helping me in so many ways.

  • @billgen7663 4 years ago +17

    John you are inspiring me and moreover you are fun to watch. Keep up the good work! Greetings from Greece.

    • @_JohnHammond 4 years ago +1

      Very happy to hear that! Thank you so much!

  • @Sandesh98147 4 years ago +10

    CTFs and tryhackme rooms are some of the most entertaining yet informative videos of yours. Thank you!

    • @_JohnHammond 4 years ago +1

      Happy to hear that! Thank you so much for watching!

  • @mrdzha9519 11 months ago

    just wow! xml is really vulnerable! thank you for your job

  • @claudiafischering901 3 years ago

    Nice to know. XXE Injection is great. I learn much of the video and know how to secure my own server against. Thanks for this video to share with us. Great Job!

  • @jorisschepers85 4 years ago

    Keep them coming John. Very informative!

  • @vrajpatel4664 4 years ago

    Wow. I solved some of the challenges in this particular CTF, but this video provided really great insight for that injection problem. Thanks @John Hammond.

    • @_JohnHammond 4 years ago +2

      Thanks so much for watching! Currently I have 15 videos in the backlog for ACICTF, and I hope to release them each Monday/Wednesday/Friday. Once the challenges come back up I'll try and record more, and hopefully solve some others too!

  • @develepre 4 years ago +1

    I'm in love with this format !!! Continue like this or better ;)
    Hi, from Italy🙂

  • @SumitSharma-tw9wj 4 years ago +1

    Okay that's interesting and insane at the same time ...thanks John

    • @_JohnHammond 4 years ago

      Ha, ACICTF had some really cool challenges! Thanks so much for watching!

  • @viv_2489 3 years ago

    Super duper cool challenge and explanation 👍

  • @bagusprabangkoro4334 4 years ago +1

    I'm hooked up with your videos :D
    As web developer I know the normal way how server works, but this exploit, it blew my mind :O
    I've never imagined such possibilities .

  • @phunh0use 4 years ago

    John. you, my friend, are awesome.

  • @annafan83 4 years ago

    OMG. Brilliant! Thanks for sharing

    • @_JohnHammond 4 years ago

      Thanks so much for watching!

  • @popooj 3 years ago

    hope to reach your level of mastering all this... you're so damn good !! incredible !!

  • @mateenkiani6858 4 years ago

    Thanks man!

  • @padaloni 4 years ago

    Awesome, bro!

  • @mi2has 4 years ago +1

    That was one excellent video!

    • @_JohnHammond 4 years ago

      Thank you so much! And thanks for watching!

  • @MaoooR13 4 years ago

    Awesome video!
    but I'm curious, if you would've sent in the title CYBER and then ran the xxe
    wouldn't it solve the one-liner wrapper issue?

  • @ashutoshpanda4336 4 years ago

    mind-blowing...... thanks man

    • @_JohnHammond 4 years ago +1

      Thanks so much for watching!

  • @neilthomas5026 4 years ago

    Very cool video as always!

    • @_JohnHammond 4 years ago +1

      Happy to hear that, thank you for watching!

  • @danylozhydyk9086 4 years ago

    Well now I know what I would do this summer)

  • @jakobcranium148 4 years ago +1

    can't get enough of your videos! very entertaining and educational as well, please do more of these and also try hack me's :)

    • @_JohnHammond 4 years ago

      More TryHackMe coming up! I try to release videos for THM each Tuesday and Thursday. I know I've got to do more KOTH, so many people keep asking for it. Maybe I'll have to pivot to Twitch to do some of those! Thanks so much for watching

  • @HTWwpzIuqaObMt 2 years ago

    Nice vid as always, anyways have u replaced ls with exa? And if yes what are your aliases like ll ls la etc.

  • @ayushksaxena5924 4 years ago

    Great!

  • @letsgocamping88 4 years ago +1

    From a Hobbyist web dev point of view these videos really help to highlight where the vulnerabilities are in my code.

  • @tracetv8115 4 years ago

    Ty for ur damn nice videos! Can u make a video about ur hacking setup like where did u host ur server, which programs u use etc.

  • @LokayB455 4 years ago +1

    wo John :D Mind Blowing

    • @_JohnHammond 4 years ago

      Thank you so much for watching!

  • @odenko7680 3 years ago

    Hey john i was going good with you until u did make.php ?countr y' , how did you call the country and then you started new command ,,, i think i did understand that when i was explaining that lol
    thank you

  • @WhiterockFTP 4 years ago +1

    why did you need the reverse shell? At the point where you could run id, couldn‘t you have just ran ./flag like the hint suggested? :)

    • @_JohnHammond 4 years ago +1

      You're right, the reverse shell wasn't entirely necessary -- but I think it is good to do whenever you can, maintain some easier access on the box. In case the binary needed like a full PTY or if it had some gimmicks like requiring input, I certainly prefer to have the command-line control. Thanks for watching!

  • @vivekverma30494 4 years ago

    WOW

  • @ca7986 4 years ago

    ♥️

  • @MatejDujava 4 years ago +7

    Hi, you didn't need to make revshell, you could just read dir content and execute it after breaking out of sed command.

    • @theepicgamer1196 4 years ago

      He probably did it just because that is what he felt most comfortable with.

    • @_JohnHammond 4 years ago +10

      True! But, hey, what's to stop us from having full access and nice-and-easy command control :) I think whenever you _can_ get a full reverse shell, it is a good thing to go for!

    • @MrPaddy35 4 years ago

      yep i thought the same , just read the flag right but tbh he will have to use multiple commands and decode every time right cause it's a binary

  • @recon0x7f16 2 years ago

    why is it suspended

  • @robertadamplant 4 years ago

    You did this in under 30 minutes? Dude.

    • @robertadamplant 4 years ago

      Please can you do a walk through of how you solved Move ZiG? I was (and still am) debugging my client side script.

    • @_JohnHammond 4 years ago

      @robertadamplant Well, keep in mind I had solved this previously (and that probably took like 3-4 hours, who knows) but the video is an after-the-fact writeup with a little acting artifice to sprinkle some curiosity and entertainment into the video ahaha. Thanks for watching!
      I can definitely showcase Move ZIG! That should come next week!

  • @Synceditxboxoffice 3 years ago

    i love you

  • @thatcrockpot1530 4 years ago

    Plicked!
    That was a bit of a brainfuck, but good job man.

  • @prakharsatyam6259 4 years ago

    Hey John this is from a person who is not so experienced in this genre and I want to actually understand what you are saying I'm new to programming and even a bigger noob in pen testing and try hack me stuff it would be really helpful if you could tell me what i should start with thank you 😄😄

    • @_JohnHammond 4 years ago

      Have you checked out some of my other videos? TryHackMe has a lot of great stuff for beginners! And are you tracking some of the upcoming games on CTFtime.org, have you worked through Bandit from OverTheWire?

  • @DHIRAL2908 3 years ago

    Ah I think we could have used the data:// or expect:// php wrapper to get RCE quickly haha. Or maybe they were blacklisted...

    • @waterlord6969 3 years ago

      If the PHP code is reflecting the input into the web page, then why didn't he just use php?? He could just have used this:
      If in the web page is 1 ( in the title ), then there is an easy RCE...
      Why didn't he realize it right after seeing this? 🤣

  • @therealgunny 4 years ago

    only an absolute beginner codes like that but, nevertheless a fun challenge

    • @_JohnHammond 4 years ago +3

      I will always be an absolute beginner, probably even 50 years from now -- still more to learn! And hey it's a dirty CTF script, a flag is a flag ;)
      Thanks so much for watching!

  • @LegacyVision. 4 years ago

    could you not just strings the ./flag and sed new lines to a single line? no need for BYOB or revshells.

    • @_JohnHammond 4 years ago

      You're right, you totally could -- I guess I prefer getting the reverse shell whenever possible, so I am not unknowingly fighting against bad characters or weird things that might get in the way. But yeah, you could just execute it in the current directory or try strings and get your flag easily enough :P Thanks for watching!

  • @123strelok 4 years ago

    HC

  • @gin263 4 years ago

    hello,can you addition subtitle in your video,3Q

    • @_JohnHammond 4 years ago

      If you turn on closed captioning/subtitles that might help! Thanks so much for watching!

  • @livecode9190 4 years ago

    first?