Thanks to Patreon and RUclips Members, there is also now a write-up blog about this video: liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
Could you also execute this attack with http 1.0 without a host header and a redis command as header?
@@es9596 The request is sent by the GitLab server; an attacker cannot decide which utility/HTTP version the backend uses.
Nice video, can you help us understand Windows Server security mechanisms and exploit development?
I didn't understand everything in this video, but the part where the newlines came in was amazing.
I didn't understand anything
@Etched Inverse Yeah, I started Ruby scripting and already wrote myself a working wifi jammer with only one wireless interface
i am not at the stage of understanding these videos but i like them anyway
Me too bro
LOL, actually IPv6 wasn't enabled during the CTF (except the last hour, it was announced that the organizers decided to turn it on) and it's possible to solve the challenge without IPv6 ;)
oh damn really? do you have a writeup about that?
@@LiveOverflow well, the difference is only in this first step where you trigger the SSRF. As far as I remember we (LC/BC) pwned flaglab through repository mirroring
Oh, but you didn't use IPv6 for that? Did IPv4 work there?
@@LiveOverflow yes. it uses git protocol so it's possible to use CRLF and craft redis commands
@@paul_axe Ah the repository mirror still allowed IPv4 localhost?
Years have passed since I watched this video for the first time and I could not understand much, but now I understand everything, great content!
Thank you for the clear and detailed explanations unlike some techies who just throw super complex terms at you without explaining. Like and subscription well deserved.
Seems like `redis` should just have a "strict" mode, which always exits on the first invalid command.
@@kronsyc339 This reply was not worth the two year wait.
"this is so easy" yeah.. alright.
Burn Stick super easy compared to the ETH smart contract flag.
To be fair, he did say "simple", not "easy" haha, but yeah, this isn't exactly the most obvious attack in the world
It is just 2-3 hours of work, yeah, sure. ;)
LiveOverflow, you should do a livestream next time you apply to a CTF challenge.
I would be interested to see all the researching and "failing" before finding the flags
Mr.Kristian252 the problem is it would help other people doing the ctf, this is why he does all the videos after the ctfs are over.
@TheHeroBrine he can do a livestream of doing a CTF after it is over
Awesome info 👍. I can't understand the viewers who downvoted. Good job.
I didn't understand most of what you are doing but this is super cool stuff man
Nice, love the real world CTF videos.
Man, I really wish I could understand anything he is talking about. Would be cool learning hacking and watching someone so high level and learning from him
Pretty straight forward and well explained! Thanks.
I like that you went back to solve it !
"You might need an 0day" that the organizer found.
This tutorial is soooo good. Crazy that this content is free.
btw. when you already use docker-compose you can use it for entering the container as well by just giving it the service name of your docker-compose.yml (e.g. "docker-compose exec web bash")
I need to buy this guy a beer.
You should have mentioned:
docker-compose up -d
You can autocomplete the container name when running docker exec
also, `docker-compose exec web bash`, where "web" is the simple name of the service in the compose file (name is line 1 of compose file seen at 1:52)
Man, u are awesome.. hacking is sharing and u made this phrase work.. great job
i am waiting for next video on XSS :)
Great explanation and easy to follow
Thanks for explaining !
Given the times I've seen Redis used for an exploit (due to its "too" simple interface), I feel like it's becoming the next Flash. Broken from a security perspective and just band-aids slapped on until the next vulnerability. While interactive soft fails (i.e. bad commands) might be useful in some conditions, it seems like in common use, the moment it hits any error it should disconnect, not just blindly keep going. But maybe Redis has fixed that issue in the years since this video was made.
Really cool as always.
i can't understand all what u said , but i will be back ;) link bookmarked :D
2 months later...
I like the way you explain things :). Is the ctf available as ISO for download to practice?
There is HTB machine (Ready) with this vulnerability.
never clicked so fast!!!
In the future, remember to always ask yourself this question:
"Would they include a live/unpatched vulnerability in a CTF?"
probably not.
Nice video, good luck for you, dude...
great vid. nice effort
imagine if you got to the last step on the real ctf, and since the real server doesn't have nc you sent it "apt update && apt install -y netcat" so it would update gitlab as well
Hahh. But that step was just done during exploit development. Netcat is not part of the actual exploit in the end
wait why would that command update gitlab? you're just updating repos and installing netcat
@@baranoid oh right i thought it was up*grade*
It shouldn't bypass localhost. (with dot at the end). (regarding Chrome and proxies)
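The mirroring thread above (an IPv4 route to the local Redis via CRLF in a git URL) and the remark about `localhost.` just above both come down to one server-side check: validating a user-supplied import URL before the backend fetches it. The Ruby below is an added example, not GitLab's code; the module name, the injectable resolver and the sample URLs are assumptions.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example, not GitLab's own code: decide whether a user-supplied
# import/mirror URL may be fetched by the server at all.
module ImportUrlCheck
  ALLOWED_SCHEMES = %w[http https git].freeze
  # 0.0.0.0/8 reaches the local host on Linux and is not covered by loopback?
  ZERO_NET = IPAddr.new("0.0.0.0/8")

  # Returns :ok or a symbol naming the reason for rejection.
  # resolver: callable mapping a hostname to its address strings
  # (injectable so the check can be exercised without real DNS).
  def self.check(raw, resolver: ->(h) { Resolv.getaddresses(h) })
    # Decode %XX first, so %0D%0A is caught as well as a literal CR/LF.
    decoded = raw.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    # Any control character lets the URL smuggle extra lines (for example
    # Redis commands) into the backend's request, so reject outright.
    return :control_chars if decoded.match?(/[\x00-\x1f\x7f]/)

    uri = begin
      URI.parse(raw)
    rescue URI::InvalidURIError
      return :unparseable
    end
    return :bad_scheme unless ALLOWED_SCHEMES.include?(uri.scheme)

    # hostname strips IPv6 brackets; chomp drops a trailing dot ("localhost.")
    host = uri.hostname.to_s.chomp(".")
    return :no_host if host.empty?

    # Literal address? Otherwise resolve and check every returned address,
    # so "localhost" and DNS names pointing at 127.0.0.1 or ::1 are caught.
    addrs = begin
      [IPAddr.new(host)]
    rescue IPAddr::InvalidAddressError
      resolver.call(host).map { |a| IPAddr.new(a) }
    end
    return :unresolvable if addrs.empty?
    return :internal_target if addrs.any? { |ip| internal?(ip) }
    :ok
  end

  def self.internal?(ip)
    # ::ffff:127.0.0.1 is IPv4 loopback in disguise; compare its native form.
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    ip.loopback? || ip.private? || ip.link_local? || (ip.ipv4? && ZERO_NET.include?(ip))
  end
end
```

The check resolves names itself, so the later rebinding of a DNS name between check and fetch is still out of scope; pin the resolved address for the actual request if that matters.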
I keep hearing you saying REDDIT instead of REDIS lolol
you should use docker hub mirror in China to speed up your download, because the global bandwidth in China is just not enough for 1 billion internet users.
Amazing stuff !
Presumably you would not be able to apt install netcat on the real CTF challenge, so you would exfiltrate the flag with something like curl instead?
I'm pretty new to this whole ctf thing and I was wondering how you might find a key that wasn't on the client-side somewhere, but on the server side. Let's say I want to retrieve a key, but you can only get it after inputting the right code. I would probably start by viewing page source and looking for different links, but I haven't got any ideas beyond that.
But the original container didn't have netcat installed.
It was just for debugging during exploit development. Netcat is not needed in the actual exploit. The exploit only executed “cat”
I guess you could have just sent a command to install netcat before sending the actual payload for retrieving the flag
LiveOverflow The exploit used netcat to send the output of cat to your computer… But that isn't a problem. curl could be used instead.
Ooops. Haha lol you are right
Make a video about your setup: Computer Specs, Os'es, Tools and Setups (for vm's and stuff like iTerm)
Tools are Docker inside Vagrant)
Web-Based Exploits... You already solved, 1 day is enough.
Plz!! Can someone tell me what the required knowledge is to understand all the stuff in the video!
studying computer science and knowing the right people..
Watch more of his videos, you might get a rough idea.
Try to install Linux on your PC. Try to deploy some apps like GitLab using git. Try to work with some APIs like Facebook/Telegram. Combine all these things)
I don't know how much time i can get to this level.
Just don't think about it and keep digging if you are interested on it all.
How do you solve a challenge like this in a day though? It seems you need to have really deep knowledge across a wide range of the technologies being used. I've used redis but I don't really know in detail the protocol it uses and everything
that's exactly what it is, the amount of previous experience you need for these things is quite large
As I mentioned in the video, this SSRF to redis has been quite commonly known for a few years. When you try to follow the news, follow good people on twitter, then you probably will come across a writeup eventually. And if you think about it, you also just learned about it and from now on you know it works :)
This kind of knowledge is passed on through talks, blogs (and now videos)
Dude are you the game guy as BattleNonSense?
12:33 Redis Commands not Reddit
I love to watch your videos and your way to solve problems. I just wanted to know Do you have Discord server or like that grp, which we can join for CTFS?
Thanks a lot. 🚩🚩👍🚩🚩
Why is it 0day when it's actually 1day by the day he posted it online lol
ye boi
Any good tips for a good laptop I should buy for CEH?
Intel i5+, DDR4 8 GB+, GTX 1050+
Who's here after HTB's Ready?😛
Hey, I am a beginner on HTB and Ready is the first machine I'm solving and in the process I reached here.
I didn't understand at 7:00. How did he get that shell? Can u pls help
@@noname2588o Hi! Try looking in the online article LiveOverflow published. Use the encoded version of the payload at the end!
@@DHIRAL2908 Thnx bro!!
@@DHIRAL2908 Thanks for helping bro. I know it is a very noob question but he used his local IP in that payload, but I should use my IP over the VPN right?
Shouldn't the title be named as *2019* ??
No, as stated the CTF was played December, 2018
what kind of program does he use for repeating requests?
sike got it already burp :)
xss is 'uninteresting'??
"grrrr"
"damn, this is so simple!" uh-huh..
people solving Ready HTB mark your attendance
Just because of tips like that, I don't wanna read tips in CTFs.
please switch from 25p to 30p. The judder is distracting. If you want to be really nice record at 60p most of your content is screen based so the smooth scrolling and snappy terminal response would be nice.
What do you mean by p?
Are you talking about FPSs?
@@nilsirl yes
Isn't this 11.4.8?
It was patched for 11.4.8
The vulnerable version is as mentioned gitlab/gitlab-ce:11.4.7-ce.0 ;)
LiveOverflow I knew I screwed up 😂
Thank You 😁
I love you , no homo
anddddddd gitlab is down.....
wtf is going on?
First
I understand individual things you do but don't understand anything as a whole.
Me too. It's an experience
Going to a CTF is totally worth bowing to an authoritarian government lol! Haha #SecurityIsCool
hey fifth comment i guess...
Get some sleep
first comment