Just a heads-up: at 19:40, when you wanted to only POST to the first URL and then follow the redirect without POST, you could have just dropped the "-X POST", since "-d" already implies POST, and curl would have followed to the redirected URL with GET.
The b/1337 is just a reference to a bug ID. At Google they use an internal bug tracking tool called buganizer, and short links are in the form of b/bug-id. Usually you see this in the code: TODO(b/5746327): fix foo
I think I need to start reading more writeups. I've always tried to do a CTF and if I can't get it after trying for some time I guess I usually walk away and I end up not actually learning from the CTF which is the point. Great video man!
I really enjoyed seeing the thought process. This was one I was super close to solving, but I'm a noob at XSS. I didn't know any cool tricks like shown in the vid. Keep up the great content!
That was actually super awesome. Thanks heaps my bro. love your honesty. that was not an easy challenge. you're such a smart dude it's kinda nice to see you need the help of others too.
This really helped understand XXS properly. Now I feel I can learn a little more! I would love to see a little shortcuts video. You fly around a terminal and subl! Maybe even just a little write-up, just a thought but great video
You may have answered this later in the video but b/1337 or any number is generally just shorthand for Bug 1337 or Bug whatever that's being tracked on some external issue tracker.
Real good explanation, i came here from LiveOverflow where he covered this CTF and mentioned yours explanation and, no offense for LiveOverflow :-), now i got it much clearly. Thank you!
The b/1337 refers to a bug on Google's internal bug tracker, commonly accessed on the intranet at b/$bugid. I'm surprised they left this in for an external event. Source: I'm a google employee :)
Definitely a good beginning point to have your video on ctf. I just became proficient in Javascript a couple months ago and being able to follow along with this task really motivated me!
It'll be really nice if you did the other web challenges as well. More than the solution seeing the rabbit holes and methodology of sorts is really important.
You are very kind and humbly willing, to tell the truth when you solve this with the help of others. It's not like someone there who considers himself as "a hacker that your friends told you about" but is only good at making videos and making up a tale.
If you look at the body-parser documentation here: www.npmjs.com/package/body-parser It says "The extended option allows to choose between parsing the URL-encoded data with the querystring library (when false) or the qs library (when true). [...] For more information, please see the qs library. If you follow that link, you can see a bunch of examples for how it lets you parses variou query strings into objects/arrays.
The one question how it supposed to get where issue is by this "b/1337"? I know it means leet but how it leads to JSON.stringify row of the code, can someone explain please?
Actually really interesting. It did strike me as odd that he used JSON.stringify when there was really no need, but I would have never looked much farther than that. Good content!
Hey John, I'm an officer for the Cyber Security club at my university. We would love if you could come in for 30 minutes and give a talk about some pen testing or any networking exploits that are interesting to you!
note that sending the object using the url encoded parameter is only possible because of the `extended=True` bit below the comment saying "we need this for the captcha for some reason" :) (understanding this was for me the clue that helped me solve the challange)
Personally I ended by not knowing how to send an object to the server and get out of the quetes, but sending cookie would probably be the second injected js ( right after alert(1); )
not disrespect you, but mid vod i had this idea 💡 of a drinkin game, when ever you say peculiar we take a shot 🥃 now i continu watching i love what you doing btw keep up the good work ❤️
Hey John, Amazing content as usual. I have a small question, where would you recommend for a python beginner to learn the necessary libraries and tools? Do you suggest a specific course or a website to learn the tools that you usually use such as pwntools, Crypto, requests, and so on? C++ is just not the tool for something like this
John: Im a newbie, still have a lot to learn
Me: *sobs*
me too 😂😩
Just a heads-up: at 19:40, when you wanted to only POST to the first URL and then follow the redirect without POST, you could have just dropped the "-X POST", since "-d" already implies POST, and curl would have followed to the redirected URL with GET.
This was incredible! Loved it! Never seen a challenge like this. This was very valuable to me. Please make more.
Would love to see you do the other ones :p
The b/1337 is just a reference to a bug ID. At Google they use an internal bug tracking tool called buganizer, and short links are in the form of b/bug-id. Usually you see this in the code: TODO(b/5746327): fix foo
I thought 1337 meant LEET
@@ancestrall794 that is what it stands for...
I think I need to start reading more writeups. I've always tried to do a CTF and if I can't get it after trying for some time I guess I usually walk away and I end up not actually learning from the CTF which is the point. Great video man!
ye. the struggle is real
I really enjoyed seeing the thought process. This was one I was super close to solving, but I'm a noob at XSS. I didn't know any cool tricks like shown in the vid.
Keep up the great content!
I’m getting buff doing all these cURLs bro!
Your content is great. It’s easy to follow, and I really like the perspective that we get when you show how you think through the challenges
A lot of people out there try to portrait something that they aren't and seeing someone like you being honest about not solving this CTF. Respect
That was actually super awesome. Thanks heaps my bro. love your honesty. that was not an easy challenge. you're such a smart dude it's kinda nice to see you need the help of others too.
This really helped understand XXS properly. Now I feel I can learn a little more! I would love to see a little shortcuts video. You fly around a terminal and subl! Maybe even just a little write-up, just a thought but great video
Thanks John, super interesting! Can’t wait to see the new challenges you are preparing!
Wow! You are the one who leads to how to think as a hacker. I searched looots of sources to learning CS. And you are my fav. Thankss
Glad to see I'm not the only one you get discouraged when those things happens.
Lesson learned I hope, Thank you papa for the teaching
You may have answered this later in the video but b/1337 or any number is generally just shorthand for Bug 1337 or Bug whatever that's being tracked on some external issue tracker.
Real good explanation, i came here from LiveOverflow where he covered this CTF and mentioned yours explanation and, no offense for LiveOverflow :-), now i got it much clearly. Thank you!
I'm here for the F U L L F R O N T A L honesty. 13:30
The b/1337 refers to a bug on Google's internal bug tracker, commonly accessed on the intranet at b/$bugid. I'm surprised they left this in for an external event. Source: I'm a google employee :)
Definitely a good beginning point to have your video on ctf. I just became proficient in Javascript a couple months ago and being able to follow along with this task really motivated me!
Sir please tell us how did you install that sublime build view? I am looking for it but couldn't install it. I am using sublime text 3
Really insightful video 👍 and now I want the pleasure of finding those flags
I feel so lucky to have a node js and js background
It'll be really nice if you did the other web challenges as well. More than the solution seeing the rabbit holes and methodology of sorts is really important.
Thank you ! , can't wait for another google ctf web challenge video !
You are very kind and humbly willing, to tell the truth when you solve this with the help of others. It's not like someone there who considers himself as "a hacker that your friends told you about" but is only good at making videos and making up a tale.
I lost it when cookie and hookbin came up. I'm weak there.
Hello, thanks for this video. How did you know about the "[ ]" in the "content[ ]" ? How can I find it if I'v never seen it ?
If you look at the body-parser documentation here: www.npmjs.com/package/body-parser
It says "The extended option allows to choose between parsing the URL-encoded data with the querystring library (when false) or the qs library (when true). [...] For more information, please see the qs library.
If you follow that link, you can see a bunch of examples for how it lets you parses variou query strings into objects/arrays.
You are so so good man, its interesting to watch your videos and learn from you.
Thanks u Sir.. love the way you explain all the stuff 👏👏👏
Hey John, take a look at webhook.site, I think the UI is much more intuitive for XSS/SSRF/CSRF.
It doesn't work on hookbin for me for some reason, but webhook does ! Thanks for the recommandation !
John ima need you to chill on these videos, my sleep schedule can't take it!! Loving them man, really fun to see your thought process!
First time motivated by watching your video
Thank you for this video please post more of these
Absolute amazing!
Wow dude thanks 👍🙏🏾 loved it
Thank you for this learned a lot from this video.
The one question how it supposed to get where issue is by this "b/1337"? I know it means leet but how it leads to JSON.stringify row of the code, can someone explain please?
Muito bom!!!!! Grato por compartilhar seu conhecimento. Aprendo muito com seus vídeos.
more google CTFs will be appreciable
Appreciate the video walkthrough.
Great walk through, love your video
Actually really interesting. It did strike me as odd that he used JSON.stringify when there was really no need, but I would have never looked much farther than that. Good content!
Thus was incredible!!
Awsome bro... You're inspiring us... Thank you.
I think the Tracing challenge would make for another great walkthrough video!
Thank you bring more these kinds of ctfs and python scripting.
At first I assumed the solution was to post because .slice(1, -1) would only remove the outer ;) Nice video, keep it up!
Ed Sheeran really is talented.
Lol so relative
Amazing content always! I struggled so much last weekend hopefully I learned a lot!!! thnx
wow...it always amazes me how much information and syntax you input for the CTF. How did you learn all this stuff? haha
Hi, john.
Can u point me to an article which discusses when tp use request.session() and when request.get/post() ?
Thx
Pretty Nutz! Keep up the good work man!
Hey John, I'm an officer for the Cyber Security club at my university. We would love if you could come in for 30 minutes and give a talk about some pen testing or any networking exploits that are interesting to you!
Feel free to send me an e-mail, I'm always happy to hang out! :)
Thanks, John
very cool ctf real video, thanks man.
note that sending the object using the url encoded parameter is only possible because of the `extended=True` bit below the comment saying "we need this for the captcha for some reason" :) (understanding this was for me the clue that helped me solve the challange)
My name is, what? My name is who? *imitates turntables zickazicka john hammond *to the tune of my name is slim shady*
I really liked but I got list and cannot understand how figured out the double slash
Why does log-me-in above pasteurize in the challenge list have only 7 points or has it been solved by too many people or my eyes aren't working??
Please provide links to the writeups you are talking about....
Very Nice video just as always. Stay frosty.🥶
Awww, I missed the live stream.
Hmm, i really dont have a clue about anything going on here, but i still watched it
#commenting_for_the_algorithm
You are great John!
Dude I didn't even know something like hookbin exists thanks John and yes I'm a John too 😅
something never be changed..: "Hello, my name is John Hammond.."..NICE
for the algo
Always love your videos, especially because I'm shit in web challenges
we want more
great tutorial ... like always ... thank you
Thank you so much for sharing your knowledge.
+1 sub
How come the microphone character 🎤 @7:10 in your Sublime is in color?
that was very cool ! thanks !
This was great!
Commentingforthealgorithm
Replying for algorithm.
You're the best! Thanks so much!
Commenting the flagorithm
This was the only challenge I got. Can you also explain some other challenges as well?
Writeups ❤️
YESS PLEASE DOO MORE OF THESEE PLEASSEEEEEE!!!!!!!!!
Please continue doing those.
thank you so much!!!
I love you solved this problem
Sir can u also explain both rev and pwning in google ctf . Please
feels good to know node
Personally I ended by not knowing how to send an object to the server and get out of the quetes, but sending cookie would probably be the second injected js ( right after alert(1); )
Loved it
not disrespect you, but mid vod i had this idea 💡 of a drinkin game, when ever you say peculiar we take a shot 🥃 now i continu watching i love what you doing btw keep up the good work ❤️
Thanks dude!
i like how said i'm not that good
aswm broooo
you are great.👍
Excellent
Missed the live Stream, but loved the video!
awesome!
hey pls replied me why d you use usr/bin/python3 . we need in kali linux?
that's the path to the python3 executable file
keep up the good work!
Johnito, thank you for you video!!!11!!!!
Thanks so much for watching!
why put "[]" after "content" it work?
Please do the REV beginner ones!
COOL!
Hey John, Amazing content as usual. I have a small question, where would you recommend for a python beginner to learn the necessary libraries and tools? Do you suggest a specific course or a website to learn the tools that you usually use such as pwntools, Crypto, requests, and so on? C++ is just not the tool for something like this
please make a complete one.