CryptoCat
InfoSec education channel: CTF walkthroughs, binary exploitation, pen-testing, bug bounty, malware analysis, programming/scripting etc.
LA CTF 2024: Web Challenge Walkthroughs (1-4)
19:56
4 months ago
Comments
@xm4nd0 4 hours ago
Hello! Thanks for the detailed review. However, I am still not sure whether to go for CBBH or BSCP first. I know BSCP is much cheaper, but since I need Burp Pro to finish all the Academy labs and for the exam, I think it would be necessary to get a 1-year subscription. Would it still be worth it to go first with BSCP instead of CBBH considering that the prices could be similar for both with the Burp Pro subscription + exam voucher cost?
@_CryptoCat 33 minutes ago
Hmmmm good question! I haven't done the CBBH exam but I did finish the course. First thing I'll say is they're both good, but very different. Portswigger will teach you everything you need to know about web vulns and exploits, but not much about the methodology of hunting. CBBH will go more into things like scope, recon, reporting etc. Personally, I would recommend BSCP first - the labs and material on portswigger are the gold standard IMO, everyone interested in web hacking should complete them. The exam is very fairly priced, but will probably continue to rise as it becomes more established. I know you mention the price of burp but consider you could: a) Use burp pro 1 month trial b) At least get the benefits of having a year of burp pro, e.g. for bug bounty hunting. Up to you though, CBBH is also very good!
@user-vu3ip1db1c 16 hours ago
Where are we getting the list of passwords from, did I miss something
@_CryptoCat 13 hours ago
If you are using Kali or Parrot OS, there's wordlists in /usr/share/wordlists/ you can also install seclists either using "sudo apt-get install seclists" or download via github: github.com/danielmiessler/SecLists
@zabellii 4 days ago
Thanks very much
@_CryptoCat 4 days ago
Any time! 👊
@KishoreG2396 5 days ago
What is that terminal theme/desktop environment you are using here? It looks really cool
@_CryptoCat 5 days ago
Thanks! I'm using TerminatorX in ParrotOS with a custom colour scheme. You can check it here: imgur.com/a/gCnvq8A - beware that some tools really benefit from a standard colour profile though, e.g. linpeas, so it's good to create a separate profile that you can easily swap between 🙂
@MuhsinSulfikker 5 days ago
hydra working command = hydra -L user.txt -P pass.txt ip http-form-get "/001/vulnerabilities/brute:username=^USER^&password=^PASS^&Login=Login:H=Cookie:security=low;PHPSESSID={sessionid}:F=Username and/or password incorrect."
@aneneolisa4306 6 days ago
I am looking forward to your video on HTTP response header injection
@_CryptoCat 6 days ago
👀
@cherifxtitou6822 6 days ago
it's so sad they made this box for beginners, WTF HTB
@_CryptoCat 6 days ago
I hear this a lot! 😆
@wutangdaug 6 days ago
really really great explanation along with the examples, appreciate it
@_CryptoCat 6 days ago
Thank you! 💜
@ElSanto0044 6 days ago
why do you connect to the hackthebox webpage from the VM? Any risks connecting on the laptop itself?
@_CryptoCat 6 days ago
I just do everything in a VM, to keep my personal PC separate from my hacking.. It's not so much for security as it is to keep my main system clean of tools, files or other artefacts. VMs of course provide the additional security too though!
@Juice-jitsu 8 days ago
I wish this video wasn't so all over the place. Starting over.
@_CryptoCat 8 days ago
😥
@ayushman19 11 days ago
Thanks a lot buddy
@_CryptoCat 10 days ago
Any time mate! 👊
@wuyaxu8529 11 days ago
Hey, very great video. On the issue of Hydra, maybe adding "F=Username and/or password incorrect.:" could solve the problem? I can perfectly bruteforce the password using hydra.
@KyleSarsfield 11 days ago
hey great video, I'm just trying to understand why when I pop the address 0x600e48 into r12 and pop 0 into rbx and 1 into rbp it works, vs popping 0x600e30 into r12 and 3 into rbx and 4 into rbp it also works. I'm clearly misunderstanding something that is going on here.
@JhinHoTak 12 days ago
Way more helpful than the actual guided steps provided
@_CryptoCat 12 days ago
🙏🥰
@_loner1861 14 days ago
do you have contents about heap exploits, sir?
@_CryptoCat 14 days ago
No series but I have a couple of CTF vids: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-U2OgL66-6BE.html + ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-55jibxjUj3I.html
@samaawake 15 days ago
The video is awesome! I've learned a lot of ideas and skills. By the way, could you please introduce the script qtunnel that you used to connect the local web service to the public network? I would like to have a useful tool like that.
@_CryptoCat 14 days ago
Thanks! So `qtunnel` is just a bash alias which calls tunnelto (tunnelto.dev) with my specified subdomain and port, while the `webup` command is `python3 -m http.server 80`. I use tunnelto because it allows me to reuse the same address, but it has a yearly fee. Previously I just used a free alternative like ngrok (you can run `ngrok http 80` to achieve the same) or requestbin
@samaawake 14 days ago
@_CryptoCat Thanks for your help. I learned how to use ngrok for Intranet Penetration and achieved the same results as shown in the video. Your patient explanations were very helpful for me as a CTF beginner, thank u again!!!❤❤❤
@_CryptoCat 13 days ago
Awesome! No problem 💜
@funnymemes2440 15 days ago
Your videos are always amazing. Whenever I watch you I learn something new. Thank you for this.
@_CryptoCat 15 days ago
Thank you! 🥰
@wrathofainz 16 days ago
10:14 fuckin' saaaaaaame. Had to start using java to run apktool. The app I'm trying to mod is frustrating as hell because it gives an infinite loading screen as punishment for installing from outside of the play store (like from backup) and has a ton of checks. I guess I need to learn how to use android studio... Why must it be so huge?
@_CryptoCat 15 days ago
ikr I hate using android-studio, especially inside a VM 😒
@swagmuffin9000 16 days ago
Hey, need a bit of help. Stuck at the reverse shell. I uploaded my php script, and got it to connect back to my box. When I run commands, it just gets stuck with no output. Not sure where to start troubleshooting.
@_CryptoCat 15 days ago
Hmmm do you have the same problem using the official PDF walkthrough? Could try some other PHP shells, www.revshells.com is handy..
@swagmuffin9000 15 days ago
@_CryptoCat ok, got it. Thank you for the help
@wazawanaIT 16 days ago
great job and Freeee PS
@zezokaro7845 17 days ago
19:24 I was very confused at this point, turns out %7 is the offset of 'buffer' in the blogpost :D
@Fereterme 18 days ago
Great explanation of your thought process and tools used 🤖
@himansh0715 18 days ago
Cool, learned something new :))
@tsuryu 19 days ago
thank you for the walkthrough!
@Strategic. 19 days ago
Really cool stuff!! Free Palestine
@jm1981 19 days ago
Awesome work as always my friend.
@_CryptoCat 19 days ago
Thanks mate! 👊
@dprozzes5945 19 days ago
Hello 👋🏻
@_CryptoCat 19 days ago
Hey 👋
@ABDOE_MARKETING 19 days ago
akasec 1337 Morocco do a great job, free palestine
@ca7986 19 days ago
Love this walk through! ++🇵🇸
@highlights973 19 days ago
@stylo20220 19 days ago
💀
@_CryptoCat 19 days ago
@m3sm4r2010 22 days ago
hi bro, you are doing a great job, keep it up❤
@_CryptoCat 21 days ago
Thanks mate! 🥰
@jaywandery9269 22 days ago
I believe you positioned your parameter entity wrongly. I think you should try % xxe instead of xxe % system.
@_CryptoCat 22 days ago
awww wtf, I think you're right. I thought I tried all variations but reviewing the vid apparently I did not 😞 Guess I should have just copy/pasted the portswigger payload 😭
@kdnowlq 22 days ago
hi cat
@_CryptoCat 22 days ago
heyyy 💜
@comosaycomosah 22 days ago
mandatory comment for the algo!
@_CryptoCat 22 days ago
🙏🙏🙏
@pavi013 23 days ago
It's gonna be very easy they said 😅
@_CryptoCat 22 days ago
😆
@dead_gawk 23 days ago
I had no clue what was going on, but it was fun to watch and learn!
@_CryptoCat 23 days ago
Haha 😆 Glad you liked! 💜
@fadihafez23 23 days ago
Incredible explanation. Thank you. Very few videos and articles have been able to explain this topic as well as you do. One question though is how could I have used Ghidra or gdb to look for 'pop rdi' and 'pop rsi'? The addresses matched by ropper don't seem to match exactly what I see in Ghidra (or gdb)
@_CryptoCat 15 days ago
Thank you! Glad it was helpful 🙂 Hmmm I've always just used ropper (or pwntools) but check this out: reverseengineering.stackexchange.com/questions/26327/finding-ropper-ropgadget-offsets-in-ghidra-disassembly
@pavi013 24 days ago
It's very beneficial to learn programming, this wasn't the easiest one.
@_CryptoCat 23 days ago
Definitely, programming is a key skill for anyone interested in security 💯💯💯
@adeenmum111 26 days ago
I'm not getting my hash in Responder; it is listening for events, the IP of the listener is the same I give in the URL, but nothing happens. Any idea why?
@_CryptoCat 15 days ago
Hmmmm double-check each step in the vid, or check the official PDF walkthrough as it might use a slightly different approach. You might find additional troubleshooting steps on hackthebox forums/discord 🙂
@zezokaro7845 27 days ago
I have a question: it is given that you have the source code file and know the key "deadbeef" right? There is no way to know the key without the source code? Thank you for the video 😄
@_CryptoCat 23 days ago
If you had access to the binary but no source code, then you could disassemble/decompile it or step through with a debugger to find the key. However, if you come across a pwn challenge like this in a CTF, the binary you download won't have the same key/flag as the binary running on the remote server 😉
@pavi013 27 days ago
Appointment was a little bit confusing, but it was easy when I got it.
@_CryptoCat 23 days ago
Nice job! 👊
@mfs6165 28 days ago
09:15
@soanzin 1 month ago
I can't understand how the S3 bucket could run the PHP app.. could you explain please? I did some research, tried ChatGPT, but still without understanding..
@_CryptoCat 23 days ago
Without reviewing the challenge/video, I think the s3 bucket was on a different subdomain to the php app? In this case, that's achieved with virtual hosting (rather than an actual subdomain).
@ta-travels-th2lu 1 month ago
Congratulations for the amazing step-by-step beginner-friendly tutorials! I just have a small question that might be silly. At minute 4:15, it seems that we have the buffer at the top of the stack, followed by the saved old_ebp (named as local_8 in Ghidra?) and then we have the return address for the receive_feedback function. So, if I get it right we need to send 68 bytes to overwrite the buffer and then 4 more bytes to overwrite the old_ebp (local_8) value. So we need a total of 68+4=72 bytes. The next 4 bytes will overwrite the return address in the stack. I am a bit confused, since according to your analysis, it looks like we need 76 bytes as padding (and not 72) before we use the next 4 bytes to overwrite the return address. Where do these 4 extra bytes come from? What am I missing?
@_CryptoCat 15 days ago
Thanks! Good question.. It's been a while since I did any pwn challs but upon review, this doesn't look correct. The buffer is definitely 68 bytes, then we have 4 byte EBP but ghidra is actually showing `local_8` and reserving 8 bytes on the stack. Perhaps this is just for alignment, inserted by the compiler 🤔
@anshulguptaiitr949 1 month ago
nice explanations!
@_CryptoCat 23 days ago
Thank you! 💜
@antoniorossi9995 1 month ago
hi ty for ur tutorial, i see that u shared the completion of the challenge cubebreaker on htb, can u help me with some hint? I escaped the box and bypassed the check for coordinates, so now i can move freely outside the box, but it seems like the cube outside doesn't have collisions, any help?
@_CryptoCat 23 days ago
Did you get it solved? You can DM me on discord if needed
@anikettiwari5116 1 month ago
Hey, I don't know if you read my message, but as of today they added a VIP subscription for these basics. Is there any solution for this?
@_CryptoCat 23 days ago
Oh no! I didn't hear about that 😞
@namename-qj4cu 1 month ago
Tysm.. I still can't get how this is supposed to be "very easy".
@Alex-vi6iz 1 month ago
Thanks for the detailed breakdown as usual. If I may ask one question. Currently working as a network admin and I am looking to get into pentesting. Most people say that it's easier to get into web app pentesting as there is more demand, however should I still pursue network pentesting as it's closer to my background?
@_CryptoCat 23 days ago
Thanks mate! Good question, but one only you can answer. I don't think you'll have a problem finding work in either field, if you are good at what you do. The most skilled people are generally those who are passionate about the subject, so if you feel more interested in web then don't worry if you won't put your networking experience to best use (I say "best", because even if you move to web, the network pentesting experience will be helpful). On the other hand, if you feel more passionate about networking, don't switch to web just because there might be more work/money. TLDR; work hard on what you enjoy and the work/money will follow. Besides, many pentesting jobs involve a mix of these topics. One client might request a website pentest, another a network, another a mobile app.. or maybe a combination of all 🙂
@Alex-vi6iz 23 days ago
@_CryptoCat thanks, really appreciate the input