nicely explained, but the bonus solution does not work, because even if race condition exploit succeeds and purchases 100 gift cards, it will still take away 1000 dollars, meaning the gift cards have no use in buying the leet jacket, if you redeem all cards, you will get back to the point you were in first.
Hey, so in the official solution we add a gift card and then exploit the race window to swap the gift card with another product (leather jacket). My idea was instead to exploit the race window to swap the quantity of the gift card from "1" to "1000". Therefore you get charged $10 but you have $10,000 worth of gift cards which you could use to purchase the jacket 🙂 I'm still pretty confident this should work 🤔
Been trying this since yesterday lmao. I got to the point of doing the first Pointer but then when I search for the second value nothing shows up :( I am beyond confused lmao and suffering hahahaha
Double-check the steps in the video but if you are testing cave crawler, also remember that I recorded this a while ago and every update to the game could change instructions/expected pointers so the solution might looks slightly different to when I recorded it.
@@intigriti Ok, the game is on steam, is a silly game nothing too crazy, Research story and I was trying to make something to have the stamina never decrease but I get two results in double and it's just a freaking pain. I am just not doing it hahahahahha
If the assembler instruction doesn't have anything between a '[' and ']' then use another item in the list. i dont understand this part where i need to find '['and']' what does exactly mean?
I've been wanting to learn how to do more than a basic search and find for things. This is the first time I've found a tutorial broken down enough that my caveman brain can understand. Thanks!
This means you are not logged in as the user, could be many things that went wrong. I'd recommend double-checking the steps in the video and/or the official portswigger solution.
The payload you put in actually worked because the actual sequence required to escape is `}]}`. You just accidentally changed the sequence from `}]}` to `]}}` at 7:37. That's the reason why `]}}` didn't work but your final payload `}]}}` used to escape worked in this case. Because the first three chars match up which are enough to escape in this case
I get access violation when i tried to change the value of the pointscan result. Its a local game, so idk why xd. Nice video. Edit. I restarted my pc and now I was able to change the value. It works! I dont have to do the same proccess everytime I open the game, nice.
You can manually try for common ones or look for wordlists of common paths, files etc.. Here's one I picked at random: github.com/Karanxa/Bug-Bounty-Wordlists
I missed this one, sorry mate. Shame because DUCTF always has some great challenges! They publish all their solutions and source code here btw: github.com/DownUnderCTF/Challenges_2024_Public
@@intigriti thanks a lot brother🔥🔥🔥 Btw waiting you for participating in more ctfs and more web challenges walkthroughs:D Ofc if its possible for you🙌🏻
Interesting satuff! I literally just got into all this stuff yesterday, super conplex but I'm determined to work it out as I really want to hack into my favourite childhood game and make it more replayable! So I got hold of the address that stores my money and I can modify it etc, the address doesn't change between sessions so all good but when I set my money to say a value of 15000 then buy something, the value is then capped back again at 9999, I'm guessing in the function it's comparing to a max value then capping it, how would you go about trying to track that max money cap variable down? Thanks so much for your time mate!
You could simply try to freeze the pointer after you change the value (ticking the little box) so that it doesn't decrease. If that fails, future episodes in the this series will look at injecting (patching) code logic 😉
@@intigriti thanks for the reply mate! Yeah could definitely do that although I'm not actually looking for infinite money I just want to raise the max money cap so I can earn more in game legitimately lol also the cap is a signed 16 bit integer it seems as I tried to raise it past 32000 and it just goes into negatives, is all this stuff possible to change? Also looking forward to the next in the series! Thanks man!
mate...your rapid mouse movements are anoying =/. make them plz clear, because i look each time to dont miss something id you try to explain. rotate slowly over that region would also works and dont took too much attention from us. thx for your great videos :)
I noticed this recently actually! I tried a similar challenge and couldn't get this solution working in burp, ended up just using jwt_tool and it worked fine 🤷♂️
Hey, some of the techniques used in these videos (e.g. Frida hooking) can be used for SSL cert pinning bypass, check this: infosecwriteups.com/hail-frida-the-universal-ssl-pinning-bypass-for-android-e9e1d733d29
@intigriti I don't get why reset_token was added to the field parameter? field=reset_token. Aren't they both parameters? What is the logic behind this?
The "field" is indeed the parameter, but since we saw "email" was a valid value for the field parameter, it makes sense that other form fields on the page would also be accepted ("reset_token" in this case).
hey bro it seems my jwt editor extension is not working. whenever i try to resign with the key i generated it just doesnt get resigned. i found another way to solve this.
It's been a while since I looked at this challenge but I'm guessing the api_friends function in app.py is most interesting for you.. Let me know if you want to see more! @app.route('/api/friends') def api_friends(): query = request.args.get('q') email = users.find_one({'username': query}, {'email': True, '_id': False}) if email: user = users.find_one({'$where': f'this.email == "{email["email"]}"'}, {'username': True, 'friends': True, '_id': False}) return json.dumps(user) else: return []
