Cloudflare CDN CSP - XSS Bypass / HackTheBox Cyber Apocalypse CTF

Рет қаралды 42,505

2 жыл бұрын

If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link) Obligatory disclaimer to appease the vocal minority: this is NOT a Cloudflare (lowercase F) vuln, this is a CTF challenge showcasing a Content Security Policy bypass through Cloudflare (lowercase F again)'s CDN.
Moving your first steps into hacking? Start from HTB Academy: bit.ly/3vuWp08
Hungry for more hacking training? Join Hack The Box now: bit.ly/331nQCl
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond

Пікірлер: 70

@_Karlsson 2 жыл бұрын

You keep apologizing, but it's kind of nice to see that you're not fluent on EVERYTHING. =)

@dedkeny 2 жыл бұрын

Many things were learned today from Javascript & XSS to video-editing, thanks John!

@sumedh1678 2 жыл бұрын

Let’s give a moment of appreciation for the amazing walkthrough. Thanks John.

@hamzabettache497 2 жыл бұрын

I just like how you talk with your self and make actions :D it helps a lot : ) thanks for your videos, keep them ON.

@teddybear9152 2 жыл бұрын

another video and another day of learning for me, thanks again John for all your hard work. Kudos to you for doing all this for us and still doing a day job and "life"!

@CyberAbyss007 2 жыл бұрын

Thank you! I'm actually starting to get this stuff! Appreciate that you show how hard this stuff is and how much patience is required.

@xAngoryx 2 жыл бұрын

Just found your channel and really loving your content

@anonymousmokona8541 2 жыл бұрын

This video series got me to finally start learning pentesting - I always perceived it as something arcane and intimidating, but seeing how you struggle with node got me thinking that there is no shame in sucking at stuff.

@dennismunyaka6537 2 жыл бұрын

watching john work is like watching myself hack. I would've however given up, the live learning, googling and also building of payloads gives your channel an authentic human touch. as opposed to all other channels just regurgitating payloads from writeups. kudos

@timothybadenach2411 2 жыл бұрын

good to see that a security professional with 10 plus years can still struggle getting up the hill, so to speak. Gives guys that are learning motivation to keep going

@businessgoose8605 2 жыл бұрын

Like last year when I subed to you, you had like 80k followers. Keep going bro!

@jannikmeissner 2 жыл бұрын

Yes, I had fun! Another great video that made my day

@kaihuang5420 2 жыл бұрын

38:08 is starting of the dulpicate of previous content till 51:58. hope you can fix it! But great job!!!! John Thanks a lot for suffering for us non-javascript fanboys.

@peterchari3839 2 жыл бұрын

This is amazing. We learn new things everyday!!!!!!! CSP, fetch

@maballshurt 2 жыл бұрын

30:31 made my eyes struggle on watch that

@giusepperandazzo5357 Жыл бұрын

I like your approach...it's is similar to a software engineer daily job...read, understand, try, fail repeat and so on...

@blackjackdealer204 2 жыл бұрын

I pace around my room when John releases content..

@alandonaly457 2 жыл бұрын

I always learn a lot from you , thanks!

@diddyman1958 2 жыл бұрын

I understood very little of that but it was great to see you get the flag in the end.

@jacobsilva421 2 жыл бұрын

I love the videos where there is 5 minutes left and he's still pulling his hair out. Just knowing he's about to find the one little mistake borking it up.

@mukundbhuva 2 жыл бұрын

Hey, seems like the video is duplicated from 38:08. Love from India ❤️.

@theisoj 2 жыл бұрын

I noticed the same thing. I think that John made a mistake accidentally.

@algerienizer 2 жыл бұрын

this is great, thanks!

@_DeProgrammer 2 жыл бұрын

Using an editor like vim with bracket highlighting would prevent painful mistakes like this. Brutal! Good video tho.

@neilthomas1907 2 жыл бұрын

ngl !! lowkey better than netflix rn

@Grommish 2 жыл бұрын

An Ide or setting Sublime for the context you're languaging on would help. Would make the inevitable formatting errors stand out

@JuanBotes 2 жыл бұрын

thanks for making the content. \o/

@viv_2489 2 жыл бұрын

Nice content as usual...

@ankurverma1157 2 жыл бұрын

Waiting for the video ❤️

@mossdem 2 жыл бұрын

This has been me trying to wrap my head around 'self' the past few days in Python lol

@kadensharpin2156 2 жыл бұрын

my eyes struggled to watch John struggle through the JS

@mahmutivanov1204 2 жыл бұрын

Keep it up,

@tg7943 2 жыл бұрын

Push!

@choleralul 2 жыл бұрын

Cool!

@cair0_ Жыл бұрын

holly molly

@gtdt5666 2 жыл бұрын

that was cool :)

@chriss8825 2 жыл бұрын

I am no JS expert, but in my experience JS is good at breaking itself and proceeding lines of code. I kept thinking you should just look at the browser console, or even even just copy paste known working attack to confirm nothing is borked. Not sure if this would have worked (ive only played with node with one small app), tho the way I would have approached getting the final data: Either sending it all to the console, or injecting it all into an element in the list page, or perhaps the easiest is just alert the data with something like match('CHTB.{50}') .

@SabrinaSays 2 жыл бұрын

Really awesome video! I'm just confused as to how the flag was decoded. And if we already had the coded version of it from /alien, then why did we need to fetch it through the terminal? Sorry if this is a stupid question.

@aryangurung3401 2 жыл бұрын

sheeeeeeeesh

@BilelBM 2 жыл бұрын

Looking at the browser console would ve helped you debug the fetch regex problem. GG

@vater7841 2 жыл бұрын

realy exiting when you post a video,i hope someday you can teach how to investigate crypto scam with hacking skill like how they code or something else,thank you

@cletusmugane 2 жыл бұрын

i love you too

@0x8badf00d 2 жыл бұрын

I've been screaming punctuation at the screen: "CHTB\\{.*\\}" You kept escaping the asterisk. Probably just needed to double the backslashes when using normal strings.

@jonharper5919 2 жыл бұрын

Hah I was saying the same thing. Why are you escaping the *??? On the other hand he does everything else much better than I could ever do

@Lacsap3366 Жыл бұрын

I dont't really understand why the javascript alert popup only opens two times if there are so many XSS payloads on that site.

@cherifxtitou6822 2 жыл бұрын

i hope if one day i will have skill like y have am very jealous

@anonanon1400 2 жыл бұрын

PS1 var in .bashrc could help to fix that long pathname problem.

@azeesabdul2674 2 жыл бұрын

How to review code to find bugs

@Zebby2013 2 жыл бұрын

Who the heck downvoted this only a few min in to the Premier?

@nathanpope8322 2 жыл бұрын

A dumbass hater. Haha! They obviously don’t know who this man is. Hahahahaha! The world is so lucky we all took an oath.

@hocmuong28tv89 2 жыл бұрын

💋💖💖💕

@randomnickname00 2 жыл бұрын

hey

@bhagyalakshmi1053 11 ай бұрын

How many times also spending master season 9 times also collection anyone 29 test collection master in the past for collecting 2 nc .lnc ......X collection master in the

@georgehammond867 2 жыл бұрын

regex is some nightmare>

@vineet1 2 жыл бұрын

24:15 . 1 hr break lol

@iliaschymas1851 2 жыл бұрын

i dont want to be that guy but in 4:18 i think he is ironing a humam suit not a actual human

@udhavkansal3426 2 жыл бұрын

Sirr big fan ❤ I want ur guidence. Plzz help And also, luv from india 🇮🇳

@fordorth 2 жыл бұрын

LEARN node!

@fordorth 2 жыл бұрын

I remember when I first started watching your videos you at one point said you should not use scripts if you don't know what they do... now you just go out and grab scripts for everything and fight with them to make them work.!?