Wow! What a crazy technique, mad props to the folks who wrote the ASCII only jar, that's mental

I can explain part of this! The reason that your uploaded jar got corrupted is because of the way String works in Java. Unlike a string in e.g. C++ or Go, String in Java represents a sequence of Unicode codepoints, much like the str class in Python. When you uploaded your jar, the bytes of your query had to be converted to a String at some point before the «GARBAGE BEFORE + data + GARBAGE AFTER» step. So your input bytes got interpreted as UTF-8 sequences, but because most binary data is just going to be invalid UTF-8, it all got replaced with � (which is then encoded back to UTF-8 as EFBFBD when the file is written). The pure-ASCII zipfile is an ingenious workaround.

AHA! FINALLY afters years understanding nothing but "Bahnhof" of your videos, I as a java dev, understand a tiny bit. Feels good.

What a genius guy,wish one day i could get even close to you

this video was dope. thanks for taking the time to make this content, much love!

I have to watch your video multiple times just to appreciate all the details you give to audience. It's fenomenal

As a java developer, just ❤️ this one. My first thought for that replace chat was that neck slash wasn't excluded, so maybe \u123 like tricks could play a role. Did not see the ASCII only zip file coming. Just how do you create that... Magic 🤣

This is the kind of cyber security expert I aspire to become......just so much dedication

insane, i would not figure this out in my entire life if you gave me that time

This was the most interesting CTF video I've ever seen. Normally, I don't understand shit, but you explained everything so well.

That is a crazy exploit, well done!

CTF challenge vids are one of my favorite types of videos on this channel!

How are you creating content that will forcefully put the viewer to watch the whole video without skipping any part? Its 100% amazing. Superior content btw. Loved it😍

solving this must feel great, but creating such a challenge.... you must be a wizard...

This guy's a genius

I just know basics programming stuff but the video made me watch this like I knew everything what he said ... Magic ✨

Great video!

Well done sir

love the new glasses.

what a rollercoaster :D

A bunch of this flew over my head but I loved it. Props to you and your team for the great work!

It's an amazing ctf!

Thanks for the video

Beautiful solution. I genuinely don't understand why Apache regularly does stupidly insecure things with class loading.

Java web challenges are always good !!!!

I don't understand anything at all but this is interesting af! Thanks for uploading

Crazyyy technique! 😵

So what do we learn from this? Tomcat's applicationScope object is read-write instead of read-only, which is a bad idea.

The ascii only zip is really interesting

On glasses in a stream nicee

10:16 "..and it was private static final anyways." This shouldn't be a problem. First, the `final` only protects the reference to the array from changing, not the array itself. In C++ terms, `final` is the equivalent of `T * const`, Java has no concept of `T const *` or `T const * const` unless T is defined to be always immutable. Sure Strings are immutable in Java, but arrays are fair game. Next, the fact that it's `static` could be helpful, not a hindrance. This means that there is no overall object reference for `ParamUtil` to find, there is only one instance of the `SPECIAL_CHARS` in the whole program. This should be findable with reflection. Lastly, the `private` should be no problem if you're using reflection. Reflection does not care about member visibility. I'm not sure what reflection you could have pulled off, given the challenge's constrained jsp; so maybe this would still end up being a dead end. I just wanted to share some Java technicalities. 😎

Nice video - quick comment from my side: I have found JADX being superior to JD-GUI, since the latter has issues with a few class files and the other has not.

the thing is i dont know any bit of coding , still I am watching it and having fun , and can safely say yeah this field is for me I need to take it in colleague as majours even if I need to compromise a better colleague for the subject.

You are amazing

all in >

Just a note on the URL class and the "fix it plz java" note - there's nothing to fix, that's an immutable object and it's supposed to be like that. You want a new URL - you create a new instance of that class.

So cool…. As a web dev this scares me lol

new video lets goo

Could you please describe how you make valid jar file with ascii-zip?

🔥🔥🔥

Dude,,, I understand only parts of what you were explaining... but I couldn't stop seeing.... great job.... and avoid Java!!! ;-)

Just wondering if the start was anything like that early scene in Blue Streak where he says "What is the first thing you do? You check if it's open." Only, in this case, you check if it's log4j vulnerable. ;)

Thats a nice video. Can you please make a video on exploitation on vulnerable version of jetty.

Hey what about the STÖK glasses? haha

looking closer and closer to vitalik buterin by the day.

glassesOverflow

badass

I know little about the Java wepapp world. Decompille a class is regularly needed because the documentation is bad or fix a bug of a used software. A servlet to upload files gives actually control of OS running tomcat. What I dont understand how you get access to the .war file from a running Webapp in the net?

this ascii-zip crafting made me cry ... #ctflife I think

Why did you put angle brackets on your head and disable your glasses for the thumbnail? I'm confused. But great video!

Very interesting video! I really like to watch your CTF videos. Aaaand ive got a question: how is your vscode theme called?

*me just nodding to everything he says with a wistful expression, whilst trying to understand it*

What system do you run in this video?

Nice

im waiting for the minecraft log4j vid xd

Hello please can you explain the doc exploit other thing I discover thing before when you type a

Ooh no. Jemes kittle explain how to exploit this bug in his template injection talk

on yaaaa

If you click the number it will display on your video that video ended is ended like 51 minutes why ? Please can you explain and thanks

welcome to the blind gang

🔥🤯🤯🤯🤯😱

13:11 Stupid Question: Couldn't you have just made a StringInterpreter Compatible class and then call do your arbitrary code execution from the constructor since its instantiated immediatly?

3:47 I thought the top file said something else for a second...

You Joined My MC server without the web address or ip how did you do that ?

Stupid question : In these CTF's do they provide the web-app source codess ? for you guys to figure the prblm on local machine.

I understand 1% of this, i think i learning 🌭

Love your work but I fear your arms are going to snap in half

Maybe a dumb question, but would using a " " worked to remove the garbage on the beginning of the string? "GARBAGE" + " something else" + "GARBAGE" ?

How did you work out 0xfffff number of hashes ?

Video minute that it is even not in the video it display for you in example

DO U USING KALE LUNIX BRO❓

dark lighting makes you sad old dev, not the bright excited mind you were before

About halfway through, my approach would be to upload a .class or jar file with remote shell in perhaps a static initializer field, then change the class path and execute the code from there. Let’s see if that’s the way you did it :D

uh oh

ASCII ONLY JAR? WHAT. HOW IS THAT POSSIBLE

Is it just me or is he really looking like Ed-Sheeran :D

Hey man. Someone recently logged onto my Minecraft server under the name Zaafir_Zuberi. He ran some long command, apologized for spam, then left. He linked his channel which led me here. What exactly did you do, and should I be concerned? I tried to find the acc but they must have changed the name or deleted it. Would appreciate a response.

56 secs ago???

Let's fix what broken for 5 years now.

Yu gained weight! Good yu look gewd!

Does this mean that Tomcat is not secure?

Nice i couldn't understand a shit:)

That’s for all genius hackers - you‘re the heros right now 🇺🇦❤️

first?

The way you pronounce "interpreter" drives me crazy

bro use vim to sort, instead of VS code,

thumbnail makes me not want to watch this video sorry