NahamCon CTF 2022: Web Challenge Walkthroughs

Рет қаралды 7,574

Күн бұрын

Video walkthrough for some of the Web challenges from the NahamCon (CTF) competition 2022; Jurassic Park, EXtravagant XML, Personnel, Flaskmetal Alchemist, Hacker Ts and Two for One. Topics covered include XML external entity (XXE) injection, SQL injection (SQLi), Regex injection, Cross-site Scripting (XSS), Server-side Request Forgery (SSRF) and 2FA (OTP) bypass. We'll use burp suite, Firefox devtools and ngrok. Write-ups/tutorials aimed at beginners - Hope you enjoy 🙂 #NahamCon #NahamCon2022 #NahamConCTF #CTF #Pentesting #OffSec #WebSec
↢Social Media↣
Twitter: / _cryptocat
GitHub: github.com/Crypto-Cat/CTF
HackTheBox: app.hackthebox.eu/profile/11897
LinkedIn: / cryptocat
Reddit: / _cryptocat23
KZfaq: / cryptocat23
Twitch: / cryptocat23
↢NahamConCTF↣
ctftime.org/event/1630
ctf.nahamcon.com/challenges
/ discord
↢Resources↣
Ghidra: ghidra.re/CheatSheet.html
Volatility: github.com/volatilityfoundati...
PwnTools: github.com/Gallopsled/pwntool...
CyberChef: gchq.github.io/CyberChef
DCode: www.dcode.fr/en
HackTricks: book.hacktricks.xyz/pentestin...
CTF Tools: github.com/apsdehal/awesome-ctf
Forensics: cugu.github.io/awesome-forensics
Decompile Code: www.decompiler.com
Run Code: tio.run
↢Chapters↣
Start: 0:00
Jurassic Park: 0:15
EXtravagant: 3:07
Personnel: 6:42
Flaskmetal Alchemist: 11:45
Hacker Ts: 22:42
Two for One: 31:46
End: 42:23

Пікірлер: 50

@MantisSTS 2 жыл бұрын

Another awesome video dude! Really great "writeup" of all the challenges!

@_CryptoCat 2 жыл бұрын

🙏🥰

@sahilpawar5152 2 жыл бұрын

Man I had seen a challenge similar to the last one in some CTF but I couldn't solve it and weeks later, I forgot name of the CTF so I couldn't search for its writeup 😅. But now I found challenge similar to it. Thanks man really appreciate your efforts ❤️.

@_CryptoCat 2 жыл бұрын

thank you 🙏🥰

@jonathanhoyos8191 2 жыл бұрын

I did enjoy. Keep posting more interesting CTF-Web challenges solutions :D

@_CryptoCat 2 жыл бұрын

thanks mate 🙏🥰

@migo369 2 жыл бұрын

Awesome man! Really enjoy your videos, keep it up.

@_CryptoCat 2 жыл бұрын

thanks mate 💜

@ca7986 2 жыл бұрын

Amazing walkthrough

@_CryptoCat 2 жыл бұрын

ty 🙏🥰

@jorgevilla6523 2 жыл бұрын

great video thanks

@_CryptoCat 2 жыл бұрын

💜

@desade2696 2 жыл бұрын

I was just able to do prisoner haha. When see you do it, becomes so easy. But i learn a lot from your video's. Spend hours on that Jurassic Park, now i learn about robot.txt! Next goal is next time reach top1500 or so haha. Really love to know how solve Degradation. Enjoy how you explain things as well. Have great weekend!

@_CryptoCat 2 жыл бұрын

thanks mate 💜

@khalilbouzidi8432 2 жыл бұрын

Thank you for sharing very informative, hope to see some buffer overflows

@_CryptoCat 2 жыл бұрын

Thanks mate 🥰 No pwn challs from this CTF but there's *a lot* already on the channel 😉

@khalilbouzidi8432 2 жыл бұрын

@CryptoCat yes already did watch them (good content === new subscriber :D), i did know this channel when i was trying to do babysteps challenge, still couldn't solve it 🙃

@_CryptoCat 2 жыл бұрын

@@khalilbouzidi8432 there was a few ways to solve babysteps, i just used ret2libc which comes up a lot in CTFs although this was 32-bit, which is less common: github.com/Crypto-Cat/CTF/blob/main/ctf_events/nahamcon_22/pwn/babysteps.py

@khalilbouzidi8432 2 жыл бұрын

@@_CryptoCat I'm trying to learn more about pwn so thanks for the guidance

@SuperSohaizai 2 жыл бұрын

Just when I want to search for write ups, I found this. Perfect timing. Couldn't join the event at that time so will make use of this, thanks! Edit: was going to try dirbuster of some sort, but it is not allowed apparently, at least according to the rules

@_CryptoCat 2 жыл бұрын

Yeh, that's typically the case with CTFs, no automated tools. They normally say that due to the infrastructure though. I think it makes a lot less sense as a rule when each player has their own instance. I guess the challenges are designed to be solved without brute force though 😅

@SuperSohaizai 2 жыл бұрын

@@_CryptoCat yeah I agree with that part. Brute forcing kinda take the beauty out of it to be honest, even though it does make it harder. Not gonna lie, dirb was always on my mind when I was attempting, and have to keep reminding myself haha. Thanks again for the video!

@_CryptoCat 2 жыл бұрын

@@SuperSohaizai It really wasn't needed here, I just thought I'd include it in because it's one of the first things you'd do on a HTB machine, or in a real pentest. Knowing my luck people will do in CTF events now and get suspended for breaking rules: "😮 but I learnt it from CryptoCat?!" 🤣 Thank you! 🙏🥰

@MrFontaineInc 2 жыл бұрын

I definitely need to brush up on Regex. Personnel stumped me and it was so simple.

@_CryptoCat 2 жыл бұрын

that one was cool! don't see it much in ctfs 😊

@BaNguyen-xt9bg 2 жыл бұрын

I wait for pwn sir!

@_CryptoCat 2 жыл бұрын

No pwn this time! I solved a couple of the easier ones but they were very similar to videos I've made before.

@vancaotran7547 2 жыл бұрын

when will you have the pwnable video of nahamcon CTF ? I'm really looking forward to it

@_CryptoCat 2 жыл бұрын

never 😆 it was a great CTF but I don't have time to cover all challenges, especially when there's multiple competitions every week. I typically either: a) pick a category b) solve easy-ish challs from multiple category c) pick 1-2 hard challenges angstrom CTF video is coming later today though, containing a few pwn challs 😉

@0xgodson119 2 жыл бұрын

🤩

@_CryptoCat 2 жыл бұрын

nandri 🙏🥰

@nuridincersaygili 2 жыл бұрын

excellent! anything for babyrsa?

@_CryptoCat 2 жыл бұрын

nope! i normally avoid crypto 😁

@sudoer92 2 жыл бұрын

Nice video i learned alot, did you win the ctf ?

@_CryptoCat 2 жыл бұрын

thanks mate 🥰 i definitely didnt win haha, just did a few challenges 😁

@IlmuGuru 2 жыл бұрын

Auto subscribe , dont take down this vidio

@_CryptoCat 2 жыл бұрын

ty 🥰 i wasn't planning to take down the video but youtube censors be warned!! 😀

@IlmuGuru 2 жыл бұрын

@@_CryptoCat Calm down I've saved it in the gallery🤣

@rehanmumtaz5972 2 жыл бұрын

Can u share the presentation link?

@_CryptoCat 2 жыл бұрын

From the conference? Which presentation? I think they'll be uploaded to kzfaq.info

@rehanmumtaz5972 2 жыл бұрын

@@_CryptoCat i think you open the presentation while solving hacker T's challenge... may be its of defcon i guess

@_CryptoCat 2 жыл бұрын

@@rehanmumtaz5972 oooooo I know what you mean! here it is: docs.google.com/presentation/d/1JdIjHHPsFSgLbaJcHmMkE904jmwPM4xdhEuwhy2ebvo/htmlpresent

@rehanmumtaz5972 2 жыл бұрын

@@_CryptoCat Thanks for sharing btw great explanation of these web challenges ! 💓

@_CryptoCat 2 жыл бұрын

@@rehanmumtaz5972 💜

@kaizensky3399 2 жыл бұрын

Did you forget to add Deafcon?

@_CryptoCat 2 жыл бұрын

nah haha a teammate solved it and i didn't have all that much time. I was just going to pick 1 hard chall.. then couldn't solve any and did a few web instead 😂 I struggled enough with some of the xss ones bc im a n00b 😆

@seif-allahhomrani2169 2 жыл бұрын

@@_CryptoCat it's cool that u mention ur failures and ur successes bro !!

@tlouik 2 жыл бұрын

@@_CryptoCat no, you're pro D: