As a beginner programmer and database analyst, these videos truly fascinate me. I love your content John!
You could have checked the folder "routes" for the route implementation :) - awesome vid!
Wow just wow, watching you and IppSec hosting the HTB Battlegrounds tournament event tomorrow will be the best thing I could have hoped for. I am so hyped up to see it tomorrow :)
Seeing you do all this helps me understand it all in real time. Thanks, John.
You woke me up this morning lol. Great Video!
You should put this quote on a t-shirt, "Can I do weird stuff with it?" (timestamp 6:05)
Anyone else who has a nice subwoofer with their sound system, listen to those words that start with the letter "P"... now those are some hits in the LFE range.
Lots of Blind SQL, very interesting concept! Appreciate the video John
Man... I understood about 30-35% of what was going on in this video, but a year ago that would have been more like 1-5%. Can't wait to see where I am a year from now!
Big fan John Hammond 🙏
Mr Robot Easter egg at the beginning - sysadmin
I just about followed this. I'm getting better!
"(SYSADM) - Elliot Anderson"
Hello friend :_)
Every time I join back into one of these with you, John, my brain gets better 🥰
lol can relate
Sir I really appreciate your videos more helpful for bigger
This was really helpful! Good video :)
John Hammond is a Legend
The video i ve been waiting for. Finalllyyy.
Thanks so much ! It's really good !
This is art, bro, you're using the keyboard by your head
Genius John Hammond
Making my sacrifice to the youtube algorithm.
Great video by the way
Why is the response returning OK for each char tho?
I believe the password is being sent through as a regex expression that is telling the DB to match the first character only. The caret symbol (^) in regex means "start of line", so that query is asking the DB to match only the first character of the password.
That script was so freaking rad!
Great video as always and learning a ton from watching!
I was a bit late to join, just in time to see the conclusion, gotta rewatch later.
Thanks.
love the thumbnail
Am I missing something, or why does a backend service/DB connector answer with a success message if I post a part/single character of a PW that happens to be the beginning of the real PW?
I'm confused too.
Sounds like a bad implementation of user passwords. Shouldn't it fail until the full password string is provided? The password hash would be completely different once a letter has been changed :)
And shouldn't there be a login time-out, blocking of IPs for too many attempts?
@@ArthursHD Idk to be honest. For me it seems like the password check is doing a ".beginsWith(input)" check and we brute force our way into it.
I fail to see how this is a blind NoSQL injection, because under a (No)SQL injection I understand either modifying data or gaining access to data that should not be accessible to you, not brute-forcing an admin password.
But this just seems to be an easy-mode brute force attack, because even normal brute force attacks require you to send the complete password, not parts of it.
Maybe I'm missing something that Mongo does to inputs and how it handles stored data access which would explain why this strange brute force attack worked.
But in that case I didn't catch the explanation for it, even after 3 rewatches.
@@GiQQ Okay, after reading a bit about the Python % strings and understanding how Mongo handles search "queries", I get what happens here.
In short, we put a MongoDB regex lookup into the POST request as the password parameter, which then causes Mongo to look for a user named "admin" where the regex matches true. So we could have logged in way earlier (like the first C) if we got a token in response.
I feel like this part could have been explained a bit more/better in 2 to 3 sentences, like I did above. But maybe that happened in other videos he made before and mentioned, and he didn't want to repeat himself.
Which is understandable, but it also makes them harder to use as standalone learning videos, because I found his video from a Google search for "MongoDB NoSQL injection".
But this attack wouldn't work on any even half-assed login system, as the DB would not store plain PWs and would only use the hash of the request payload and compare it with the hash that is stored in the DB (+ hopefully some salt). So the cool regex would be just a long hash value and would always return false, even if you give the correct password string into the regex, because the word regex itself would cause the hash to be completely off.
It could however work for other plain data fields.
But then my question would be, how do we sanitize user input for which I need to query? Are there built-in functions in the Mongo adapter for the corresponding platform (e.g. mongoose)? There is not a lot on the web for MongoDB input validation/NoSQL injection. At least way less than what SQL injection offers.
@@GiQQ But if my backend logic is to insert user inputs into my hash function and then search for the hash in my hashed-PW DB, I would also hash the '{"regex": "....."}' part, because that is what my request has as the value for the password key (inside the payload) and which will get pumped into my hash function.
A couple of days ago I solved a CTF like this; it wasn't SQLi, it was brute force. I think it was from Hacker101.
u r awesome John 👍🏼
Awesome videos, keep making 'em please
I love John Hammond's scripts 😁👍👍
I'd be very curious to see the API code that allowed for this injection to take place. I'm assuming it's located in the "routes" folder somewhere (which you can see included in the Express code on line 17). Very informative video, thank you sir!
Here it is:

// Assumed requires, not shown in the original comment: the route file is an
// Express router and User is the Mongoose model for the users collection
// (the model path is a guess).
const express = require('express');
const router = express.Router();
const User = require('../models/User');

router.post('/api/login', (req, res) => {
  // req.body is parsed JSON, so username and password can be any JSON type,
  // including an object such as { "$regex": "^a" }, which is passed into the
  // query document unchanged. That is the defect the challenge is built on.
  let { username, password } = req.body;
  if (username && password) {
    return User.find({
      username,
      password
    })
      .then((user) => {
        if (user.length == 1) {
          return res.json({ logged: 1, message: `Login Successful, welcome back ${user[0].username}.` });
        } else {
          return res.json({ logged: 0, message: 'Login Failed' });
        }
      })
      .catch(() => res.json({ message: 'Something went wrong' }));
  }
  return res.json({ message: 'Invalid username or password' });
});

module.exports = router;
Me too. Hey, did you find what bad code practice led to this exploit? If so, could you share the resource?
great, love your vids. hope that this will be great as well!
These videos are really cool!
awesome stuff man
really enjoyed the stream
Cool stuff John
Well, this is scary
love u man
algorythm!
Hey John! I'm a huge fan btw. So, I was wondering if it is possible to make the request faster?
How can we attempt these challenges again? Because now I can't seem to find a place from where I can access it.
great
Cool!
Guys, I'm really curious about something and I don't know where to ask. When you do the challenges on TryHackMe kind of websites you need to be connected to it, so how do hackers in Russia, for example, hack servers in other countries?
nice one!
Wish this challenge was available after the CTF ended so we could follow along.
I like CTF video!!!
comment for the algorithm!
👍
Sick video :)
I'm still somewhat new to THM and HTB (about 2 months in, daily), but I am a bit confused by what went on at the beginning of this video. Is there a place someone could direct me to so I could understand what was happening here, as it seems so different from the usual challenges? Docker, downloading all the source, etc... Thanks!
Perhaps this is what you are looking for: hackthebox[.]eu Or at least you can find what you are looking for there :)
Does hashing the password before saving prevent this type of injection?
Hey man, I love your videos, but there is a problem I am having. I installed Kali on VirtualBox and I am learning from INE, but when I try to connect to their VPN I get tcp (not bound), and when I tried the TryHackMe VPN file it gave me udp (not bound) as well.
I will be thankful if you could help.
Great, but not as good as the secret live stream today. 😜
please make more videos!
I wish I could understand any of this.
Isn't reading the source code before cracking it a little bit cheating?
Every challenge has a different difficulty level. Some of them provide “downloads” that you are expected to look at
algo comment
You have an exponential algorithm.
Try this to speed it up:
import string

new_printable = set(string.printable) - set('*+/;\'\\\"')
for c in new_printable:
    ...
Nod moor explain
Am I the only one who thought of using a try/catch block wrapping the if? lol
T finu d codo details coro codo
algorithm_thing.txt
Who saw mr beast in the thumbnail and came here
Hii i want to become a cyber expert if you can guide me sir so, plez reply