I really love this video! Watching you pick up a new technology that you really haven’t touched before and use off the shelf readily available tools to leverage exploits and create reverse shells is totally fascinating and as an Infosec voyeur, incredibly educational!
You are the best cyber security content creator.
Great video JH. I've been working on exploiting SSTI on a hackthebox machine and came here to see an example of the process. Thanks a bunch!
Did this for WordPress years ago at my agency. Not on the server, but we would compile it with Gulp then upload those files to the server.
There was a Gulp plugin that allowed us to use PHP with it flawlessly.
This video is very helpful for me in solving a CTF challenge.
I love how you searched pug and google giving cute little dogs.
Great video John, love the web app security content
missed these THM series sooo much😍
Well this is awkward 👀....
Fantastic work John! I love the part in some of your videos where you show how and where one could look for potential security weakness.
Currently learning pentesting on my own. Even if I don’t understand everything on screen, there are concepts I’ve studied that are starting to build upon themselves. Thank you for providing up to date content 💙
Awesome content as always John. Keep it coming 🙏🙏🙏
Yeah nah
Good John, love nodejs
My bad, I watched thinking pug was a dog. My bad. 🤣
You can use an ad blocker for blocking ads.
ublock origin (browser extension)
OMFG!!! sO mUcH aDs 🤣🤣
Nice work!
Good stuff as always - do you know if Snyk allows bring your own data store yet? We were looking at it but found that we couldn't host our own data store - or at least keep it in Canada.
Really Cool!
It's amazing how teenagers make us learn all this stuff 😅
How would you find out if a server was running pug? Love your videos btw...
do you recommend us any book to further our cyber knowledge study ?
I'm new to this; I wanted to know "how do we get to know what JS lib a web app is using?"
What shirt is that?
Translation souto form synk ?
As a programmer it drives me a little nuts when you just copy and paste exploit code without understanding really how it works. Sure, you're getting it from places you trust, but it's important to understand the nuances of how it works sometimes. For example, nodejs exec call does not wait for the called process to exit, which is why you had problems getting output or sleeping. You'd have to use a callback or event handler to get that stuff (which wouldn't help in this template anyway). You'd want execSync to get the pause or output you're looking for.
Also I am a bit mystified why you were hunting for exploits right off the bat. In the challenge pug is clearly being used in an unintended way (processing templates provided by users instead of the developer) so there's a potential security hole right there. So I would look for ACE functionality built right into pug (which you did find).
Pretty cool Snyk could figure that out just by looking at the code though. Tracing how variables are set and used through a program's source code is not trivial.
I understand where you come from but being a hacker requires you to think quickly and come up with solutions even if you do not have a lot of knowledge so...
@The MAZZTer
basically, on converting to HTML, the following should give id's output right?
doctype html
head
title #{function(){localLoad=global.process.mainModule.constructor._load;sh=localLoad("child_process").execSync('id')}()}
If yes, it's the same with execSync as it was with exec. There's no output. The sleep command works fine though.
But can't we output anything at all?
❤❤❤
Me using ejs instead of pug; now I am using reactjs for frontend.
Looks like server side template engines are the latest attack surfaces in town. RIP to devs that thought “Regex is good enough”
Why do you, as a security expert, use google chrome?
I really hope someone responds to this; this truly boggles my mind how you use spyware for your browser
I wouldn't consider myself a security expert, but what browser would you like me to use instead?
@_JohnHammond One that isn't proven to be spyware
Ungoogled chromium would be a good start for you
pug
Sir php website injection tutorial
Yep, I'm not a hater, but I try to stay away from these exotic frameworks amap, since these projects are ripe for CVEs.
Try to review your packages; sometimes all you need is in one file or method, just copy that over, do your changes and use it as your own, just don't forget to credit the original sob who worked hard to write that.
the beauty of oss...
starts @10:00 mins!