I Hacked Another File Upload Website

jh.live/snyk || Try Snyk for free and find vulnerabilities in your code and applications! ➡ jh.live/snyk
More Fetch the Flag writeups: jh.live/ftf-writeups
Free Cybersecurity Education and Ethical Hacking

Comments: 160

  • @reikooters
    5 months ago

    This is why you don't trust filenames of uploaded files. Instead you should generate your own local filename when storing to disk - a string of random characters or at least a guid/uuid. Then you can store the local filename and the uploader's filename (without path) to a database to tie them together, and just use the uploader's filename for display purposes and in the Content-Disposition header when allowing the user to download the file again. This is basics. It's just like how there are particular file formats which you never store on the server as the same file which was uploaded, such as image files and PDFs - you load/parse them and then resave them in order to sanitize them.

  • @foxbeans1509
    4 months ago

    You don't even need to write them to the disk, you can just open a pipe to the stdin/stdout of dos2unix and read it that way.

  • @twirre
    4 months ago

    @@foxbeans1509 In this case you don't even have to make a trip to the server. This could totally be done client side.

  • @okie9025
    4 months ago

    This works until you consider something like image backup software, where conserving the file names and the actual folder structure is more important. If the user wants to download all of the images in the exact same way they uploaded them, you don't need to take a round-trip to the database to fetch the original file name for potentially 10s of thousands of images - you just send the images as-is.

  • @v12alpine
    3 months ago

    Then they can just use SQL injection instead, assuming there's still no sanitization or escaping.

  • @darekmistrz4364
    3 months ago

    @@twirre How do you want to run a Linux binary in the browser?
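The storage pattern @reikooters describes, together with the in-memory conversion @foxbeans1509 and @twirre mention, as an added Python example. This is not the challenge app and not code from any comment; it assumes a local directory for storage, uses a dict (`UPLOADS`) as a stand-in for the database row, and the names `store_upload`, `display_name_from`, `is_stored_name` and `to_unix` are chosen here.

```python
import os
import tempfile
import unicodedata
import uuid

# Added example, not the challenge's app.py: accept an upload without ever
# trusting the client-supplied filename. UPLOADS stands in for the database
# table that ties the random on-disk name to the name the uploader chose.
UPLOADS = {}


def display_name_from(untrusted: str) -> str:
    """Reduce the client-supplied name to something safe to echo back.

    Only the last path component survives ("../../etc/passwd" -> "passwd"),
    control characters, quotes and backslashes are dropped so the result can
    sit inside a quoted header value, and an empty result gets a fallback.
    """
    last = untrusted.replace("\\", "/").rsplit("/", 1)[-1]
    last = unicodedata.normalize("NFKC", last)
    cleaned = "".join(ch for ch in last if ch.isprintable() and ch not in '"\\')
    cleaned = cleaned.strip(". ")
    return cleaned[:255] or "upload"


def store_upload(upload_dir: str, untrusted_name: str, data: bytes) -> str:
    """Write data under a random, server-chosen name and return that name.

    The stored name is a UUID plus a fixed extension: nothing the client sent
    reaches the filesystem path, so traversal or shell metacharacters in the
    original name have no say in where the bytes land.
    """
    stored = f"{uuid.uuid4().hex}.bin"
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    UPLOADS[stored] = display_name_from(untrusted_name)
    return stored


def is_stored_name(name: str) -> bool:
    """Validate a name taken from a download URL before it touches the disk."""
    stem, _, ext = name.partition(".")
    return len(stem) == 32 and all(c in "0123456789abcdef" for c in stem) and ext == "bin"


def content_disposition(stored: str) -> str:
    """Header for re-download: the uploader's sanitised name, not the disk name."""
    return f'attachment; filename="{UPLOADS[stored]}"'


def to_unix(data: bytes) -> bytes:
    """Convert CRLF and lone CR line endings to LF, entirely in memory.

    Doing the conversion in Python means no filename or file content is ever
    interpolated into a command line, and nothing has to be written to disk
    just to be converted.
    """
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def demo() -> dict:
    """Run the flow on constructed input and report what happened."""
    upload_dir = tempfile.mkdtemp()
    stored = store_upload(upload_dir, "../../etc/passwd", b"root:x:0:0\r\n")
    return {
        "stored": stored,
        "valid": is_stored_name(stored),
        "on_disk": os.path.exists(os.path.join(upload_dir, stored)),
        "display": UPLOADS[stored],
        "header": content_disposition(stored),
        "converted": to_unix(b"line1\r\nline2\rline3\n"),
    }
```

`demo()` stores a file uploaded under the name `../../etc/passwd`; the bytes land under a UUID name inside the upload directory and the only thing the client's name influences is the display name `passwd`.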

  • @huskyhacks
    5 months ago

    *stands out of chair and throws roses at computer screen* BRAVISSIMO SIGNORE

  • @scwfan08
    5 months ago

    This is so out of my abilities but I kinda understood what he did. Amazing teacher.

  • @trustedsecurity6039
    5 months ago

    It is simple command injection; he just used Python to do the job, and that makes it totally unclear for beginners.

  • @coolestguy94
    5 months ago

    He cant keep getting away with it!!!

  • @joelanzo
    5 months ago

    He is not a cyber criminal, just raising awareness

  • @ZENUX_EDITS
    5 months ago

    He co-hosted the damn event he can do anything he want lmao 💀

  • @mollthecoder
    5 months ago

    Quick, we need to stop him, before it's too late!

  • @osintplayer6624
    5 months ago

    bro some of these people OMDS it was a joke...

  • @SK-cd9kk
    5 months ago

    @@joelanzo 💀

  • @fearlessmailbox7347
    5 months ago

    Hey man, I'm an automation engineer and I mainly work with PLCs and other industrial hardware. Just wanted to share that videos like these motivate me to practice more on the real software side. Thx my guy, have a good one

  • @Slangs
    5 months ago

    I am the exact opposite lol, any idea where to start if I don't have engineering background?

  • @norliegh
    4 months ago

    @@Slangs get a computer, open a terminal & start typing. If you don't understand something, google it with a "what/why". Almost all commands have manuals, so do "man " in the terminal. This way you can read the manual for that command. That's it.

  • @OhertRasmus
    4 months ago

    @@Slangs I'd recommend just googling what certain code languages are capable of doing. Search projects other people have done, and see what languages they've used. If you're interested in making DIY robots/machines, then I'd recommend Python (or ROS) for the Raspberry Pi and C++/C for the Arduino. I've studied automation for 5 years, and Python is my daily driver. Python is a good and easy starting point for automation type tasks.

  • @fearlessmailbox7347
    4 months ago

    @@Slangs I'm not entirely sure. Most hardware lies behind very expensive licenses, so it's a bit harsh to get into on your own

  • @kevinwilson7213
    2 months ago

    Dude! Such a cool attack. Also, pretty amazing that SNYK finds the -debug mode enabled vuln AND command injection vuln (I guess they are linked, but still... cool). I also loved the panic that set in when dosbox was blasting your screen, hahaha (meaning it's nice to know I'm not the only one who panics :)

  • @GavinFraser
    5 months ago

    Congrats on 1 Million 🍾

  • @Hackerjedi
    5 months ago

    amazing content as ever love your little python exploits

  • @sylvainc8146
    5 months ago

    This is a completely crazy vulnerability. 🤣 I challenge you to do the same on a Django environment !

  • @donkaos501
    5 months ago

    16:03 brain buffer overflow

  • @debarghyamaitra
    5 months ago

    Best explanation on the internet!

  • @darekmistrz4364
    3 months ago

    This is a great example of why security can have many levels. You can still use this code "securely" if you host it in an ephemeral environment where access like this isn't a dealbreaker. If this were hosted on AWS Lambda (or Lambda+S3) with proper timeouts then attackers are wasting their time. I'm not a cloud advocate, I don't even like AWS. You can use whatever function/lambda/serverless platform you want to. But for a web application like this, where file access from the public internet is possible, it's good practice to keep it contained in a safe sandbox. If you wanted, you could even set it up so that each session is handled by a different Docker container with a lifespan of 1 minute or something similar. It's a bit more advanced setup but still doable with mostly open-source tools and without "serverless" bs

  • @vargnaar
    5 months ago

    I'm sorry Orange flavoured John but all that amazing information went right through me because I couldn't stop noticing how you're gripping the mic while it is on a very nice armature. 👀

  • @razzawazza
    5 months ago

    Damn 1m subs congrats mate.

  • @LadyLatency
    5 months ago

    gr8 content, slight note: I don't think I've ever heard someone pronounce /etc other than 'et-see'

  • @kleinesfilmroellchen
    4 months ago

    7:49 filenames with spaces can add arbitrary shell commands, and filenames can contain dots so they may be written to outside the upload folder.

  • @vnc.t
    3 months ago

    yes, i was thinking you just set filename to " || "

  • @attilao
    4 months ago

    To be fair, this is a pretty blatant vulnerability, even the most basic code review should catch it. Even LLM based code reviews. That said, nice video, well done.

  • @darekmistrz4364
    3 months ago

    Also this should be running in an ephemeral environment where access like this isn't a dealbreaker. If this were hosted on AWS Lambda (or Lambda+S3) with proper timeouts then attackers are wasting their time.

  • @dennisk4813
    5 months ago

    Great video 🎉 I'm a little bit confused about the ordering of the entries in the files list within the write_file function. I thought the first parameter after the -n -f flags is the input file, thus I would have swapped the ordering of entries in the files list. But maybe I overlooked something 😅

  • @Slangs
    5 months ago

    me too, I am still very confused about this, no idea what happened there

  • @Ebiko
    5 months ago

    Could you add a timestamp? Cause the order is correct from my quick glimpse. First input, then output parameters. The file list looks correct at ~17:00

  • @dennisk4813
    5 months ago

    @@Ebiko Yeah sure! I meant the files list at 25:00. The list at 17:00 also looks good to me 😊

  • @1vader
    4 months ago

    The upload doesn't have anything to do with dos2unix, it's just the functionality of the app. You upload a file before it's passed to dos2unix. It's definitely pretty confusing in the video, you don't need the -f or -n or anything like that for uploading.

  • @rbalfanz
    4 months ago

    Same. Will watch that section a third time now after reading these comments to understand what I’m missing.

  • @landless-wind
    5 months ago

    thanks with love from: PCA - Philippines

  • @0x42NaN
    4 months ago

    even before you asked I thought about unsanitized filename inputs. path traversal attacks maybe. maybe reverse shell with a really funny spoofed POST

  • @roadw2k
    5 months ago

    Once you got into the reverse shell, and that you had sudo access, wouldn't you be able to do the "sudo cat /root/flag.txt"?

  • @Sk-oh7rv
    5 months ago

    When using sudo -l command, you list the possible things that you can run (along with info such as if you need to put the password of the user, etc). In this case, you could only use sudo to execute /usr/bin/dosbox, so you can't do "sudo cat". That's why you have to find a way of escalating your privileges within the context of using dosbox, since it maintains the root privileges while the program is running.

  • @1vader
    4 months ago

    Not sure if that was just an accident but you don't have to declare global variables with "global" to read them in a function in Python and I'd say it's pretty bad style to do it. You only need to do that to write to them since Python will assume you're trying to declare a new local variable otherwise.

  • @AhmadAli-sd5mk
    5 months ago

    we need a full course on Udemy :)

  • @kgopikkk
    5 months ago

    really awsm... love the way you explained

  • @Slangs
    5 months ago

    I am a bit confused; shouldn't the script write the input to the output, and that's how you read /etc/passwd? How did you replace /etc/passwd and it just wrote to it?

  • @nothanks39
    4 months ago

    In app.py it tries to save each file to upload_folder/filename. I think that when doing read_file("/etc/passwd"), app.py fails to save to /etc/passwd, then ends up doing dos2unix -f -n /etc/passwd output.txt, which writes the unchanged passwd file to output.txt. When write_file("/app/app.py", ...) happens, app.py overwrites itself when it saves all the files to upload_folder/filename. app.py can write to app.py because the crlf user (who is currently running app.py) owns app.py, but can't write to /etc/passwd since that needs sudo/root

  • @Euronauts
    5 months ago

    @25:49 I don't get how it goes to writing files, shouldn't the output filename become the '/app/app.py' value so it reads the source from bad_app and writes that to the app's source code file? Am I missing something?

  • @Halorocker101
    5 months ago

    Yea I don't understand why it didn't just write bad_app to output.txt.

  • @Euronauts
    5 months ago

    @@Halorocker101 So I watched it again and I missed at 5:55 the function that saves the file. So he only uses the output.txt file to get to the right path but actually the source file gets already saved when you upload it. At 8:46 he points out that the sanitized filename (filename var) is never used, that's where the vulnerability starts. Guess I should be less tired when watching John's video haha

  • @MP3Martin
    5 months ago

    @@Euronauts wait, so uploading a file named "/temp/test.txt" with the content "hello" will create a file in "/temp/" called "test.txt" with content "hello"? If not then I understand everything except the write_file function

  • @Euronauts
    5 months ago

    @@MP3Martin Yes indeed. Just by uploading a file you can escape the upload directory, because the function never sanitizes the filename.

  • @MP3Martin
    5 months ago

    @@Euronauts thanks
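The two mechanics these threads describe, the unsanitised name escaping the upload folder (the @nothanks39 and @Euronauts explanations) and a name with spaces or `||` reaching a command line (the @kleinesfilmroellchen and @vnc.t thread earlier), in one added Python example. It is not the challenge code or anyone's comment; `/app/uploads` is an assumed layout, the names `naive_target`, `safe_join`, `is_confined`, `dos2unix_argv` and `convert` are chosen here, and `dos2unix` is only executed if it is installed.

```python
import os
import shutil
import subprocess

# Added example, not the challenge code. UPLOAD_DIR is an assumed layout.
UPLOAD_DIR = "/app/uploads"


def naive_target(filename: str) -> str:
    """The pattern the thread describes: join the folder with the raw name.

    os.path.join throws away everything before an absolute component, so an
    uploaded "/etc/passwd" or "/app/app.py" is written outside the folder.
    """
    return os.path.join(UPLOAD_DIR, filename)


def safe_join(base_dir: str, untrusted: str) -> str:
    """Return base_dir/untrusted only if it resolves inside base_dir.

    Relative sub-paths such as "photos/2024/a.jpg" are allowed, which keeps
    the preserve-the-folder-structure use case from the first thread working;
    absolute paths, "..", and empty names are rejected.
    """
    if not untrusted or untrusted.startswith(("/", "\\")):
        raise ValueError("absolute or empty path rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the upload directory")
    return candidate


def is_confined(base_dir: str, untrusted: str) -> bool:
    """Boolean wrapper around safe_join for checks and tests."""
    try:
        safe_join(base_dir, untrusted)
        return True
    except ValueError:
        return False


def dos2unix_argv(input_path: str, output_path: str) -> list:
    """Argument vector for dos2unix that never passes through a shell.

    subprocess.run receives a list (no shell=True), so a name such as
    'x || id' is one literal argument rather than a second command. The
    paths come from safe_join and are absolute, so they cannot be mistaken
    for options either.
    """
    return ["dos2unix", "-n", input_path, output_path]


def convert(base_dir: str, untrusted_name: str, output_name: str) -> list:
    """Confine both paths, then run dos2unix without a shell.

    Returns the argv used so the caller can log exactly what ran. If dos2unix
    is not installed the command is built but not executed.
    """
    src = safe_join(base_dir, untrusted_name)
    dst = safe_join(base_dir, output_name)
    argv = dos2unix_argv(src, dst)
    if shutil.which("dos2unix"):
        subprocess.run(argv, check=True, capture_output=True)
    return argv
```

`naive_target("/etc/passwd")` returns `/etc/passwd` with no trace of the upload folder, which is the whole of the write primitive discussed above; `safe_join` rejects that input and `../app.py` alike while still accepting nested relative names.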

  • @tutacat
    3 months ago

    Man will never move the webcam view.

  • @kageofkonoha
    4 months ago

    Excellent teaching video. Btw, I'm speaking with over 3 decades in the field: the - in the ASCII world is a dash. "Tack" is a military term, basically used for the same thing, but as people left the military for the field it was taught to others, and that's how it got introduced into the field, but it never entered the ASCII table description. Look up an ASCII table. It will be hyphen-minus.

  • @charlesmarseille123
    5 months ago

    The standard voice is back!!!! ALRIGHT :)

  • @Angelinajolieshorts
    5 months ago

    A great explainer . ❤❤❤

  • @leonardok1761
    5 months ago

    Hello, I think Flask debug mode is not known for being secure; does this exploit work in a production env? Do you have recommendations to prevent those backdoors, or is Flask simply dangerous? Thanks for this great video.

  • @sorenkirksdjfk7310
    5 months ago

    Flask is fine, he created a scenario that left out a vulnerability; it wasn't Flask's fault.

  • @saarza9991
    5 months ago

    @@sorenkirksdjfk7310 flask: 😢

  • @abitterberry2149
    5 months ago

    Great challenge! I can understand why it's your favorite; these 'HackTheBox like' challenges with multiple steps are always so satisfying to solve. A perfect challenge to develop an efficient post-exploitation workflow while sharpening your observation skills!

  • @jakelancaster5889
    5 months ago

    Why did you have to do global url in the function? Wouldn't it automatically be in global scope, being declared already above?

  • @1vader
    4 months ago

    Yeah, there was no reason he had to do that, I think he just got a bit confused.

  • @SamuelViagus
    4 months ago

    This man needs a raise!

  • @highfiveshighfives4980
    5 months ago

    Someone’s got to stop him

  • @Reflexes18
    5 months ago

    In the first min I was thinking: wait.. how did you copy and paste a file from your host to your virtual machine, and how did you zoom in with the terminal?

  • @aeghohloechu5022
    5 months ago

    If you have the VM guest extensions set up properly you can actually copy-paste between host and VM. And Ctrl+"+" for zooming in

  • @scary34
    5 months ago

    Ctrl + scroll down to zoom

  • @epic_labs
    5 months ago

    TIL debug mode is dangerous :o

  • @yajusgakhar6969
    5 months ago

    Love his channel

  • @user-bg1xh3yl5o
    5 months ago

    what is he using for the terminal autocomplete or predictive text or whatever it is?

  • @Sk-oh7rv
    5 months ago

    tab key

  • @CaptTerrific
    5 months ago

    3:57 IANAH... is this going to be as simple as piping in another command? :D

  • @tutacat
    3 months ago

    CR is just called carriage return, not carriage return, line feed (CRLF)

  • @LordMarcus
    5 months ago

    If you're in a position to know you need a CRLF convertor, aren't you probably in a position to know either how to do it or how to look up how to do it with whatever editor you're using?

  • @Zer-ei4co
    5 months ago

    Good point lol. I assume he just used that site for demonstration purposes because it's simple.

  • @QWERTIOX
    5 months ago

    Moral of the story: don't run shell commands with user-provided data. And is it really needed to use that command to convert the file? Like, you could have done that with a simple replace-all, or even not use uploading at all and just convert these files in place using JS in the user's browser

  • @WolfrostWasTaken
    4 months ago

    JS in place is underrated. No need to call any server, the app will even work offline and it will be faster.

  • @arjix8738
    4 months ago

    @@WolfrostWasTaken it is not underrated, it is actually overrated but for the wrong reasons lol

  • @darekmistrz4364
    3 months ago

    @@WolfrostWasTaken Great! Please share your JavaScript code that has no problem running any Linux binary. I have so many of these converting web applications that it would save me a lot of hassle with ffmpeg and all sorts of custom C++ binaries

  • @jimdiroffii
    5 months ago

    My guess is the vuln is in the filename parsing.

  • @Helloworldred
    5 months ago

    you should stop the lizard overlords help the resistance

  • @ChrisBradel
    4 months ago

    Great video but the grabbing of an already mounted mic gives me a weird anxiety. 😅

  • @seanbrisson7928
    5 months ago

    1:58 yea welll u know 'Encoding' 👀 I mean we had the same job until it was illegal 😎

  • @keithharvey633
    5 months ago

    Why would a website like that even need a backend haha, it should just do all of the transformation locally

  • @upsxace
    4 months ago

    So you can keep people's data 🤫

  • @matejkuka797
    5 months ago

    nice t-shirt :)

  • @ImNotSion
    5 months ago

    Beautiful 💓

  • @possessedllama
    4 months ago

    If you had access to sudo, why couldn't you just do sudo cat /root/flag.txt? Or am I misunderstanding something about the challenge?

  • @antiandrogen
    4 months ago

    Sudoers allows you to control both which commands a user/group can run and with what level of authentication. In this case the app's user had access to run dosbox as root without a password, and no sort of access to any other command.

  • @thechumbinator3070
    4 months ago

    I love when you try to get privilege escalation you accidentally open a portal into the 5th dimension

  • @quinniwe
    5 months ago

    0:22 so that's why all my text files end in an empty line that I cannot figure out how to get rid of

  • @InfernalOd1n
    5 months ago

    very enjoyable.

  • @l15t3nr
    5 months ago

    Great video! My question is, why doesn’t the server need to be restarted after the bad app code is injected?

  • @chrissametrinequartz9389
    5 months ago

    He explained in the video that Flask reloads automatically upon file changes
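Two start-up self-checks for the points raised in the Flask debug threads above (debug mode and the automatic reload that made the overwritten app.py take effect without a restart) and in @nothanks39's note that the service user owned app.py, as an added Python example that is not the challenge code. `APP_ENV` is an assumed deployment variable, the function names are chosen here, and Flask itself is not imported so the checks run anywhere; the writability test is by permission bits only, which is what a deployment lint wants to see.

```python
import os
import stat
import tempfile

# Added example, not the challenge's app.py. APP_ENV is an assumed variable.


def run_settings(environ: dict) -> dict:
    """Derive Flask's debug/reloader flags from one explicit deployment flag.

    Debug mode turns on the Werkzeug debugger and the reloader that picked
    up the overwritten app.py without a restart; both stay off unless the
    deployment explicitly says this is a development box.
    """
    dev = environ.get("APP_ENV", "production") == "development"
    return {"debug": dev, "use_reloader": dev}


def source_writable_by(path: str, uid: int, gid: int) -> bool:
    """True if an account (uid, gid) could modify path, judged by mode bits.

    The service account in the thread owned its own app.py, so the app could
    rewrite itself. Running as a different user with the source read-only
    removes that step even if an upload does escape the folder.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def deployment_problems(source_path: str, environ: dict, uid: int, gid: int) -> list:
    """Collect the findings a start-up self-check should refuse to run on."""
    problems = []
    if run_settings(environ)["debug"]:
        problems.append("debug mode enabled")
    if source_writable_by(source_path, uid, gid):
        problems.append("service account can overwrite its own source")
    return problems


def demo() -> dict:
    """Exercise the checks on a constructed file and return the findings."""
    fd, path = tempfile.mkstemp(suffix=".py")
    os.close(fd)
    me, my_group = os.geteuid(), os.getegid()
    other, other_group = me + 1, my_group + 1   # a separate service account
    try:
        os.chmod(path, 0o644)  # owner-writable, like the app.py in the thread
        as_owner = deployment_problems(path, {"APP_ENV": "development"}, me, my_group)
        os.chmod(path, 0o444)  # read-only source, different service account
        hardened = deployment_problems(path, {"APP_ENV": "production"}, other, other_group)
    finally:
        os.remove(path)
    return {"as_owner_in_debug": as_owner, "hardened": hardened}
```

`demo()` reproduces the challenge's posture first (debug on, source owned and writable by the running user) and then the hardened one; only the first produces findings.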

  • @magnus4121
    5 months ago

    Cool!

  • @BryceDixonDev
    5 months ago

    "werkzeug" is pronounced "verk-zoig" by the way

  • @Hackathon1
    5 months ago

    It input fields to manipulate the formatting or execute malicious actions in the application like carriage Return (CR - ) and line Feed (LF - )

  • @Cyberfishofant
    5 months ago

    umm wot

  • @RobluxDev
    5 months ago

    oh shit I thought it was gonna be putting a cmd inside of the filename but this is genius, this way u can grab the ssh key

  • @aidenberzins
    4 months ago

    and leave yourself a backdoor for later too

  • @lpls
    4 months ago

    I'd never implement it this way.

  • @sdafasfF
    5 months ago

    yup command injection

  • @logiciananimal
    5 months ago

    Using dosbox to privesc is new to me ...

  • @a2sbestos768
    4 months ago

    you need the `global` modifier to overwrite a variable, not to access it

  • 5 months ago

    Damn I just got unskippable ads 😭

  • @Classfied3D
    4 months ago

    2:30 in... I know where this is going... Edit: And it also looks like there's an XSS vulnerability ;-;

  • @zloy_base64
    5 months ago

    hello bro, can you make a channel with Russian voiceover? For example, a neural network

  • @Pohakoo
    4 months ago

    Could you add chapters to this video

  • @Lampe2020
    5 months ago

    12:12 Instead of the list of tuples, why don't you use a dict?

  • @moomoomamoo
    3 months ago

    Paused at 8ish minutes. As a frontend dev who didn't do much Python stuff, I did not see anything wrong

  • @petsoukos
    5 months ago

    crazy...

  • @Iongjump
    4 months ago

    that's awesome

  • @vk8a8
    4 months ago

    He thrungs it ☹️

  • @MarcusAndersonsBlog
    5 months ago

    Tac? Tach? Tak? What? Are you serious? You can't even use the right word for a "-".

  • @trustedsecurity6039
    5 months ago

    What advantage do people find in this challenge to use Python? I use it when I need to manipulate the response and do something with it, like some decoding, re-encoding and sending it again, but here I don't see any advantage at all.

  • @aidenberzins
    4 months ago

    He just happens to know Python; it's a fairly easy language to pick up, especially for red team.

  • @WarrenGarabrandt
    5 months ago

    Hackers respect him. Webmasters fear him.

  • @-ripinpieces-8409
    4 months ago

    lol

  • @Mezzosd
    5 months ago

    Nice

  • @MortvmMM
    5 months ago

    Stop hacking kids high school projects! I'm serious, those were 'made to be hacked'...

  • @random6033
    4 months ago

    Why the hell are people using Kali Linux

  • @halopronesishere4019
    5 months ago

    oh yeah. Finally again some Seth Rogen hacking vid :)

  • @AHN1444
    3 months ago

    filename

  • @SchoobyDrew
    5 months ago

    oh... another ctf video, thanks for the misleading title

  • @OGPargon
    5 months ago

    No wonder anonfiles is gone, you probably took it down

  • @HarbourBreach
    5 months ago

    nice gpt flask app 😂

  • @u28OO
    5 months ago

    desu desu desu

  • @MatinDevs
    4 months ago

    wow

  • @fresa6354
    4 months ago

    That kid gives me bad vibes. 🤓☝🏻

  • @Jupek5936
    5 months ago

    no fucking idea what this is about and I'm at 22:34

  • @Dogecoin2TheMoon
    5 months ago

    11th comment

  • @user-jm5te3xx4e
    5 months ago

    nice

  • @gege42o83
    5 months ago

    first

  • @NoName-rz4or
    5 months ago

    Is it your real voice or are you using some sort of converter to make it deep? It's not good at all..

  • @MartinBarker
    5 months ago

    You got something wrong: "you typically see on Linux or Mac based operating systems", the default for these is that that is not the case. Mac uses or ' ', Linux uses or ' ', Windows uses ' '. So please don't lie to people to make it seem like Windows is the one in the wrong; they are all different.

  • @jell0goeswiggle
    5 months ago

    Mac Classic used , but it's been over 20 years since OS X was released, and that uses the POSIX line ending. So he's only incorrect if you're looking at extremely old files. Windows more accurately represents a typewriter (and possibly some old terminals), but I don't believe he called it incorrect, just different. Although in the case of a typewriter, the order of carriage return and line feed doesn't really matter.

  • @cyber_space09
    5 months ago

    😂❤❤❤❤🎉💀💤 Cool ⚡🧃

  • @alessandrovalenza779
    3 months ago

    I didn't understand a damn thing

  • @johnburrows7938
    4 months ago

    Why are you shouting?

  • @darimuhittin
    5 months ago

    Shit on other people's hard work. Congratulations, what a good thing to do. You are now an FBI agent.

  • @scorix_
    5 months ago

    I don't think you get the point of penetration testing. Pentesters like John are employed by companies to test their systems against common bugs and exploits such as these here. After that, they report a full description of how they achieved access and the company can fix their loopholes. It is necessary for big companies to have people constantly testing their systems so hackers cannot compromise them. This video shows you a potential way of exploiting dos_to_unix and how wrong it can go, so pentesters can look for these kinds of things when testing. It is never a good idea to just "not test your system and close-source everything", because hackers will try to get in, no matter what. Better be prepared and have obvious loopholes closed by pentesters. Big companies such as Google even give out prizes for bugs others find, and they can go into the 100k range depending on how bad the compromise gets.

  • @nomad_swe
    5 months ago

    It's not someone else's work? He literally mentioned that this is a challenge he himself created for a CTF event. It's literally code that is meant to be hackable if you know what you're doing, that's part of the challenge...

  • @sophiophile
    5 months ago

    What are you talking about? He created the website as part of a fun hacking challenge. You are literally the one shitting on other people's hard work, ironically.

  • @txfalkon2882
    5 months ago

    thanks for the efforts you put in to deliver awesome knowledge and we hit 1M subs. 2M next --------->>---->>

  • @muthuijr
    5 months ago

    Thank You @JohnHammond

  • @WoWUndad
    5 months ago

    Hi man, thank u for the directions, I was able to hack facebook and read my gf's messages

  • @HarvestHaven09
    5 months ago

    Ultimate 🥏