can you hack this screenshot service?? - CSCG 2021

Duration: 22:48

2021-08-19

[public] 13.9K views, 6.22K likes, 16.0 dislikes

Channel: LiveOverflow

I made a web hacking challenge for the Cyber Security Challenge Germany (CSCG) 2021.

Grab the files: https://github.com/LiveOverflow/ctf-screenshotter

Cyber Security Challenge Germany: https://www.cscg.de/

00:00 - Introduction to screenshotter app

00:58 - Set up the challenge

01:38 - First overview of functionality

03:07 - Review application architecture

03:51 - The Chrome service

04:19 - The main app service

05:07 - Chrome service IP leak

06:22 - The app secret

06:54 - Methodology: go for complex features

09:22 - The flagger/admin service

11:30 - First attack idea: XSS

11:55 - Reviewing Flask templates

13:09 - Useless self-XSS?

13:38 - Bypass demo restriction

15:45 - Using the Chrome SSRF?

17:00 - Leak websites of other users

18:31 - THE EXPLOIT!

22:04 - Outro

-=[ ❤️ Support ]=-

→ Support: https://liveoverflow.com/support

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

-=[ 🐕 Social ]=-

→ Twitter: https://twitter.com/LiveOverflow/

→ Website: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/

