A compelling demonstration of how chaining minor misconfigurations can lead to total system compromise. It effectively exposes the inherent fragility of blacklist-based security in modern web architectures.
Delta Obscura Meetup - #1
I'm just uh trying to see if the recording works. And uh I'm going to wait until 4:00 p.m. It's not yet 4:00 p.m. So I have to wait, let's see, 10 minutes at least.
So until then, I'll just be adjusting everything, ensure everything is okay.
So I think now my screen is being shared as well and it's recording. So I assume that both my uh my camera and my screen is being recorded.
[snorts] It's uh my first time using Google Meet for this sort of stuff. So, I'm still learning the ropes.
We are 3 minutes until we get started.
I'm not sure how many people will join, but since the meeting is going to be recorded, well, oh, my microphone is right here.
Since the meeting is going to be recorded, um I don't think a lot of people need to join for this video to be beneficial.
Oops. What happened?
So, I'm going to get started now. And I'm not sure if the people will be able to join or do I need to give them permission to join because sometimes I think that's the case with some platforms where you have to give permission and people wouldn't be able to join without it.
So the purpose of this video is going through several um issues such as uh let me just um show this to you.
We have meetings and I think we also have a calendar over here.
Let me find it.
I think I've gone blind. I don't see my calendar here. Oh, right. It's here.
So, where did you go? Okay, there we go.
So this video is about CVE hunting, escalating a variety of XSS and HTML injection to achieve RCE, remote execution, and more. So the techniques we are going to discuss is going to be state changing GET requests, state changing POST requests, converting GET to POST. Oh actually it's uh POST to GET, my bad, converting POST request to GET request. Filling forms and mimicking user clicks. Stealing other cookie values other than just document.cookie.
Triggering POST request with HTML forms.
Exploring image, iframe and SVG payloads.
Chaining multiple requests to achieve RCE and uh this the credit goes to Muhammad Tahan or Marshall, one of our members of Delta Obscura.
So this video is presented to you by Delta Obscura. We have uh cyber security meetups every month.
So you can get involved by going to meetup.cscyber.ca.
You can join our Discord server or watch our YouTube channel. Let me see someone has joined.
Hey, welcome guys.
And the three vulnerabilities, the three CVEs that I'll be going through in this video is this CVE that was found by me and Han Marshall. So this is CVE-2025-11027.
And this is basically a chain of vulnerabilities, a chain of XSS plus CSRF that leads to RCE. So this is um quite clever vulnerability by Han Marshall and it's the one I'm going to demonstrate first and then later I will demonstrate um the vulnerability on Frappy. I'm just going to call this Frappy. I'm not sure if it's called FRAP or FRAP. I'm just going to call Frappy LMS. So, Frappy is a framework. It's written in Python, but they also have a LMS. It's a vast ecosystem of different software. They have ERP, they have LMS, they have I think accounting software, they have all sorts of things. And uh we identify several vulnerabilities on their platform. And this is the vulnerability that I'm going to showcase to you where I'll be escalating a variety of uh simple XSSes to mimic user clicks and create a back door account which gives me administrator access.
The other one is CS sort of uh vulnerabilities on instance CMS and this one is where you will learn how to convert POST to GET request. How um HTML injection or basically using iframe or image tags can be useful to you uh by you know um escal escalating so variety of these vulnerabilities from something like alert one to something that matters.
So um I think I have explained everything and now it's time to jump on the vulnerabilities. So these are the things that we will be discussing and these are the targets that I'll be showcasing. I'll be showcasing one CV from every target and that will basically cover everything that's written in here and then more.
So I've already set up these applications. If you want I could possibly share the setup code though it's not something private because uh the version of Vvveb that is vulnerable, the first software that we are going to test is called Vvveb and the version of it that is vulnerable is 1.0.7.2.
So you can basically get that from GitHub and install it and you're good.
You can test the same vulnerabilities as we do and learn. But okay,
>> Now um that I've already installed it, I don't need to reinstall it again and I'm already logged in as administrator. But to test this vulnerability, we will be creating another backend user, another admin user through which we can upload an image or create a product. So basically I'm going to create users and I think the the vulnerability details tell us which uh which of these people can upload something and vendor can create and manage products and I think he can also upload a picture which is basically a picture for a product. So we are going to see this and I'm going to show this from the perspective of someone who is new. For example, if you're watching this for the first time and you're trying to learn CVE hunting, you probably don't know or probably get confused by this whole interface. And I want you to think uh from a developer perspective.
Um if you have developed any type of web applications in your life you probably understand that all web applications are about CRUD or create update delete and read operations. So basically there's nothing special here because look at this you have delete option you have a data option you have API tokens but you also have create option this is create you have delete create read update delete that's basically CRUD or C R U D. It's a very famous type of operation, literally every web application or most applications on the planet have these operations so let's not waste some let's not waste time and just edit this. This is the vendor account. This is the vendor's username. And uh let me see.
I think they added this bio thing. Not sure if it was here before or maybe it's in this version and not in the version that I usually get with Docker. So, I'm going to click active for this. And for the password, I'm just going to set it to something that works.
And also, I wanted to show you this. So this is how I keep track of things that I hack or pentest. I use obsidian in this format so that you can get an idea.
I use hack for the process of hacking something. I use install for the process of tracking how the installation went, how to reinstall it, what are the credentials and all sorts of things. So let me go right here. We have web and this is the password and we are going to reuse the password because it doesn't matter it's a containerized installation reusing the password here means nothing.
Let me see.
All right. So, so far there's only one person there.
Okay. The admin panel is admin.
This is vendor password login.
And from here we have access to products. We can go to products. we can create a new product and basically the featured media. This is where we can upload um SVG image. So there are numerous types of images. There is JPG images, PNG images. Um there's G, JP, EG, SVG, WEBP.
All these type of things are images.
So uh SVG is a type of image that can contain XML code inside it and also it can contain HTML uh JavaScript handlers or event handlers like onload on click these sort of things so that if you click on a um SVG payload it gets executed. If a SVG payload loads on the page that you're going to visit, it's going to trigger um JavaScript code that's going to execute malicious code on this on the target. So, I'm just going to create test and I think I need to turn on the proxy because it's not on right now.
What if I just minimize that? Okay, it works.
So we have 8080 but I think 8080 is used by another software. So I'm just going to turn this to 7070.
Then I'm going to go to Burp Suite, go to proxy, proxy settings and I'm going to change the IP in here from 80 uh the port from 8080 to 7070.
That's it.
So let me see. Okay, it works. It can capture everything and that's okayish.
So, uh we are here and the exploit basically tells us what type of SVG payload to upload and it tells it also tells us exactly how to upload it.
For example, this is the bypass that Han Marshall came with came up with. Uh so basically you can upload the SVG payload with SVG with a trailing forward slash.
The reason that he used this bypass is because we had reported, I reported a similar vulnerability to this where I was able to upload malicious SVG file and it was executed on the server which led to admin takeover. So we have the forward slash um as a way of uh bypassing the security protection that's in place. And basically this helps us to upload SVG files. But the files that we upload are not going to have the SVG extension. It's not going to end with SVG. So I'm just going to show this to you.
Let me see message here.
Hey, welcome.
>> Hey man, how how you doing?
>> How are you?
>> Yeah. Okay, thanks. Sorry, I got the GMT, Pardon me, um GMT time wrong on the um group, which I think is probably why a few people haven't joined yet. Um, oh, I think we both put the time wrong and then I told everyone that it was confirmed it was nine today. Oh, and then I saw on the calendar it was like event started. I was like, what?
>> It's all good. I'm sure people join.
>> Oh, okay. There was one person, but I think they left.
>> Okay. Uh, oh, yeah, yeah, yeah. Oh, yeah. That's Were you presenting to yourself, Hammy?
Uh, well, basically this is recorded, so it doesn't really matter.
>> Oh, sorry. I'm ruining I'm ruining the recording here.
>> Uh, yeah, >> that's cool.
>> Everything is recorded, so don't say anything illegal.
>> I don't do anything legal. I'm I'm above all.
>> Okay. Okay.
>> Apart from the drugs that I sell sometimes. What?
All right.
So, as I was saying, I'll be um basically showcasing the the CVE that Marshall found and I uh where he used the trailing forward slash after SVG name to basically bypass the protection that was in place for SVG payloads. Uh let me do this.
>> So, was it was it a blacklist for SVG then? Yeah, it was a blacklist.
>> Crazy.
>> Let me see.
>> That's a good That's a good lesson for developers to to to use whitelists, not blacklists, because there's always going to be ones you forget.
>> Oh, yeah. Our own website was also vulnerable. So, [laughter] yeah, I finally
>> Yeah, I finally did implement um a type of white list on Delta Obscura. So now we only accept certain type of extensions.
That's awesome.
>> Is it client side validation or does it send it to the server and then check and then come back?
>> Uh I think ours is both.
>> Very good. Hi impressed.
It's still worth some testing because I'm not really sure if uh we are really secure. So feel free to hack us.
>> In fact, anyone who that is interested, there's a there's a bug bounty, isn't there? Or in a hall of fame on Delta.
>> Uh definitely we pay $20, which is nothing, but it's still something.
>> $20 more than you had before.
>> Yeah.
So, let me see.
I'm just going to reproduce this a little because I think the way that Marshall did it was different than the way I I plan to do it.
So basically he created multiple servers because um the goal was to first create an admin account then he used the admin account to download a malicious plugin then he uploaded the plugin then he activated it. Well basically that's how he got a shell.
So that's basically what we are going to be doing.
I'm going to create this And I think the test plugin was deleted, but we can replace it with any other type of plugin and it will work just fine.
What else do we need to do?
Okay, we need to turn on the CORS server. First thing first, I mean, can you possibly um can you zoom in at all on on your screen or not?
>> Uh, let me see. I think I can zoom in the terminal.
>> Yeah, definitely. Yeah.
Yeah.
>> Yeah, that would be good. And maybe if anything you're running with Python or not.
>> Let me see. I think I can zoom in the viewer or the Let me see.
>> Yeah, that's good.
>> Yeah. Zoom in. Control shift plus.
>> Okay. Control.
How about this?
>> Nice. Can you see everything now?
>> Looks great. Yeah.
>> Okay. And the browser. I think I need to do this.
>> That's good. I know. I know. I I get it though because um when you have a wide screen, you can have the smaller resolution, but on it's harder to see on screen, I think.
>> Oh, yeah. Yeah. Good point, man. Because every time people complain that they can't see anything on my screen.
>> Yeah. Is it I assume you got a wide screen, right? Big big screen.
>> Oh, yeah. That's the course of a 4K screen, I guess.
>> Oh, 4K. Oh, now we're at >> Okay, let me see if we need any uh modules. Nothing. Okay, so everything works.
So, this is running. We need netcat on port 20,000 8,000. Yeah.
>> Okay. Netcat within the Docker container. You're on
>> Yeah.
>> Well, let's 6,0001. And then I'm going to just change the source code for the whole thing. [snorts] >> Yes.
So there's this running.
What else do we need to do?
Hey, how are you doing?
Hey bro.
Nice.
>> So, we're just setting up the demo. Um, for a vulnerability that I think one of the other members found. Is that right, Hammy? This is yours or or Marshall's and other members? It's um it's a collaborative find, but the >> the part where he where Marshall just put everything together to achieve access to RCE, that was his idea.
>> Awesome.
>> So, we have CORS, we have one listener for callback beacon. This is not entirely necessary but it just it's just used for confirming that our admin account is created. The other is for test plugin.zip.
It has to be inside.
And I think um somewhere here is our code. So this is all the code that we need. And I need to edit this.
So this this code is the SVG code, is it that you planted on the app?
>> Yeah, this is the one.
>> Okay, very good. Oh jeez. Yeah, proper proper fetch request.
No.
>> So let me see. Where's 48,000?
Oh, >> what a what a crazy exercise.
>> Yeah, it's definitely a lot.
Yeah, it's a lot of code. I'm trying not to even understand what it's doing. So, it's creating an admin account, right?
Account takeover exercise.
>> I can basically if I get a sec, I could just um ask, you know, um what's the name of that thing? Grok for some help.
But I don't think we will need that for now.
Yeah. Yeah. No, you got it. You got it.
So basically we just uh need a mal uh one of the plugins so that we can download it and then modify it. I think I have one here. Let me see what's so vet is the application.
>> Yep.
Are you uh uh this one's not bad? Not that one.
Hey, that's good. Now you can uh now you can take over the the I know it's it's on VW's GitHub domain. Never mind. I thought you could take over the GitHub domain and find Now you found a vulnerability live, but yeah.
>> Oh, yeah. I get what you're saying, but I can't do that. Let me see. Let me see if this guy has this test plugin somewhere in here because that's really what Marshall use. I don't know if what I'm going to use is going to work or not.
>> Okay. Yeah.
>> If it doesn't work, it doesn't work.
>> Should have got Marshall in. Can't tell us which plugin where you got the plugin.
You message me on Discord.
Um, where is it? All right.
Oh, I'm getting lost on my own computer.
This complex. Okay.
>> Easily done. Easily done.
>> So, basically we just um extract this thing over here. Then we go inside the plugin. I think not inside it.
Wait, where? Which part that Marshall did inside it?
>> Um, so this the test plugin.
Yeah, it's the same place. So basically we're going to plug in the PHP and we are going to create this little payload somewhere. Let me see what's the best place to add this. I think after the admin menu >> that would be the best place to add it.
It's I mean I can't believe he created all this like like like like such a complex SVG or XSS payload.
>> Uh well I didn't create the SVG payload that's all thanks to Marshall.
>> Yeah but even understanding it is difficult. So >> yeah yeah yeah like what well it's obviously what Marshall I mean I'm impressed that he he made it all >> oh how you doing man feel free to unmute if you want if you're on nice here um yeah just setting up Look at how many networks I have here.
>> Editing on this video now skip the bit when you were setting up all the model. Oh, hey me.
Nice.
Let me see. Uh is everything okay here?
[snorts] So we have port 6,000 for 601 for the reverse shell. We have that.
We have CORS which runs on port 1 2 3 4. We have 444 which is for reverse shell I guess and I think everything is modified now. So we can just package the whole thing.
>> See how it works.
AR. So this is so it's from a student to an admin is the is the attack, right?
>> Basically it's um XSS payload inside SVG that if an admin visits it, the browser basically sends a full request.
>> Yeah. Yeah, >> the server with the cookies and everything >> and well we get admin back door account gets created and then the back door account is automatically used to get shell.
>> Yeah. Insane. So this is like um that's quite that's quite an so so it's almost just like a fancier proof of concept to like a staged payload to stop stop you having to log in manually. You just get a shell. Yeah, instead of >> Yeah, thanks. Instead of Yes. All thanks to Marshall. And then instead of just, you know, doing this all manually, it will be very difficult because you have to chain multiple things together. It's a lot of headache.
>> Yeah.
>> Instead of doing all that, you just do this. So, let me see how much of this thing is going to work because I'm not really sure. I didn't do this um preemptively partially because I wanted to see how I would do it under a scrutiny or pressure because this is going to look like a real world pentest.
>> Yeah, that's cool.
>> So, we need to remove replace this this plugin.
Bit of pressure is fine.
file manager.
>> Yeah, it's a very this is a very it's a cool vulnerability. It's taking something quite b quite sort of I don't know standard and packaging it into something quite exciting. Um and I guess and I guess the next question is is the um the SVG which triggers the JavaScript which which makes the admin account is that doing it via an API call?
Um it's it's calling multiple post requests. One of them is this one >> for >> Oh, it's localized.
>> Yeah.
>> And then there's the other is plugin upload plugin >> include. Yeah. And then it's saying okay. So it's including Yeah.
>> So it must be API. Yeah. It must be an API request then.
Yep. So the report URL is something where the report of the entire payload is going to be sent. Port 60001 is where the reverse shell is at which is basically a plugin.php.
It connects to port 601 and port 1234 is where the CORS server is located at. So basically let me just map this 444 right here. The report file server 1 2 3 4 1 2 3 4 is on the same. This is the CORS server that serves the file
>> and it serves the file manager.zip file.
[snorts] >> Very cool.
>> Let me see if it's going to work or is it going to pain me a bit? No.
Good luck. If it works first time, I will I will go mental. I will I don't know, send you a tenner. There's just no chance. These things never work first time.
>> Yeah. Let's see. Um >> where's where's the type? I think there's a certain content type here.
>> I'm just going to copy paste this. I'm lazy.
It's fun.
>> Uh, bingo.
Oh, 4034 by then. [laughter] >> Okay, let's see what happened here.
>> Yeah, >> permission denied.
>> Did you have to put Oh, you put the forward slash after SVG. Are you sure it's not patched, Tammy? Is this >> um No, it's not the patch version. We just need to have upload uh upload permissions and we don't have that. So I need to get that um >> you need to >> uh so it's a student profile that's being given upload permissions. Correct.
>> Uh yeah. So I'm just going to get a new payload for this. I'm going to temporarily Oh yeah, temporarily um cancel screen sharing because I need to go fetch the payload for this. It's going to be a little different.
>> Okay, >> let me see what's happening.
Stop figuring.
Yeah. Okay, I'll be back. Just need to get the payload, right? Yeah, fine.
All good.
Um, this is a good moment to grab a cup of tea [laughter] to drink in your country of choice. All we drink here is tea, of course. I've got my got my mug here. A nice little Earl Grey. Thanks for asking. [laughter] My favorite goose mug. Check that one out.
>> Oh, yeah. That looks cool.
>> For the boys.
The boys. When I left my uh last work, they they for my leaving gift, they gave me >> brilliant.
Not like I was there six years. You smug anyone? I'll take it.
>> Well, it was a free cup. I think it's expensive and they [laughter] one cup more than I had before.
Can't complain.
this webcam man's dodge dodge.
So, here's the big news though. My my workplace now, I told them that I don't have a monitor, external monitor. It's just the small talk that I'm making while you sort your problem. And um and they sent me this 34 inch monitor today.
Your your face is like lifesize, Hammy.
And that's only a quarter of the screen.
Unbelievable.
Can't make this up.
Let's see. I think I got the real payload. The one that doesn't need all the jumping through hoops like a monkey.
But let's see.
Uhhuh. I think my payload the diff the only difference between my payload and uh Marshall's payload is that mine doesn't have all those requirements. But let's see.
Um, why are we using um Google Meet Hammy? It's my next question. Why not the Discord chat?
>> Um, the quality of recording on that is very low. That's >> recording. Yeah, I imagine it would be >> actually I couldn't find it. The payload that I found it was the same as this one. So, we are going to suffer through this for now.
>> Um, by the way, I think there's something about permissions.
Actually, yeah. Um, I need to find the permission thing. Wait,
>> that's fine. The reason that I need to pause and I can't show the screen is because I'm using something like this for one of my CTF challenges that I've contributed to an event. So I cannot really show everything
>> like the fund for those while you're selling your commissions.
>> Yeah, they need to suffer through the hard way of doing the CTF otherwise they won't learn anything. So I'll be back. All right.
So basically we need to give this user the permission to upload files and I think we do that by modifying roles.
So basically we go here we manage the roles we manage the role of vendor and we give it permission to create files. Wait what happened media media upload.
Yep. I think now we have everything in order. So, we should be able to upload files. Let's see. Oops. Not not again.
See again.
for them. Okay, maybe I need to log out and login again.
Oopsie.
Oh yeah, now the file is uploaded. So we do have uh file upload permissions. And I'm going to just select this test test. Save it. And [snorts] now I'm going to here just delete this because we don't need it.
create another product. I'll test with SL test. And in here, I'm going to select an image that I'm going to intercept and then change the type of the image.
Uh crap.
Okay, we got it.
Or we can just copy this beautiful thing and send it from here. Oh, it didn't work. So I think we need to send this to repeater. Drop it. Drop is basically our way of dropping the request. It's not going to be sent anywhere. So can we zoom that in at all?
The Burp Suite window or make it slightly bigger.
>> Oh Jesus. Uh sorry. What did you say?
>> Can we make the Burp Suite um window slightly bigger or so?
>> Let me see.
So, damn it. Come on.
>> A lot of Yeah, I'll try, but I'm not sure if it will work.
Yeah, now files do get uploaded.
And um size of Burp Suite. I'm not really sure if I can do that. Let me see. We don't have anything like size in here,
>> but don't worry about it. All right. All right. So, we have our beautiful payload over here.
This was successfully uploaded. So, let me try to upload this payload and everything is fine. I I guess I'm not sure.
It really doesn't matter. SVG.
What was the type? image/svg+xml, right?
Send. Yep.
Think file type not allowed. Success false file. Okay.
I'm not sure if I'm working with the patch version or the unpatched version at this point.
I'll try.
Did um did he did you need to change the MIME type or something?
>> Yeah, I did change that properly, but I'm not sure what's happening.
>> What's on the right?
>> SVG plus XML. Yeah, we do have that file names. SVG forward slash. We have that as well. [snorts] And it says file type not allowed. But I think the version of Vvveb that I have installed is the correct one. Just not sure why this not working.
Where's the picture of the Burp Suite payload on his write up? Maybe that will look different.
>> Um, let me see. Let me just send it to you.
>> Oh, sorry. I could see it on your on your screen there. It was four left at the end. Yeah, strange. Have a look at this.
If it doesn't work, I'm just going to move on to the next type of payload.
>> Yeah.
>> Um, we have had several problems with this uh version of Vvveb. I installed it on Docker and on Docker this payload wouldn't work. So, I listened to Marshall and I installed it without Docker. But still it doesn't work. I'm not sure if I'm using the correct version or something else is going on.
>> Um yeah, form data name files.
Did you have the form data with the name files um as well on the purpose?
>> Yeah. Well, the version of uh Vvveb is the wrong one. It should be 1.0.7.2, but it's 1.0.8. So,
>> you're on the path.
>> Yeah, that's a problem. I'm on the latest version instead of being on the current version.
>> So, so what you're what you're now looking for is a bypass for the for the fix.
>> Oh, no. I can't bypass that right now, but I'm trying to get the vulnerable version. I thought I didn't install it.
It just doesn't install. I guess
>> I wonder if client side it shows what the blacklist is now. Maybe we can add a null byte at the end or or preempt it before and then bypass the patch and then you can get a new CVE live on stream.
>> Let me see.
>> That's how the pros do it. This guy >> not allowed. Why? Why did this uh print this error twice? Let me see.
>> Good question. Great question.
Watch this. Watch this.
>> Yeah, I see the null byte is doing something super weird.
>> Yeah.
>> Oh my gosh. [laughter]
>> Am I going to get my next CVE now?
>> Yes, for real, man. There's something there's something doing there's something weird happening.
>> Yeah. Let me see. So, we are looking for SVG blacklist bypass.
>> Yeah. Well, there's load. Well, are they still using a blacklist?
>> Uh, I think Gonz developer is using a blacklist, but I'm not sure. I could probably look into the code and see the fixes that he made to our previous vulnerabilities to see what type of fixes he implemented and then
>> we'll look at it.
>> Yeah. Great. Yeah. And then once you find that like what the code change is, then we can um we can start if if it's still a blacklist. Honestly, if it's a blacklist, there's going to be a bypass.
I'm just saying that right now. If it's a white list, it's going to be more complicated, but it's not impossible.
You can still bypass whitelist with with null bytes and stuff like this, but I mean, uh, it will be more complicated, but it's certainly not impossible. Oh, yeah. Look, there he is. Added media upload type check by MIME type to avoid by MIME type. Now,
>> they're doing it by MIME type now. Do you see that? Something like that.
>> Yeah. Yeah, let me see.
>> Now you need to add a MIME header that makes it believe that it's a JPEG and then we bypass.
>> Okay, so upload deny mime. It denies SVG plus XML application JavaScript.
>> Yeah.
>> Okay, let me let me just grab the whole thing. Grab the whole mess.
>> The potential's real, man. Potential's real. Yeah, you should you should get the actual code block and then chuck it into AI and say what im what what um image types can we use to bypass this white list something like that or something like that.
This is uh escalated heavily from a demo into live hacking. [laughter] >> Yeah, that's what happens when I can't find my payload, I guess. Imagine.
Oh, >> for the demo. I needed to rehack it for the demo. [laughter] >> Let me see.
>> It doesn't get cooler than that.
>> Yeah, >> find that little piece of the code and just and ask for mine. Yeah, mine by passes.
>> And well, besides this whole thing, besides this whole clot thing, I could just use clot code. I have the advanced version of this thing for this set to max. So we have this thing set to highest level possible.
>> Yeah.
>> And we have the model. We can switch it to Opus.
>> Beautiful.
>> The highest one. The highest price model. Module.
>> Rip your token count, bro. But >> one million context. But thinking on >> and all good [ __ ] And now we are just going to give it the location of the upload.
So where's the location? It's admin controller. No, it's admin controller media. Let me see. Admin. No, admin controller.
>> So just to be clear, the reason that we have access to all this is because it's open source.
>> Yeah, of course. We don't steal the source code. Just so if anyone's wondering how does this how does it work if it's an open source app you can just start feeding some of the some of the code into AI and give you ideas if you've already got ideas in your head >> yeah basically you could basically copy paste this whole path and you can tell AI go find me functionalities or vulnerabilities and it will find it for you but you have to be smart about it you can't just say okay go find vulnerabilities you have to say go find me all the end points that are in this application and I want to understand what functionalities are there that will be helpful.
>> Absolutely. Yeah, you need understanding of what you're potentially looking for, but um very very interesting to see if there is um I mean yeah, white lists, man. I mean, no, what are they using blacklists?
>> Um let's just see what happens. I'm not really sure.
If nothing happens, I guess I will fail publicly, which is one of my greatest habits, failing in the public.
>> It's good. It's good. Good fear to get past.
>> Yeah. Sharp.
You This is a a C live CVE right here.
This is what >> me, myself, and Muhammad are going to take a 20% cut. Um, just so you know, because we were here on the call, you know, just feel uh >> [laughter] >> I feel like we should have signed an NDA NDA now. Uh, okay. In the chat right now, you Muhammad, you have to just just put like just write just write agreed if you agree not to disclose this publicly or or weaponize it on the dark web.
Hammy, I've I've signed my agreement.
Uh, I don't think this is that much of a big issue, but fine.
>> Mohamad's also agreed now. So, [laughter] it's all above board.
All right, let's go.
>> All right, let's see.
>> This is really cool. Really cool.
>> The bypass.
>> Oh, yeah. There's a clear vulnerability >> include SVG, but the rename forms no extension validation at all. attack up this extension. Oh, call the rename end.
Call the rename endpoint. There's an endpoint you can call to up to to change the file type once it's already stored.
>> Wait, what is saying? New file call the rename endpoint. Wait, >> are we actually able to call the rename endpoint? I mean, we must be able to, right? So, it's saying upload an image.
Is that correct?
There must be there must be an end point.
Yeah, this is a this is interesting.
Wow. What a crazy bypass if this works.
If this works, if this isn't an AI hallucination, you can actually call back a post request. So, upload a PNG with an SVG content. Rename it to a uh rename it to SVG via this end endpoint which may or may not exist. Uh and then if it does then we have then we can run we can run it as if it never was a problem. That would be interesting. In fact that would be a very interesting CVE. Yeah.
>> Mhm. Let me see.
>> Yeah. Let's see.
>> You're right to push back. Okay.
>> Yeah. They just craft an HTTP request directly. Post admin, model media, model. There's a rename. There's a rename endpoint that you can call by post.
>> What? What? Where's that? Let me see.
>> It says it. Look, an attacker doesn't need a UN bus and they just craft a they just craft an HTTP request directly because there's a there's an endpoint.
>> What? And it's a post endpoint, Hammy, so you won't see it.
>> Okay, >> let's try it. Let's try that endpoint.
uh ask you to give you a B pay.
>> Uh >> or a curl. Yeah. Either >> uh let me just copy paste this thing to it.
>> That'd be so cool, man.
So, you need to upload a normal file already. You already have actually you got to No, you need to upload a normal PNG with the SVG content.
This is a This is cool, man. [laughter] >> Let's see if it works. Pray for me.
>> Yeah. So So it's going to be two post requests then. First you need to upload a PNG and then >> rename.
>> Yeah. So just in fact in fact Hammy just you can do it manually the um just upload the an SVG with a with a PNG in Burps in in the UI and then ask it for the rename post request that makes sense.
>> Um I think the post request is not available.
>> I'm not sure.
>> No you can do that via the upload Hammy.
Uh >> you can just upload it with in the UI just upload an SVG file called.png and then then we pull do a real post request to rename it.
>> Ah hey I'm just going to copy paste this thing. Let me see if it works.
>> This one is easy. The path of least resistance.
>> Yeah but they haven't included a post.
They haven't included um content for for a cookie um XSS SVG in in the uh description of what it said. It just says you need to put a real SVG.
Um but you need to give it an endpoint for it to send it to, right? You know what I mean?
>> Uh let me see, man. [laughter] Let me see what it does.
>> Sorry. jump ahead.
>> Okay.
>> So, we create this one. Uhhuh.
>> This is cool, man. This is really cool.
Awesome. Prayers and the file. So, that one uh evil.png is created. We have that.
>> Yeah, it looks good. That looks right. I was just going to pop a an XSS box, but that's a good proof of concept.
>> This is cool, man.
This is cool.
>> What element saved? Template backup was saved. Does it work?
>> Well, what did what did you post? What did you post, bro?
What on earth did you post in here?
What? Uh, >> it says permission denied. So, >> no, you can just do it via the UI instead. Just upload a upload a file.
>> Wait. Um, >> you know what I mean?
>> Yeah, I know what you're saying. I know what you're saying. But this, uh, I think this is another functionality that needs to be given to the role explicitly.
>> So, when you >> Yeah, while you went outside, basically, I had to give vendor the permission to upload files and I just forgotten that.
So let me see if we need to give the permission anywhere in here. Do we need to give edit permission?
>> We might need to re we might need to re-record this video. H [laughter] >> yeah, this is messed up now.
>> Oh yeah, it's cool though.
>> Oh yeah, >> [ __ ] love that smile. People People will probably watch this later and wonder what did we do.
>> We lost the plot.
>> It's a great CVE coming soon. [laughter]
>> I mean it's great. It's a it's a nice little part really. The upload functionality.
>> Oh yeah. This is the name functionality.
So basically we need to provide this rename functionality in there then save it.
>> Then we need to >> yeah we need to get the hell out of that other session. We need to log out >> log in and get a new session cookie and with that cookie we will be able to do our magic.
So, here we are. Um, >> bro, this is epic.
I can't believe.
>> This should never work, by the way. This shouldn't work.
>> Yeah, this shouldn't work. But let's see.
Have you already uploaded the file?
>> Uh, which file?
Evil.png?
>> Yeah. Is it already in the uh b?
>> Uh, no. It's not uploaded.
Uhhuh. Let me say.
Okay. If it works, I'm going to lose my mind. Bingo. Not sure. Shut. What happened?
Okay. Permission denied. It doesn't work. So, >> why don't you just just do it in the UI?
Try it and do it in the UI because you know you know that you got upload permission, >> you know.
>> Yeah.
>> Working. You might as well just do it manually, right?
>> Yeah, I'm going to do it manually, but there's no UI for uh changing, you know, the file name. You can just click on it, but there's no place to modify.
>> Oh, no, the evil one. The one that you actually want to upload, the one that you created. There's an upload.
>> No, it's not uploaded.
>> Yeah, but just do it in the UI then with the upload button top right.
>> Okay. Yeah. You mean upload? Um, but here's the thing. If I upload evil.png, right?
>> Yeah.
>> I cannot rename it. Like, how do I rename it?
>> Well, that post request that you're looking at that you're trying to do there is the upload request. That request is the upload. So, there's no point trying to do that when you can just do it in the UI. So, I would just upload the evil.png, which you already made, in the UI of Veb, and then and then we can mess around with the post requests when it comes to the rename.
>> Okay.
So the first goal is uploading evil as Yeah, I think I understand this now.
>> Which you already made. I think you already saved it locally. Am I right?
>> Yeah, I did that.
>> Cool.
>> Yeah, so I did that. I can just uh browse to it.
>> And where did I save that thing by the way?
>> I don't know. [laughter] >> I don't remember where I saved it.
>> Okay, let me see. I think it's here. And so I test the scripts.
>> Oh, test scripts. Yeah.
>> Yeah, it's Yeah. key.png. It's right here.
>> Okie dokie. Let me see. Let me see. Let me see.
>> We don't need to do anything. I guess Docker containers.
>> Um, can you enlist a beginner to infosec? Yo guys, I see you're both doing fantastic job and I'm glad I assisted this representation. Can you please enlist a beginner to infosec 70% procs path? Oh, brilliant. That's awesome. Now to get my feet into research in the session.
>> File type not allowed. What the hell?
>> Oh, for PNG.
>> Yeah.
>> Ah.
Really? PNG?
But you've already uploaded PNGs in the past. Oh, try JPG. Uh, I think it's the type. Let me see. Let me try this once again. I think it's the type. It just identifies the type of it.
>> Yeah, because of the because of the header, the MIME header inside the actual payload.
>> Yeah, probably something like that.
>> Let let me send you Let me send you Hammy the um Let me send you the piece of code that you can put into the top of the header which will make it think that it's a JPG, but it's not.
>> Oh, yeah. The magic bytes.
>> Yeah, that's it. It's probably doing it by magic byte, right?
>> Probably. Let's see.
>> Why not allowed?
>> Do you want me to give you send you the magic bytes?
>> Yeah, sure, man.
>> All right.
Okay.
To trigger alerts.
Um, >> so this worked, but this doesn't. So we can't upload this. Oh, we can upload it.
So it did work.
>> You did it. You >> evil.png was uploaded. I'm just going to rename it to evil one.png.
>> Nice, bro. How did we do it?
>> I just added a space between them. So it worked.
>> Oh, really?
>> Okay. Okay.
Is it going to work?
>> Um, >> yeah. Nice, bro.
>> Okay. The image just go, so it doesn't show.
>> Oh, sure.
>> It's trying to render it, isn't it?
Trying to render it.
>> Yeah, it's trying to render it, but it's not PNG content, so it doesn't get rendered at all.
>> But that's that doesn't matter because if we can rename it to SVG, then we've embedded it, right?
Yeah, if you convert it, it doesn't matter. And if we can look, if we can convert PNG to SVG, we can convert PNG to PHP and get a shell.
>> Okay. Actually, Hammy, if you've been given rename permissions, then can you literally rename it in the UI? You technically been given rename permissions, right? Can't we right click and just rename instead of trying to do this crazy UI like?
>> Yeah, I can't. I can't right click, bro.
Look, look.
>> But right now, you're trying to upload it. But instead of doing that, could you just go could you go to like wherever the media is saved inside the UI and then just literally just rename? Yeah, >> I have it.
>> There you go. Can you change the No way.
SVG.
>> Uh, we cannot change it in here now.
>> Edit image and then will >> it doesn't work. Oh, but you've been given permission. I don't know why it wouldn't let you.
Maybe we need to call that. Maybe we need to do the post request instead.
>> Yeah, I think the whole thing is just at and from has so we can see it.
>> Yeah, >> let me see.
>> If Claude if Claude's post request is actually real, then this then it could work. But we need to we need to rename re um change the file name.
um to whatever it is.
>> And it needs to be forward slash, isn't it?
Evil PNG.
>> Um no, that's for a different payload.
This is for the one that he Let me see. Oh, >> the one that's already in there.
43 for doesn't work despite the fact that there is uh permissions for this it doesn't work anyway.
So we have what where's the roles roles are here we are the vendor role and we do have media media rename permissions
>> media media rename is that the endpoint you're calling
>> uh this is basically the admin panel where I
>> yeah that post request you made is that inside media
>> yeah I think so yes media media rename and action equals I wonder if you need to include and action. Maybe it's just rename. You know what I mean? Like the post the upload request you did didn't say action equals upload. It just said /upload, didn't it? If you go on number six on repeater might be wrong.
>> Um, yeah, but you're kind of right. But look at this.
>> It is action. It is action. My bad.
>> Yeah. So action has to be the name of this thing. So >> I can't believe it. And then it says admin equals 1. Cookie blah blah admin equals one. Does it your say admin? Damn it. I can't believe it didn't work. Why is it working? You should put the um response that you got back and into Claude and say what the hell.
>> Yeah, [clears throat] probably.
>> I'm so sad about that.
>> Yeah, me too. I'm going to tell Claude how sad I am.
>> Yeah. And say say it upset me as well, actually for the record. And Muhammad's sad as well. Tell everyone sad. Make it feel bad.
Ah, I can't believe it. I think we're close. Hammy, there's light at the end of the tunnel.
>> Yeah, there's definitely a light somewhere.
This is going to be this is going to be Oh, look at this. This is comprehensive information we're sending to Paul.
>> Yeah.
Right. I'm going to answer Muhammad's question while you're um are you in fact first I'll ask you Hammy. Are you going to use this video or are you going to do another one?
>> It's a bit messy this video.
>> Uh well, I think we are going to do another video but fine. Okay, fine. I I'll answer uh question then. Oh, hold on. What?
>> It says adding CSRF to the body.
>> Invalid CSRF.
Oh, there we go. It's included a CSRF token now supposedly. Now you can put that in the payload.
>> What?
Ah, because it rotated per request.
>> So, where do I get the CSRF token from?
How does it know what's which CSRF token I should use? Let me ask this. from the page source. The token is Yeah, it's like >> Oh, really? Got it.
>> It thinks it got it from the page source.
>> Oh, yeah. It's right right here. Damn it. I can't see it.
>> Yeah. Let me just If we can get a CVE on this, it's going to be unreal.
>> Denied again.
Shame.
>> Well, I think this video is messed up.
[laughter] Grab a fresh CSRF token. Oh my gosh. You can do a get request to grab a fresh CSRF token. No, really.
>> Really? Let me see.
>> Let me see.
>> Cannot be real, man. This cannot be real. I think it's lying.
>> We'll see.
>> This doesn't look right. Look at this request. It's not even work. But yeah, you can try.
>> This is hilarious. Did you send it? Hold on.
>> Yeah, I sent it. But wait, you didn't do a space bar because you didn't do a space. That happens to me sometime >> the space.
>> Yeah, do enter. Yeah, enough of it.
>> Okay, >> it gave permission error again. So, >> why is it working? The rename endpoint.
No, it was such a good idea.
>> Okay, I'm going to answer that question now. Right, so he said, "Yo, guys, doing a fantastic job on system representation."
Bro, can you can you please enlighten Let's be honest, bro. It's all cool. Can you please enlighten the beginner to infosec 70% just how I get my be to research at the end? I'll do it now if you if that's all right. I'll have it in your hand. Let me know if you're um let me let me know if you're here still.
>> The CSRF token is right here. The CSRF token doesn't change. That doesn't work.
So, >> oh, it doesn't change as well.
You just write one big me. Um, >> yeah, >> yeah, >> that's that's easy.
I'm just going to bingo login like this and uh
>> Oh, I'll just do a fake one. See if it generates a CSRF. Oops.
>> Yeah, it has to get everything on its own. I don't have time for this.
Is it got a CSRF? Can you uh >> Oh crap. [clears throat] >> It just needs to go to this page.
>> Oh, because you need you need an admin CSRF, right? Or an authenticate CSRF. I don't know.
>> Uh let me see. Let me see.
>> Ignore me.
Uh, and then this beginner if you're 70% through CPTS already. That's awesome. [laughter]
>> Well done. The CPTS isn't is no joke and the path is a hard work. So, I think I'm only about 90 80 89 90% through. Um, it's taken me ages. So, smashing it. But and then secondly, yeah, to be honest, research is one of the best ways I actually learned how to do that. That was then learning in CTS. So I would say keep going on CTS that will give you all the core fundamentals, right, of like I don't know even stuff like this like XSS um you know path traversal, you know, file upload attacks, etc., etc. And then with research, the best way to get into it, and it's funny you asked because Hammy actually got me into this.
Um, and now myself and another member of the Discord are trying to teach other people how to do it. Um, that's fine, Amy. Don't worry, I'll um the best way definitely to get into doing your own security research is do basically what Hammy's doing. So, it's open source apps, applications. So, I think um if you're on the discord, I can't remember. Are you on the discord or did you find this from LinkedIn?
Either way, if you're on Delta Discord, I think Hammy has a list of targets.
Sometimes we post are from LinkedIn. No way, bro.
LinkedIn. That's awesome. So, um I would s I would suggest that you get inside the Delta Obscura Discord.
>> Can I send a link? How many of you? Um I'll send the link invite. We also have targets on odin.cscyber.ca.
>> Yeah.
>> Yeah. That's a huge list of targets. But I think if you join our Discord server, there's a lot of people you can learn from. There's a lot of people to collaborate with. So >> yeah, there's a lot of people collaborating. Um again, you know, we'll send targets of like open source apps that we're starting to look at. So it's perfectly legal. you're running on your own system, right, via a Docker container, say, and then you're just starting to try out some of any of those attacks that you found on CPTS pathway.
So, you might start to look for some file upload attacks, which is what we're doing right now. Can I bypass file upload? Um, very pop SVG files to XSS.
It's a very standard file upload attack.
Again, like if you start to find things and you're like, oh, might be something, not sure, just post on the Discord.
there'll be a bunch of people. I'll be happy to to um give you some points of where to look uh you know or maybe how to escalate some of these things. Um and again, yeah, and then um so that's basically the best way to do it. Open source, but jump on the Discord, start asking people questions. I'll be I'd be happy to answer anything DM. Uh I'm sure how you were too. Um busy than I am. And then your next question was did AI s suggest something brilliant or make you get grabbed to be honest mostly rabbit holes occasionally brilliant.
So, uh, sometimes it'll give you, so you can see right now like we we were trying a, um, file rename via a post request that may or may not work and it's like rabbit-holing. But if people try to learn if if you try to just rely fully on AI, you're going to just hit these and it's going to be very demoralizing. If you've already got the base knowledge that you've learned from doing CPTS uh and then you start applying that and then when you hit something that you're not sure about you ask AI and give it all the context from what you understand and I think it's like way more likely that you actually get somewhere with it.
Um so yeah man, jump in the Discord be great to chat and um this is obviously the first video. It's been a bit of a little bit of a bodge because we've had a few problems with the had a few problems with the um web app that we're the um application that we're trying and also I think I'd bodged the announcement. So everyone from GMT thought that this call was starting later.
So again um we'll have more of these calls. A lot coming. Um, but maybe I'll host the next one or maybe I'll host the next one and um and use just more of what we're doing now which is CVE and methodology stuff.
Um, yeah, hope that helps.
So I'm trying this one more time and I did generate a shell script for me that basically performs all the upload and stuff but it also checks for permission denied and response text and if it's present it doesn't perform that. So basically this is how it works. It fetches the login page CS sort of login successful fing uh fresh CSRF again CSRF token got this. Wow.
>> Then it uploads malicious SVG as evil 1.png, but upload fails with permission denied.
>> Yeah, >> but here's the thing. I'm going to try this with the admin's cookie.
Let's see if that works.
>> That's a be crazy. Yeah.
>> Are you running this within the Docker?
This um terminal command?
>> Um no, that's not within the Docker.
It's just me trying to do my thing. If you're making those post requests outside of Docker, do you think it would is that why it's not working? No, I think that's true.
>> Let me see this with admin.
Does it work with admin? Yeah, with >> Oh, no way. Rename.
[laughter] >> Let's go.
>> Let's see. Let's see. Does it work?
>> Wow, it did work. Fudge. It was uploaded but external parsing error because >> the formatting. Yeah, the formatting is a piece of thing.
>> It's a proof of concept. You can you can upload and then bypass all of the upload permissions by the rename.
I mean, this is already a CVE right now.
>> Yeah, this is a CVE.
>> Yeah, got it. [laughter] >> Yeah, we got it. Let's go. Let's go. Let me see. Let's uh let's first get an idea of how to exploit this this work but with a caveat.
>> No shot, man.
>> Yeah, I didn't believe it. Me, man. Look at this cloud code that's helping me find zero. This >> you probably the best demo you could have ever joined. [laughter] >> No shot, man. There's no way.
>> Fix this damn thing for me.
pick this please.
>> I can't believe it. [laughter]
>> Yeah man. So basically um the reason
>> CVE mean do you want to just explain what a CVE is? What
>> Common vulnerabilities and exposures basically a way to get a tracking number for a vulnerability so that vendors and people can easily patch it. Vendors and users can easily patch it and keep track of it, you know.
>> So, so this CVE that you just found like what the attack path is. I mean,
>> uh before
>> well what it does what it does right it basically allows you to escalate privilege to administrator but now we are executing this as admin. So basically we need a user with permissions to rename files or upload files and we are good to go mate. I can't believe this unreal.
>> Let's see.
>> So this is like this is a great proof of concept. Yeah, do you um open source open source web apps uh sorry open source applications like this um usually not some types but you usually didn't have a bounty program um so usually you find vulnerability like a CVE some this is a this is a good example and then we you would submit it to a organization like vol or vol database and then they oh sorry I'm saying it all wrong first you contact the vendor and say, "Hey, hey guys, found this dodgy thing now. Can you fix it?" And they'll go, "Thanks for letting us know." They fix it. Then you report it and then you get a CVE assigned to your name. So So why do people care about CVEs if they don't get money? Well, it's really good for your resume if you're looking for jobs. I basically got the job I have now just because I had CVEs on my resume. I didn't I don't have a single certification. Um but it was just because of what you know learning through Delta and then just hunting for CVEs. So um it looks really good in the resume. It holds quite a lot of weight especially if it's a decent one if you know what I mean not just like oh someone's IP leak. Um does that make sense? Some companies um quite a lot of companies actually do um also give a bounty with CVE with CVEs.
Some of the bigger companies like Neta and Microsoft. Um, Microsoft's the only one I've got experience of and I have CVEs and sometimes they pay you money.
They'll always get you a CVE if they need to patch it locally and sometimes it'll be an escape for money as well. Um, and then bug bounty just for context. Bug bounty is like the opposite. So, because it's online, they can patch it from their end if you find a vulnerability and it doesn't need a CVE because no one needs to update anything. They go on the website, it's already fixed. So they'll give you money for bug bounty, but they don't give you a CVE. Does that make sense? Um, so that's kind of how it works. Um, but this is open source. This is all all CVEs. Oh, what's up? Right. Yeah.
Hope that makes sense. Um, I'll be right back. H just gonna >> uh Sorry, did you say you're going somewhere last time?
>> Yes, I'll be right back. I've got uh just two minutes. Just have my wife or something. I'll be right back while the So for context I'm just um modifying well I'm not modifying I'm just prompting AI to modify this file because um I want to upload uh files with a random file name and uh file name so that I can upload hundreds of them as many as I Okay. Got this error. Why?
Mhm.
Let's see.
Oh, my >> CV hunting live at 5.
It's not 5 here. It's like 10 o'clock at night.
>> Oh, yeah. Uh, let's see. I think we are kind of close. If Marshall was here, we could probably, you know, he is very good with XSS and bypassing stuff.
>> Yeah. Well, we got the bypass. Now we just need the payloads, right?
>> Um, yeah, we just need the right kind of payload to get rid of the shitty XML parsing error. Let me see if Marshall's around.
>> So, I'll just say like right now we could report this right now.
>> 100% get one. It's just already file upload bypass RCE done. You don't even need you don't you would you don't need to prove nothing. It's already been proved or account takeover whatever you want to call it. This is a big this is a big deal. This vulnerability really
>> I mean it's a vulnerability but I really need to prove the impact as an an attack impact
>> 100%.
I just want to tell everyone the discord like guys just can I tell everyone that we just found we just founded got a CVE line.
>> Yeah, sure. I mean that's the point of joining our sessions.
We find zero days this by mistake.
>> Yeah.
>> I don't want to ping Marshall again, but I'm going to ping Marshall again.
Now I kind of like ah Hammy you should have been you should have been record you should have um you should now share this video but what you need to do is like chop it up like the interesting part like the bit where you realize you're on the wrong version you're on the patched version might not be still okay and a bit where you find the bypass and then
>> yeah well Well, well, this video I think um the original purpose of this video has gone to trash. So, now we are busy.
>> It's now it's now it's now it's gone 10 times better than it ever could have gone.
>> Yeah, because uh nothing beats real vulnerability research.
>> Yeah, >> it's not it's not sanitized, you know.
It's not like we are doing a CTF. This is real. This was completely unexpected.
>> It's like double cool. And you know what's going to happen next time? We'll do a demo of this bypass. We'll be like, "Ah, don't worry guys. This time we're going to do a demo and then you'll accidentally be on the patch version again and then every single time we come on the stream, we'll have to find a new RCE, a CVE bypass." Perfect. This stream is just brilliant. Best one going.
Let me see. Okay.
>> It's too funny.
>> The only thing is I have to go in like five minutes, but >> while type not allowed it's not working.
>> Is this the upload?
>> Did someone join us?
>> No.
>> Okay.
>> Yes, actually. No, it's just us three still. Uh, >> it says one guest.
Okay. No, no way. Join us. Okay.
>> We're all guests.
>> Unless someone's in the lobby or something as well.
>> This is awesome.
>> I mean, the payload did work, but I think I kind of forgot which one worked.
>> You have it in your internal, right?
just go back through the terminal.
>> Uh yeah, I could go that I could go that route or I could just rewind the code.
>> Yeah.
>> Muhammad, did you um did you find this through Ham's LinkedIn post?
>> Uh were you with me?
>> Okay.
Okay. Just wanted to just wanted to clarify that none of my friends on LinkedIn thought it was working. Just wanted to let that sink in live on on stream.
Oh, this is so funny.
>> Yeah. I want to see.
>> Okay. Well, I think the source code that we were checking belong to version 1.0.7.2, not version 1.8 1.0.8. I'm not sure. Let me see.
>> Right. Okay.
>> But you went on the page and it said that it was the patched version.
1.8 now.
>> I'm not sure >> is the content the Texas version. How >> it says it's 1.0.8.
I just found it.
>> Upload a polyglot a GIF. That's valid SVG HTML. A GIF header will make mime type content return a GIF.
Okay.
How did you do it before?
>> It's This agent is really smart. It's really [ __ ] smart. I think it runs multiple agentic AIs at once or it says it does the marketing says it runs multiple
>> agents at once. So, I'm going to believe them because it really um it asks the right questions. It says you're running this version of web. I'm going to choose the Docker because I want to see which version you're actually running. And somehow it all already knows that I'm running this on Docker, which is kind of suspicious. How does it know so much?
[laughter] Yeah.
Let me see. So, I changed things.
>> Try not to chance to read into that too much, Har. But yeah, >> everything you're doing is being in fact this this AI has already reported this to me.
Okay, it says file uploaded successfully.
>> Let's go.
>> File rename >> to HTML to HTML. Let me see.
>> XSS. Is it actually in the
>> Wow. Yeah, it Yeah.
>> There we go. XSS.
>> And there's my cookies and everything.
>> Thank you, Mohammed. Unbelievable.
>> That is insane that the AI agent was able to >> Yeah. Look, it took a lot of back and forth like it does, >> but it's insane that it produced the whole proof of concept in one in one payload.
>> Yeah, >> that is unreal.
>> Yeah. Well, I mean, we could probably pull in source code of WordPress and try to find the CVE there as well. Man,
>> that that will be too much context for
>> stream's already an hour and a half, bro. I mean, I'm not sure.
>> Yeah, how save some things for the next stream, bro. Okay. If you get all the CVEs now, what am I going to talk about?
>> Yeah, [laughter]
>> that's also a thing. So, uh for this uh for this video, I'm just going to pause it here because it's been 90 minutes. I think we have been Well, our first goal was to find was to go through all the CVEs that I that our team had found. So the first one was this one the CVE the CVE on Fab LMS and the CVE on understand CMS.
>> Then I [clears throat] lost the plot. So basically instead of instead of showcasing the vulnerabilities we had already found,
>> I accidentally downloaded the latest version of web and instead of downloading the vulnerable version where there was those vulnerabilities and I could show you the CVE.
So and instead of doing that I just ended up playing with the latest version and suddenly I realized that uh there might be a vulnerability because alas was here he was giving me all these ideas and without without yeah without this questions I wouldn't be here because um I usually give up that's one of my problems. So when I'm surrounded with friends or with like-minded people, I usually come up with different sorts of exploit chains and things like that.
And there we are. We have um a CVE and this one has a bigger blast radius I think as well. So I'm going to be pausing um quitting this video for today. It's being recorded. It's going to be uploaded to YouTube as well. After I upload um after I
>> report this to Ganzee and WB for a CVE assignment and after that I'm going to upload this video and uh uh Muhammad I'll appreciate if you don't share the details of this
>> you both put agreed in the chat to my statement of NDA so we're we're
>> uh yeah well it's uh it's responsible disclosure And there aren't a lot of people in the session. So I would appreciate if you don't share it uh because we are going to record it. And uh thanks man. Thanks a lot. I appreciate that. And there was another question that you asked. So uh let me see if I can answer this. So you said you are doing CPTS and you're already 70% through the path, right?
So I think uh my last gave you all the details and what you should do. So I did pass the CPTS exam and um from what I can tell you is that the uh exam is it's tough and uh like most people have said it's mostly focused on Active Directory and the reason that you can understand that without me actually spoiling the exam for you is that all the content that people tell you uh that you need to prepare for CPTS exam almost all of them or 80% is focused on Active Directory. That's how you know the exam is mostly focused on Active Directory.
So it's not that difficult to guess that from inference.
So yeah uh just do the Active Directory stuff but if you don't there are some ways that AI can help you. So uh I have coded numerous Burp Suite extensions. This is one CS surface scanner and um these are mostly open for our team members.
But here's the thing. There was uh extension I coded for solving some of BCP or porc error labs. And the way it worked is that it used a PDF that contains some solutions and also writeups from that uh from every practice test. And then it combine those to analyze every request and response to identify what vulnerability this application might be vulnerable to based on all the information that it had. So Anthropic allows you to upload a file once and then you can reference that file dozens of times and if that file is a PDF or HTML file that contains a lot of information, you can basically just use all of that information to sort things. I think it's called retrieved or augmented uh RAG or something retrieve augmented I forgotten what it's called it's actually called RAG
>> RAG yeah
>> yeah retrieval augmented generation so basically it's something similar to that RAG is more complex because you have to feed all the information to the AI but the version that I have uh proposed using is something that basically AI keeps going through the same file over and over again. So, similar, but it's not the same.
So, I hope that helps.
Yeah, it's right.
Nice.
Cool. I got to go. Thanks, guys. This be really fun.
>> Yeah, it was really fun.
>> We'll do more live next time. It' be awesome. Nice to meet you, Muhammad. And yeah, get in the Discord, man.
>> All right. Thank you, and thank you, Muhammad. I'll be um pausing the recording and then we are go. We got to go.
>> Nice.
Awesome. Right. I'll catch you later.
>> All right. See you.
>> Cheers. Night night, guys. Bye, Muhammad.
>> All right. Bye. Bye.