├── liveoverflow_transcripts ├── EEZ2T5UodVY.txt ├── SJbuSXO4xs0.txt ├── 9CS3q0uG1LI.txt ├── 2LOtBpA7W_M.txt ├── 2sy6aIaoI64.txt ├── hprXxJHQVfQ.txt ├── Jpaq0QkepgA.txt ├── j70AA9arThc.txt ├── ujaBCDaPUm0.txt ├── M0D999KcyHo.txt ├── 6htg9MGMOYE.txt ├── iyAyN3GFM7A.txt ├── kMu1J8QdxE8.txt ├── xCEJfTfhtQc.txt ├── 9NYleo0r4Eg.txt ├── WWJTsKaJT_g.txt ├── Lj2YRCXCBv8.txt ├── f-FbcobQQb8.txt ├── Xml4Gx3huag.txt ├── zXR96jprNcY.txt ├── 2pqHsW3yNlA.txt ├── sm_cgvnzJ5M.txt ├── k4MnqaYZIY4.txt ├── zoyK33-IcD4.txt ├── GSraDuD4ziQ.txt ├── 0exSe-PAhns.txt ├── kMesRjygnRM.txt ├── J2XS3m2Ctuc.txt ├── qMEJ11jhlAc.txt ├── 6pGEVDderN4.txt ├── 6QQ4kgDWQ9w.txt ├── 28JHPOUZvDw.txt ├── N1US3c6CpSw.txt ├── JFIGpRh76XY.txt ├── 3xIj8Xyx1TU.txt ├── VzZi2AGAsOY.txt ├── kUk5pw4w0h4.txt ├── 0TPXvpaiYWc.txt ├── Yfsmc0b8o78.txt ├── hRei9xXRAGE.txt ├── bqaZBeZ4zf0.txt ├── PBvthC7soS4.txt ├── 8ev9ZX9J45A.txt ├── OZvc-c1OLnM.txt ├── DkL3jaI1cj0.txt ├── u_U6F2Kkbb0.txt └── E9kz6RQu9Oc.txt ├── README.md ├── train_ai.py ├── all_videos.py └── yt.py /liveoverflow_transcripts/EEZ2T5UodVY.txt: -------------------------------------------------------------------------------- 1 | hello quick reminder the cyber security 2 | challenge germany is still going on 3 | we are in the second month now we just 4 | released new challenges including a 5 | challenge i made called screenshotter so 6 | go check it out 7 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/SJbuSXO4xs0.txt: -------------------------------------------------------------------------------- 1 | did you ever have RSI or any pain 2 | working typing so much never never a 3 | problem never had something like this I 4 | wonder if it's actually has to do with 5 | my pen spinning stuff because obviously 6 | every time when I have a pen I always 7 | have a pen like laying here I always do 8 | this kind of stuff I wonder if that's 9 | like helps me with my fingers I don't 10 | know 11 | 
-------------------------------------------------------------------------------- /liveoverflow_transcripts/9CS3q0uG1LI.txt: -------------------------------------------------------------------------------- 1 | hey everyone I just want to quickly let 2 | you know that the video release schedule 3 | will slow down for a little bit because 4 | as you can see I'm moving and it's a bit 5 | more than I anticipated 6 | um my whole studio is already 7 | disassembled and my editing PC as well I 8 | don't have internet yet at the new place 9 | so I cannot work on new videos I cannot 10 | edit videos I cannot record new videos 11 | so everything will you know be a bit 12 | delayed sorry about that 13 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/2LOtBpA7W_M.txt: -------------------------------------------------------------------------------- 1 | I thought it would be cool to tell you about 2 | a typical day as a pen-tester. 3 | Especially if you consider it as a career 4 | I think you might appreciate the insight of 5 | how this kind of job really looks like. 6 | So welcome to my desk, I work from home. 7 | And this is also where I edit my videos. 8 | Usually I start by opening my laptop, login, 9 | get pen and paper to take notes and then start. 10 | Sometimes I really have to focus and think 11 | of my next steps. 12 | But then I usually get into the flow. 
13 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/2sy6aIaoI64.txt: -------------------------------------------------------------------------------- 1 | for example we were looking at you know 2 | the the patch for Ping and we asked 3 | about what is the definition for the 4 | struct IP like let's compare how do I 5 | find this struct definition in Google 6 | struct IP definition and then this is 7 | probably my best guess find this here 8 | and then I see in here uh okay code so 9 | where exactly does t where's it now 10 | exactly distract so I press Ctrl F try 11 | to find it struct IP ah there it is it's 12 | in the middle of this file and now oh my 13 | God it's like depending on the byte 14 | order now I have to think about like I 15 | don't know like there's some if defines 16 | this stuff while I just type it here can 17 | you show me the struct IP definition and 18 | it just like told me even where it's 19 | from it starts explaining it as well 20 | what is the size of struct Ip it just 21 | told us it's 20 bytes even with example 22 | code how you could figure it out if you 23 | don't trust it you could also copy and 24 | paste and verify this now 25 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# yt_statistics

This repository contains various data from the LiveOverflow YouTube channel (`liveoverflow_videos.jsonl`) and other security creators (`all_videos.jsonl`).
Data was last pulled on 15.03.2023.

```json
{
  "channel_id": "UClcE-kVhqyiHCcjYwcpfj9w",
  "video_id": "MS7WRuzNYDc",
  "thumbnail": "https://i.ytimg.com/vi/MS7WRuzNYDc/hqdefault.jpg",
  "date": "2022-10-21T15:55:18Z",
  "views": "260530",
  "tags": ["ip address", "leak", "..."],
  "title": "I Leaked My IP Address!",
  "description": "How bad is it to leak your IP address? VPN providers..."
}
```

Each `video_id` in the `liveoverflow_videos.jsonl` has a corresponding `liveoverflow_transcripts/<video_id>.txt` file:

```
Is leaking your IP address really dangerous? It
seems like many people think so, because because
when I released my minecraft hacking video
series, I kept leaking my personal IP,
as well as the IP of other players (oops sorry?).
After that I got tons of worrying messages telling
...
```

Feel free to use the data to create some statistics, or train a LiveOverflow script writing AI (but pls let me use it too :P)

The file `500_metadata_finetune.jsonl` contains a partial attempt at [fine-tuning](https://platform.openai.com/docs/guides/fine-tuning) GPT-3. It's incomplete because I used openai to generate questions about paragraphs of the video transcript, and I blew through my credit before going through all videos (see `train_ai.py`).
--------------------------------------------------------------------------------
/liveoverflow_transcripts/hprXxJHQVfQ.txt:
--------------------------------------------------------------------------------
1 | A regular expression, in simple terms, is 2 | a pattern that can match a string of characters. 3 | For example /abc/ would first look for an 4 | A, then a B and then a C. 5 | You could also draw this pattern as a finite-state 6 | automaton. 7 | This is the kind of theoretical stuff you 8 | would learn when you study computer science.
9 | So we start here, then we can move to the 10 | next state when we see an A, to the next when 11 | we see a B and to the last one when we see 12 | a C, which means we match the string. 13 | And obviously if our string would have been 14 | A,X,C instead, then we would find the A and 15 | move forward, but there is no path for the 16 | X. 17 | So our pattern doesn’t match the string 18 | AXC. 19 | And if you think about regexes as these graphs, 20 | all the other features of regex become very 21 | clear. 22 | So it’s really helpful to draw this, if 23 | you find a more complex regex you don’t 24 | understand, or if you want to come up with 25 | a regex yourself maybe start drawing a finite-state 26 | machine instead. 27 | And then translate it into the text version. 28 | There is this really awesome website called 29 | debuggex which basically does exactly that 30 | for you. 31 | And I use it all the time because regex are 32 | often used to validate input, and it can be 33 | really helpful to see if you can somehow get 34 | malicious input through. 35 | Here just as an example a simple mail regex, 36 | and while you type you can observe here the 37 | pink cursor that shows you what characters 38 | you are allowed to use next. 39 | Until it matches 40 | And if it doesn’t match you can easily explore 41 | where it happened. 42 | Now debuggex is not the only service for this, 43 | you can find plenty of regex debugging tools 44 | and they are all cool and sometimes a regex 45 | is better visualized by one of the others, 46 | I just happen to use debuggex mostly. 47 | No particular reason. 
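The finite-state view described above can be made executable. The following is an added example (it is not material from the video and not debuggex's code): it compiles a small regex subset (literals, `.`, `*`, `+`, `?`, `|`, parentheses and backslash escapes, so it goes beyond the `/abc/` case) into an NFA with Thompson's construction and then simulates it; `run` also reports the index of the first character that had no path, which is the X in AXC.

```python
"""Regex subset -> Thompson NFA -> simulation (added example, assumed design)."""
EPS = None      # epsilon (free) transition
ANY = object()  # wildcard transition for '.'

class State:
    def __init__(self):
        self.edges = []      # list of (symbol, State); symbol is EPS, ANY or a char
        self.accept = False

class Parser:
    """alt := cat ('|' cat)* ; cat := rep* ; rep := atom ('*'|'+'|'?')? ;
    atom := char | '.' | '\\' char | '(' alt ')'.  Each method returns (start, end)."""
    def __init__(self, pattern):
        self.p, self.i = pattern, 0

    def peek(self):
        return self.p[self.i] if self.i < len(self.p) else ''

    def take(self):
        ch = self.peek()
        self.i += 1
        return ch

    def alt(self):
        start, end = self.cat()
        while self.peek() == '|':
            self.take()
            s2, e2 = self.cat()
            s, e = State(), State()
            s.edges += [(EPS, start), (EPS, s2)]     # fork into either branch
            end.edges.append((EPS, e))               # both branches rejoin
            e2.edges.append((EPS, e))
            start, end = s, e
        return start, end

    def cat(self):
        start = end = State()                         # empty fragment
        while self.peek() not in ('', '|', ')'):
            s, e = self.rep()
            end.edges.append((EPS, s))                # chain pieces: A then B then C
            end = e
        return start, end

    def rep(self):
        start, end = self.atom()
        op = self.peek()
        if op and op in '*+?':
            self.take()
            s, e = State(), State()
            s.edges.append((EPS, start))
            end.edges.append((EPS, e))
            if op != '+':
                s.edges.append((EPS, e))              # '*' and '?' may skip the atom
            if op != '?':
                end.edges.append((EPS, start))        # '*' and '+' may loop back
            start, end = s, e
        return start, end

    def atom(self):
        ch = self.take()
        if ch == '(':
            start, end = self.alt()
            assert self.take() == ')', "unbalanced parentheses"
            return start, end
        sym = self.take() if ch == '\\' else ANY if ch == '.' else ch
        s, e = State(), State()
        s.edges.append((sym, e))                      # one consuming transition
        return s, e

def compile_nfa(pattern):
    parser = Parser(pattern)
    start, end = parser.alt()
    assert parser.peek() == '', f"unexpected {parser.peek()!r} at {parser.i}"
    end.accept = True
    return start

def closure(states):
    """All states reachable from `states` by epsilon edges only."""
    stack, seen = list(states), set(states)
    while stack:
        for sym, nxt in stack.pop().edges:
            if sym is EPS and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def run(pattern, text):
    """Simulate the NFA. Returns (accepted, stuck_at): stuck_at is the index of
    the first character with no outgoing path (the X in AXC), or None."""
    current = closure({compile_nfa(pattern)})
    for i, ch in enumerate(text):
        step = {t for st in current for sym, t in st.edges if sym is ANY or sym == ch}
        current = closure(step)
        if not current:
            return False, i
    return any(st.accept for st in current), None

def fullmatch(pattern, text):
    """True if the whole text is accepted, like re.fullmatch."""
    return run(pattern, text)[0]
```

Drawing the automaton and then running it are the same thing here: a rejected input tells you exactly at which character the graph had no edge, which is what the debugging websites visualise.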
48 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/Jpaq0QkepgA.txt: -------------------------------------------------------------------------------- 1 | With all the information that you are 2 | being bombarded with when auditing, testing, 3 | reverse engineering and so forth, it’s important 4 | AND natural to look out for patterns. 5 | For example a lot of web applications encode 6 | data in base64. 7 | Sometimes in cookies, sometimes in APIs. 8 | And one thing I immediately notice in base64 9 | strings is “ey!” 10 | Look at this string. 11 | Does it tell you anything? 12 | Well maybe you already can recognise that 13 | it is base64 without having to attempt to 14 | decode it, but anything besides that? 15 | Anything about the data it encodes? 16 | Without having to do a base64 decoding I KNOW 17 | this is going to be JSON data. 18 | You see, JSON starts with a curly brace and 19 | a quote, and that results in e, y 20 | And being able to see that saves time, and 21 | allows you to quickly find interesting data. 22 | Same with debugging binary exploitation challenges. 23 | When you look at a hex memory dump, it is 24 | very overwhelming when you start out. 25 | So many different values. 26 | But eventually you start to learn to see here 27 | patterns. 28 | That is a stack address, I know that because 29 | it’s very similar to the stack pointer and 30 | something you see a lot when doing this stuff. 31 | But also here this fairly random looking data, 32 | I don’t even have to decode values from 33 | it, to see what it is, it is clearly ASCII. 34 | These bytes are in the ascii range. 35 | You can generally see that based off the first 36 | nibble. 37 | Ascii really only goes from around 2-something 38 | to 7-something. 39 | 20 is a space. 40 | You might also see some null bytes and obviously 41 | A or D also for new lines but most characters 42 | are in this area.
43 | So over time your brain develops this intuition 44 | to quickly judge if most of these values look 45 | like ascii. 46 | And so looking for and learning patterns like 47 | this will help you to be much more efficient 48 | when researching something. 49 |
--------------------------------------------------------------------------------
/train_ai.py:
--------------------------------------------------------------------------------
````python
import openai
import os
import json
import string
import time

openai.api_key = "..."


def get_detail(video_id):
    # Return the metadata record of one video from the jsonl dump
    # (None if the id is not found, which would make the f-string below fail).
    with open('liveoverflow_videos.jsonl', 'r') as f:
        for line in f.readlines():
            if video_id in line:
                print(line)
                return json.loads(line)


# Note: this script reads from "transcripts/", the README describes the
# same files under "liveoverflow_transcripts/".
files = os.listdir("transcripts")
i = 0
for fname in files:
    transcript_file = f"transcripts/{fname}"
    video_id = fname.split('.')[0]
    i += 1
    print(f"{i}/{len(files)}")

    paragraphs = []
    with open(transcript_file, "r", encoding="utf-8") as f:
        text = f.read()
    # Accumulate transcript lines until a sentence ends and the chunk is
    # between 500 and 1500 characters; only then is the buffer emitted and reset.
    paragraph = ""
    for line in text.splitlines():
        paragraph += line+" "
        if line.strip():
            if line[-1] in string.punctuation and len(paragraph) > 500 and len(paragraph) < 1500:
                #print(paragraph)
                details = get_detail(video_id)
                prompt = f"""Video metadata:
Title: {details['title']}
Tags: {", ".join(details['tags'][:20]).strip()}
Description:
```
{details['description']}
```

Video transcript:
```
{paragraph.strip()}
```

Write a technical question that can be answered by information in the video transcript:

"""
                print(prompt)
                response = openai.Completion.create(
                    model="text-davinci-003",
                    prompt=prompt,
                    temperature=0.7,
                    max_tokens=300,
                    top_p=1,
                    frequency_penalty=0,
                    presence_penalty=0
                )
                ai_data = response.choices[0].text
                # Fine-tuning format: the generated question is the prompt,
                # the transcript paragraph is the completion.
                with open('500_metadata_finetune.jsonl', 'a') as f:
                    f.write(json.dumps({"prompt": ai_data.strip(), "completion": paragraph.strip()})+"\n")
                paragraph = ""
                print(ai_data)
                time.sleep(1)
                #input()
````
--------------------------------------------------------------------------------
/liveoverflow_transcripts/j70AA9arThc.txt:
--------------------------------------------------------------------------------
1 | So as you know, each YouTube video has an 2 | ID in the URL. 3 | It identifies the video. 4 | It’s unique for each video and it’s determined 5 | randomly when you upload the video. 6 | So… how is it possible, that I know, that 7 | this video has the ID ? 8 | I hope you are intrigued now! 9 | 10 | Randomness is interesting, especially for 11 | computers because there is not necessarily 12 | anything random about them. 13 | We tend to think about them as being deterministic 14 | machines. 15 | So in terms of security, for example in cryptography 16 | it’s a huge challenge to get a good random 17 | source. 18 | If somebody could predict a random output, 19 | then that often breaks cryptography. 20 | Now the YouTube ID is not cryptographically 21 | important but it’s a nice proof of concept. 22 | So did I predict the ID? 23 | Actually no, I abused something else. 24 | So one day I noticed that the ID is actually 25 | known during your upload. 26 | You see it right there and you see it in your 27 | videos overview. 28 | So the files are not yet all uploaded, but 29 | you already know the ID it is assigned. 30 | And this allows us to perform a small switcheroo. 31 | I have basically taken a youtube upload code 32 | example that uses the google API to upload 33 | a video. 34 | And I modified the source code of that in 35 | order to switch out the file whenever I want. 36 | This means I can start out with the intro 37 | of this video, let that upload very very very 38 | slowly, and in the meantime I look up the 39 | ID it got assigned, and quickly record and 40 | edit this ID into a short clip.
41 | I render that, and I specifically use the 42 | mpg video container because it’s not a very 43 | complicated file format and it allows you 44 | to concatenate videos simply by concatenating 45 | the raw bytes of the file. 46 | You don’t need to run a special algorithm 47 | that merges the video files. 48 | This way I can just at some point tell the 49 | modified script to switch out the file and 50 | let it continue upload the new file that contains 51 | the known ID. 52 | Pretty neat, huh? 53 | I thought that’s a pretty cool trick. 54 | If you are interested in programming and it-security, 55 | I can really recommend you to subscribe and 56 | checkout some of my playlist. 57 | For example I think the Pwn Adventure 3 series, 58 | where we hack a game that was built to be 59 | hacked, is really fun. 60 | Bye bye. 61 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/ujaBCDaPUm0.txt: -------------------------------------------------------------------------------- 1 | after my previous video where I was 2 | showing a typical day of me pen testing 3 | I wanted to show you how to get into it 4 | so typically a lot of people think that 5 | the easiest trick to learn is this one 6 | in some sense it's easy because you just 7 | pass the pen from in-between fingers to 8 | the next one but mastering it to make it 9 | very smooth is extremely difficult even 10 | me with a fairly heavy pen can't do it a 11 | much easier trick is this one here and 12 | that is super easy all you have to do is 13 | hold the pen on one side like this see 14 | how I roughly have my thumb and index 15 | finger in the middle of the upper half 16 | and I placed the middle finger in the 17 | middle of the pen a common mistake I see 18 | is that people start holding the pen 19 | with index and thumb in the middle but 20 | that won't work 21 | hold it in the upper half then make sure 22 | your hand and wrist is kind of straight 23 | while the 
pen is pointing down 24 | diagonally then you just have to release 25 | the pen by removing the index finger and 26 | at the same time push it with the middle 27 | finger not hard just enough to give it a 28 | push but also not too weak and look how 29 | stable my wrist is another typical 30 | mistake is that you turn the wrist and 31 | some kind of reflex to go after the 32 | flying pin to catch it so don't do it 33 | keep your hand and wrist not moving at 34 | all keep it straight we are to hold the 35 | pen is actually more based on that after 36 | half a turn the middle of the pen should 37 | be on your thumb so that's why we have 38 | to start with the pen more to the other 39 | side when you push it and it flies 40 | around the middle point is where the 41 | thumb is and then it finishes the 42 | rotation another typical mistake is that 43 | the thump is put down and that can be 44 | actually used for another trick to let 45 | the pen spin on top of the thumb though 46 | for this easy trick you just want to 47 | keep it up of course you don't want to 48 | get cramps in your hand so keep it 49 | relaxed just enough force to hold the 50 | pen in place and enough force to push it 51 | around the thumb 52 | also the heavier the pendants the easier 53 | it is with a very light pencil it's also 54 | easy but not as easy so just put some 55 | heavier caps on both sides of a pen like 56 | i mothered this one here and then it's 57 | perfect 58 | [Music] 59 | [Applause] 60 | [Music] 61 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/M0D999KcyHo.txt: -------------------------------------------------------------------------------- 1 | Hey! 2 | This is just a quick announcement video to 3 | tell you about Gynvael’s Winter GameDev 4 | Challenge 2018/19. 
5 | Gynvael is also CTF player who is doing videos 6 | and livestreams on YouTube about security 7 | and hacking, however he also likes to challenge 8 | creativity through various GameDev challenges 9 | he has organized in the past. 10 | Checkout the cool footage of games from previous 11 | rounds. 12 | I really liked this, so for this round I joined 13 | him. 14 | Together we ramped up the prices and I will 15 | help him judge entries. 16 | The great thing about a GameDev challenge 17 | like this is, that you can win prizes, you 18 | are given a deadline and some other constraints. 19 | So you have a competitiveness that can motivate 20 | you, and constraints that allow you to be 21 | creative. 22 | In this particular challenge you are given 23 | the following premise of the story. 24 | You have to create a game where the player 25 | is a space marine technician, or hacker, who 26 | helps a squad of space marines while they 27 | are exploring an abandoned space station. 28 | And the idea is that you are supposed to create 29 | an “unrealistic” hacking simulation. 30 | Think of movie hacking scenes. 31 | I mean you can be realistic, or totally crazy, 32 | in the end all that matters is that it looks 33 | like crazy hacking and is FUN TO PLAY. 34 | You also have some other constraints, for 35 | example the game must run in 1080p and you 36 | must use this overlay for your game. 37 | Essentially this simulates two screens of 38 | a computer. 39 | We are currently working on a nicer overlay 40 | graphics that makes it look like a cool hacking 41 | screen terminal computer, so check back a 42 | bit later to see the final graphic. 43 | But we hope having only these two screens 44 | available for the actual game, it leads to 45 | some interesting gameplay mechanics. 46 | So think of something cool. 47 | You also must make this game with client-side 48 | web technology. 49 | Meaning javascript, css and HTML. 
50 | You can also do web assembly, or straight 51 | javascript, whatever. 52 | And if you have never done that, it’s a 53 | perfect opportunity to start learning some 54 | javascript. 55 | Protip, look at previous submissions and get 56 | inspired by their code. 57 | But don’t worry so much about the code. 58 | Remember we are not judging your code quality, 59 | all that counts is the game itself. 60 | Anyway, please checkout the exact rules, constraints 61 | and frequently asked questions and how it 62 | all works on gynvael’s blog I linked below, 63 | and I really hope you participate. 64 | We are looking forward to your submissions! 65 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/6htg9MGMOYE.txt: -------------------------------------------------------------------------------- 1 | Oh my gosh, I can’t really believe it. 2 | We have only one challenge left, in Pwn Adventure 3 | 3… 4 | Overachiever. 5 | Which means we have to get all the Achievements 6 | available in the game, but throughout the 7 | episodes we got most of them. 8 | Only First Blood and Killing Spree is missing. 9 | Both are related to PVP. 10 | In the first episode, the casual let’s play 11 | we already discovered a key that enables PvP. 12 | Oh, enabling PvP in... okay so if you press 13 | V you start PVP 14 | But how can we win this, if I’m playing 15 | alone? 16 | Well… we do the easiest hack of all. 17 | We make a second account. 18 | There is “asd”, and we enable PvP and 19 | then just kill him. 20 | Shoot… and fail… eh… gread hitboxes. 21 | Ehm… there we go. 22 | First Blood. 23 | Now we just have to repeat that 9 more times. 24 | We can do it with a few different weapons 25 | and magic spells that we have acquired throughout 26 | the game. 27 | Ahh… the memories… 28 | Last one… 29 | Boom. 30 | Killing Spree. 31 | Acquired Flag of the Overachiever. 32 | Unable to get flag contents? 33 | You do not own this flag? 
34 | Try again later? 35 | WHAT THE HECK? 36 | That is what you see when you tried to cheat 37 | yourself a flag item on the client, but the 38 | server hasn’t given you the actual flag. 39 | What did we do? 40 | Did the admins of the game detect that we 41 | were abusing a second account? 42 | Just kidding. 43 | I don’t know why this happened. 44 | So I reconnect. 45 | LiveOverflow, 7 Flags. 46 | AWESOME! 47 | So that looks good. 48 | Let’s drop into the game, inventory. 49 | Flag of the Overachiever. 50 | Amazing. 51 | There is the key. 52 | “Achievement Unlocked, Red Ring of Death”. 53 | An XBox reference. 54 | What a journey, I really enjoyed this series, 55 | but it was also a ton of work. 56 | I’m so happy that I completed it. 57 | I hope you enjoyed it too… 58 | One last, very important thing. 59 | There is an amazing credits outro song for 60 | Pwn Adventure 3, by Fuzyll, Azsyka, Don’t 61 | Panic and Lightning. 62 | It’s a parody on the Portals 2 credit song 63 | and the lyrics are just great. 64 | Please lean back and enjoy: 65 | So awesome. 66 | My favorite line was: “Tomcr00se just solved 67 | it all. 68 | And now leads the scoreboard. 69 | It’s such a shame the same will never happen 70 | to you”. 71 | What a sick burn. 72 | outch! 73 | But… this is not quite the end of our journey. 74 | There are a few things I’d like to play 75 | around with, because things like LD_PRELOAD 76 | do not exist on Windows and I really want 77 | to checkout how it could be done there. 78 | But I probably need help from some Windows 79 | experts, because I have no clue. 80 | So stay tuned for that. 
81 |
--------------------------------------------------------------------------------
/all_videos.py:
--------------------------------------------------------------------------------
```python
import yt, json
from datetime import datetime

# Display name -> channel id (or the channel's custom URL name), resolved by
# yt.list_videos() from the repository's own yt.py (not shown here).
channels = {
    "codingo": "codingo",
    "LiveOverflow": "UClcE-kVhqyiHCcjYwcpfj9w",
    "PwnFunction": "UCW6MNdOsqv2E9AjQkv9we7A",
    "JohnHammond": "_JohnHammond",
    "IppSec": "UCa6eh7gCkpPo5XXUDfygQQA",
    "NahamSec": "UCCZDt7MuC3Hzs6IH4xODLBw",
    "STÖK": "UCQN2DsjnYH60SFBIA6IkNwg",
    "InsiderPhD": "RapidBug",
    "The Cyber Mentor": "TCMSecurityAcademy",
    "HackerSploit": "HackerSploit",
    "Bug Bounty Reports Explained": "BugBountyReportsExplained",
    "GynvaelEN": "GynvaelEN",
    "Alex Chaveriat": "AlexChaveriat",
    "c0nd4": "c0nd4",
    "247CTF": "247CTF",
    "Farah Hawa": "FarahHawa",
    "PinkDraconian": "PinkDraconian",
    "0xdf": "0xdf",
    "zSecurity": "zSecurity",
    "DerekRook": "DerekRook",
    "CryptoCat": "_CryptoCat",
    "Lupin": "0xlupin",
    "Stefan Rows": "StefanRows",
    "Hacksplained": "Hacksplained",
    "Reconless": "reconless1983",
    "hakluke": "hakluke",
    "stacksmashing": "stacksmashing",
    "Low Level Learning": "LowLevelLearning",
}

with open("all_videos.jsonl", "w") as f:

    for channel in channels:

        videos = yt.list_videos(channels[channel])
        for video in videos:
            title = video['snippet']['title']
            video_id = video['contentDetails']['videoId']
            thumbnail = video['snippet']['thumbnails']['high']['url']
            published = datetime.strptime(video['snippet']['publishedAt'], "%Y-%m-%dT%H:%M:%SZ").date()
            print(f"{title} - {video_id} - {thumbnail} - {published}")
            channel_id = video['snippet']['channelId']

            # Second request per video: tags and statistics are not in the list response.
            details = yt.video_details(video_id)
            print(details)
            if 'tags' in details['snippet']:
                tags = details['snippet']['tags']
            else:
                tags = []
            print(tags)

            title = title.replace(",", " ")
            date = video['snippet']['publishedAt']
            views = details['statistics']['viewCount']
            # likeCount, like commentCount, is missing when the channel hides it.
            likes = details['statistics'].get('likeCount', 0)
            if 'commentCount' in details['statistics']:
                comments = details['statistics']['commentCount']
            else:
                comments = 0
            f.write(json.dumps({
                "channel": channel,
                "channel_id": channel_id,
                "video_id": video_id,
                "title": title,
                "thumbnail": thumbnail,
                "published": video['snippet']['publishedAt'],
                "tags": tags,
                "views": int(views),
                "likes": int(likes),
                "comments": int(comments)
            })+"\n")
```
--------------------------------------------------------------------------------
/liveoverflow_transcripts/iyAyN3GFM7A.txt:
--------------------------------------------------------------------------------
1 | Welcome to LiveOverflow. 2 | Here you can find videos about computer internals, 3 | with a focus on hacking and security concepts. 4 | I also record myself solving hacking challenges 5 | - it might be a bit boring to watch, but if 6 | you always wondered how other people work 7 | and think, it might be interesting for you. 8 | Now let me tell you a short story about why 9 | I am doing this here. 10 | I was too young in the 90s and didn’t exist 11 | in the 80s to be part of the seemingly golden 12 | age of the hacker culture. 13 | When I was a teenager I loved taking apart 14 | electronics and looking at the green circuit 15 | boards wondering with what kind of magic it 16 | is imbued with. 17 | Once my dad brought home our first computers 18 | and we got access to the internet, I found 19 | myself being fascinated with “hacking” 20 | and wanted to learn more about it. 21 | But all I found was crap, people trying to 22 | sell old information or fake products. 23 | So I never got into hacking until much later. 24 | I started programming in Visual Basic and 25 | made my first websites with html.
26 | Eventually I moved on to php and other programming 27 | languages. 28 | Some years pass and I moved out to another 29 | city to go to university. 30 | One day I was sitting in front of my computer 31 | coming across this hacking game by stripe. 32 | A CTF where one level was to exploit a buffer 33 | overflow. 34 | I knew what a stack was. 35 | And I was able to read simple assembler code 36 | from university classes. 37 | But not until I saw the shell popping up, 38 | my mind being blown and struck in awe, I realized 39 | I was at a position in life where I can pursue 40 | a dream I had as a kid. 41 | And I still wear the T-Shirt I got from the 42 | stripe CTF with pride. 43 | At the same time I had the opportunity to 44 | join a hackerspace where I met so many intelligent 45 | people and I went down a rabbit hole. 46 | Not many years have passed since then. 47 | And I still feel I have only explored a tiny 48 | fraction of what is out there. 49 | The content I am creating here is an attempt 50 | to give anybody who want’s to understand 51 | the world better, an opportunity to start 52 | somewhere. 53 | I want to give to others, what I wish I found 54 | when I was a teenager sitting in the basement 55 | typing into google “how to hack”. 56 | At the same time I see more and more people 57 | making tutorials on how to use certain hacking 58 | tools, rather than explaining the underlying 59 | concepts. 60 | I understand that it looks cool, and that 61 | you can feel very powerful. 62 | But there is more to hacking than that. 63 | Understanding concepts, understanding how 64 | your phone and laptop do stuff, understanding 65 | on a technical level how you are able to watch 66 | this video right now. 67 | That is amazing. 68 | There is so much awesome stuff to discover 69 | and break. 70 | So I invite you to join me on this adventure 71 | and “Hack the Planet!”. 
72 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/kMu1J8QdxE8.txt: -------------------------------------------------------------------------------- 1 | Fuzzing is a technique to automatically test 2 | input to some software to see what happens. 3 | This could be a crash or just general errors 4 | or interesting behaviour. 5 | Whatever you are looking for. 6 | Now fuzzing is not easy. 7 | There are a lot of different challenges like 8 | speed, scalability, detecting errors or whatever 9 | you look for, but also how do you even generate 10 | these interesting input test cases in the 11 | first place? 12 | That’s basically the whole art of fuzzing. 13 | For example if a software wants an integer 14 | as input. 15 | What kind of fuzzy tests would you like to 16 | do? 17 | Other numbers, leading spaces, small numbers, 18 | large numbers, larger numbers, leading zeroes, 19 | negative numbers, floats, text, long text, 20 | arbitrary bytes? 21 | There are so many options. 22 | Now if you need a simple but fairly powerful 23 | general-purpose fuzzer, then check out radamsa. 24 | Radamsa is a test case generator for robustness 25 | testing, a.k.a. a fuzzer. 26 | It is typically used to test how well a program 27 | can withstand malformed and potentially malicious 28 | inputs. 29 | It works by reading sample files of valid 30 | data and generating interestingly different 31 | outputs from them. 32 | The main selling points of radamsa are that 33 | it has already found a slew of bugs in programs 34 | that actually matter, it is easily scriptable 35 | and easy to get up and running. 36 | Let’s revisit our example about this fictional 37 | program that wants an integer. 38 | And then we use radamsa by giving it one example 39 | number, by piping it into the standard input 40 | of radamsa. 41 | And radamsa then prints a potential fuzzing 42 | test case. 43 | Now here it returned a huuuuge number.
44 | Next it actually returned nothing. 45 | So you would test an empty input 46 | Then it returned a small number 2. 47 | Then 256. 48 | Now echo also adds a newline after the number 49 | we pass in, so for this testcase radamsa simply 50 | decided to remove this newline. 51 | A few test cases later radamsa even introduced 52 | some unprintable characters. 53 | You see radamsa is pretty smart in generating 54 | good fuzzing input. 55 | It tries really hard to create useful input 56 | that is not just random bytes but actually 57 | has hopefully some meaning for the targeted. 58 | Let’s even try it with a simple HTML string. 59 | An svg tag with an onload javascript alert 60 | attribute. 61 | You can for example see here a testcase where 62 | radamsa seems to be aware that that’s a 63 | number and changed it, and here added some 64 | arbitrary bytes before the equal sign, it 65 | also constructs invalid HTML by repeating 66 | opening or closing tags. 67 | Now see we never gave it an empty opening 68 | tag, but for some reason it still used one. 69 | If you have an XML parsers this is really 70 | good test input that stresses the hierarchical 71 | structure of XML or HTML. 72 | Radamsa is pretty smart and powerful but it’s 73 | also so easy to use that you can rapidly prototype 74 | a fuzzer for some software you want to test. 
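The kinds of test cases described above (boundary numbers, the empty input, a dropped trailing newline, unprintable bytes, repeated opening or closing tags) can be prototyped with a handful of mutators. The following is an added example, not radamsa's code: a seeded mutation fuzzer plus a harness that feeds the cases to a target; the two parser functions and the `b"1\n"` and HTML samples are constructed for illustration, with the fragile parser next to a hardened one that the same cases cannot crash.

```python
"""A minimal radamsa-style mutation fuzzer (added example; not radamsa itself)."""
import random
import re

# Boundary values a parser is likely to mishandle (radamsa picks similar ones).
INTERESTING_INTS = [0, 1, 2, 255, 256, 65535, 2**31 - 1, 2**32, 2**63, -1, 10**40]


def mutate_number(data, rng):
    """Replace one run of digits with a boundary value."""
    runs = list(re.finditer(rb"\d+", data))
    if not runs:
        return data
    m = rng.choice(runs)
    return data[:m.start()] + str(rng.choice(INTERESTING_INTS)).encode() + data[m.end():]


def drop_chunk(data, rng):
    """Delete a random slice; may delete everything (the empty test case)."""
    if not data:
        return data
    i = rng.randrange(len(data))
    j = rng.randrange(i + 1, len(data) + 1)
    return data[:i] + data[j:]


def insert_bytes(data, rng):
    """Insert 1-4 bytes, biased towards unprintable and high-bit values."""
    pos = rng.randrange(len(data) + 1)
    blob = bytes(rng.choice([0x00, 0x0a, 0x7f, 0xff, rng.randrange(256)])
                 for _ in range(rng.randint(1, 4)))
    return data[:pos] + blob + data[pos:]


def repeat_token(data, rng):
    """Repeat a token such as an opening or closing tag several times."""
    tokens = list(re.finditer(rb"<[^>]*>|[^\s<>]+", data))
    if not tokens:
        return data
    m = rng.choice(tokens)
    return data[:m.start()] + data[m.start():m.end()] * rng.randint(2, 8) + data[m.end():]


def strip_newline(data, rng):
    """Remove the trailing newline that `echo` adds to the sample."""
    return data.rstrip(b"\n")


MUTATORS = [mutate_number, drop_chunk, insert_bytes, repeat_token, strip_newline]


def generate(sample, count, seed=0):
    """Yield `count` test cases, each derived from `sample` by 1-3 random mutators."""
    rng = random.Random(seed)                 # seeded so a run can be reproduced
    for _ in range(count):
        case = sample
        for _ in range(rng.randint(1, 3)):
            case = rng.choice(MUTATORS)(case, rng)
        yield case


def fuzz(target, sample, count=200, seed=0):
    """Feed generated cases to `target`; return the (input, exception) pairs that crashed."""
    crashes = []
    for case in generate(sample, count, seed):
        try:
            target(case)
        except Exception as exc:              # any unhandled exception is a finding
            crashes.append((case, exc))
    return crashes


def fragile_parse_u8(data):
    """Constructed target: parses 'an integer' the way a naive program might."""
    value = int(data.decode("ascii"))         # raises on bytes > 0x7f, empty input or junk
    if not 0 <= value < 256:
        raise OverflowError("not an 8-bit value")
    return value


def robust_parse_u8(data):
    """Hardened counterpart: validates before converting and never raises."""
    data = data.strip()
    if not data.isdigit() or len(data) > 3:   # bytes.isdigit() is ASCII-only and False for b""
        return None
    value = int(data)
    return value if value < 256 else None


if __name__ == "__main__":
    for case in generate(b"1\n", 8):
        print(repr(case))
    print(len(fuzz(fragile_parse_u8, b"1\n")), "crashes vs",
          len(fuzz(robust_parse_u8, b"1\n")), "for the hardened parser")
```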
75 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/xCEJfTfhtQc.txt: -------------------------------------------------------------------------------- 1 | do you know how a buffer overflow really 2 | works have you ever wondered what goes 3 | into these amazing memory corruption 4 | exploits have you ever really tried to 5 | understand modern XSS attacks that abuse 6 | JavaScript sandboxes the world of 7 | security vulnerabilities is amazing 8 | behind each exploit is a story of 9 | creativity and incredible knowledge and 10 | I want to help others appreciate this 11 | form of art 12 | [Music] 13 | welcome to LiveOverflow this is a 14 | channel where we don't just use exploits 15 | because it makes us look cool 16 | transfer to tourism but we actually want 17 | to understand how they work I want to 18 | explain underlying concepts and ideas 19 | about IT security and not just show how 20 | to use a tool this means I will 21 | demonstrate technical stuff from 22 | low-level hardware to high-level web 23 | apps as well as talking about abstract 24 | ideas such as weird machines and 25 | language security I know how boring 26 | introduction tutorials can be so I try 27 | to do it differently the videos are 28 | highly condensed and cover way more than 29 | just the obvious on this channel you can 30 | find a binary exploitation course that 31 | introduces buffer overflows format 32 | string exploits heap corruptions 33 | networking and much more there's also a 34 | web security course and I also cover 35 | real-life exploits where we actually dig 36 | deep to understand how they work 37 | no [ __ ] upper management summary I 38 | also love to play security capture the 39 | flag competitions where you have to 40 | exploit challenges and collect Flags I 41 | got hooked on security after 42 | participating in a CTF organized by 43 | stripe in 2012 so you will find several 44 | video walkthroughs of challenges 45 |
covering many different kinds of topics 46 | including pwning reverse engineering 47 | crypto web and more I also like to play 48 | around with some hardware though I still 49 | have to learn more about that but why 50 | don't you come with me on this journey 51 | if you like what you see please 52 | subscribe on YouTube to always get 53 | notified of new videos if you want to 54 | get started from the beginning check out 55 | the playlists I've created for the 56 | different series or you can use the 57 | website liveoverflow.com to browse the 58 | video courses in case the playlists are 59 | a hassle I know my English is not 60 | perfect so almost all of my videos have 61 | subtitles available which should make it 62 | easier to follow when I mumble thanks 63 | for watching my introduction video I 64 | hope I was able to convince you to give 65 | it a try if you have feedback for me let 66 | me know about it I always love to hear 67 | from people watching my stuff there's a 68 | subreddit where you can engage with 69 | others from the community feel free to 70 | post and discuss anything remotely 71 | related just keep DPS and snake-oil 72 | stuff out you can also follow me on 73 | Twitter where I post new videos and 74 | occasionally retweet cool stuff I hope 75 | to see you as a subscriber 76 | and hack the planet 77 | hyped up again 78 | [Music] 79 | you 80 | [Music] 81 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/9NYleo0r4Eg.txt: -------------------------------------------------------------------------------- 1 | I have already made a video a long time ago, 2 | which is part of the binary exploitation course 3 | where I talked a little bit about signed and 4 | unsigned integers. 5 | And I just wanted to give a little bit more 6 | context for the video where we abused an integer 7 | overflow to kill Magmarok in Pwn Adventure 8 | 3.
9 | So let’s say you debug some application 10 | and there is a 32-bit register and you see 0x44434241. 11 | What does it mean? 12 | As you know hex values are super cool to represent 13 | binary values, because 4 bit correspond to 14 | one hex digit, so there is a really nice 4:1 15 | match which makes it super clear. 16 | Anyway, if the binary value is just converted 17 | to decimal it’s 1.1 billion. 18 | But you could also say, no I want to interpret 19 | this byte by byte as ascii text, for example 20 | if opened in notepad. 21 | Then it would be the text “ABCD”. 22 | So there is interpretation going on, for the 23 | CPU it’s just bits, but based on the context 24 | where this value is used in, it could have 25 | different meanings. 26 | And that’s the same way with negative numbers. 27 | As you may know, a negative 1, -1 would be 28 | in 0xFFFFFFFF, or all bits set to 1. 29 | Which might feel weird but it has an awesome 30 | property. 31 | Actually we abuse here an integer overflow 32 | in a useful way. 33 | You see if we would like to calculate 3 - 1 34 | or rewritten as 3 + (-1), then we could calculate 35 | 0x00000003 + 0xFFFFFFFF. 36 | And you would think that doesn’t make sense, 37 | because in decimal that would be a super huge 38 | value, so the result would be even larger, 39 | but because we are confined to 32bit in this 40 | example, the result would require 33bit. 41 | And thus we lose the first bit. 42 | The result kind of wraps around and we end 43 | up with 0x00000002. 44 | So we did indeed calculate 3 - 1. 45 | And that’s the awesome property of it. 46 | And because a binary number can be interpreted 47 | in this signed or unsigned way, especially 48 | for things like comparisons, the CPU has to 49 | have a way to understand this context. 50 | And this is why we have instructions that 51 | specifically are used if the data is signed 52 | or unsigned.
53 | And if you just search for “signed” in 54 | the official Intel Architecture manual, you 55 | see loads of instructions that have signed 56 | and unsigned versions. 57 | And of course this can lead to security issues 58 | when such an overflow was not intended, for 59 | example when we want to add 3 billion + 3 60 | billion, then it doesn’t fit in 32 bit and 61 | overflows. 62 | If we continue to use the result for anything 63 | important, then that’s really bad. 64 | So that’s why it’s so important to be 65 | very careful when mixing signed and unsigned 66 | values. 67 | But also that numbers don’t grow too big 68 | or too small and they overflow. 69 | And in the Magmarok video you can see how 70 | there are two issues related to that. 71 | First there is a larger number subtracted 72 | from a smaller number, causing an overflow, 73 | which should be now a negative number, but 74 | it’s compared with an unsigned comparison, 75 | so suddenly that number was interpreted to 76 | be super large. 77 | And the other issue allowed repeatedly to 78 | add values to a signed integer, until it grew 79 | so large, that it suddenly wrapped around 80 | and became negative. 81 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/WWJTsKaJT_g.txt: -------------------------------------------------------------------------------- 1 | Something funny happened to me. 2 | I wanna tell you a story how I got a free 3 | Burger when I ordered food. 4 | And use it to explain what injection vulnerabilities 5 | are. 6 | So last night I was super lazy, didn’t wanna 7 | cook so I ordered food. 8 | I ordered food there before so certain fields 9 | like the address were already filled out. 10 | But also the comment field was still filled 11 | out. 12 | And on the previous order, in the comment 13 | field I requested a different sauce for one 14 | of the Burgers. 15 | I didn’t realize that and just continued 16 | and paid online.
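An added example for the signed/unsigned transcript above (9NYleo0r4Eg.txt), not code from the video: it models 32-bit wraparound in Python with masking, walks through the video's own values (0x44434241, 3 + 0xFFFFFFFF, 3 billion + 3 billion), reproduces the two Magmarok-style bug shapes the video describes, and shows a checked addition that refuses to wrap. `damage_check` and `additions_until_negative` are constructed illustrations, not the game's code.

```python
import struct

MASK32 = 0xFFFFFFFF
INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1


def to_signed32(value: int) -> int:
    """Reinterpret the low 32 bits of value as a two's-complement integer."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def add32(a: int, b: int) -> int:
    """32-bit addition: the 33rd bit of the true sum is simply lost."""
    return (a + b) & MASK32


def sub32(a: int, b: int) -> int:
    """32-bit subtraction, i.e. a + (-b) with wraparound."""
    return (a - b) & MASK32


def interpretations(word: int) -> dict:
    """The same 32 bits read as hex, unsigned, signed and little-endian ASCII."""
    word &= MASK32
    return {
        "hex": f"0x{word:08X}",
        "unsigned": word,
        "signed": to_signed32(word),
        "ascii": struct.pack("<I", word).decode("ascii", errors="replace"),
    }


def checked_add32(a: int, b: int, signed: bool) -> int:
    """Addition that refuses to wrap silently, the behaviour a compiler
    builtin such as __builtin_add_overflow gives you in C."""
    result = a + b
    lo, hi = (INT32_MIN, INT32_MAX) if signed else (0, MASK32)
    if not lo <= result <= hi:
        kind = "signed" if signed else "unsigned"
        raise OverflowError(f"{a} + {b} does not fit in a {kind} 32-bit integer")
    return result


def damage_check(health: int, damage: int) -> dict:
    """First bug shape: health - damage underflows when damage is larger.
    A signed compare sees a negative number, an unsigned compare sees a
    huge positive one, so an 'is still alive' check keeps passing."""
    remaining = sub32(health, damage)
    return {
        "raw": remaining,
        "signed_view_alive": to_signed32(remaining) > 0,
        "unsigned_view_alive": remaining > 0,
    }


def additions_until_negative(start: int, step: int, limit: int = 1000) -> int:
    """Second bug shape: keep adding a positive step to a signed 32-bit
    counter and return how many additions it takes to wrap negative,
    or -1 if it does not happen within `limit` additions."""
    value = start
    for n in range(1, limit + 1):
        value = to_signed32(value + step)
        if value < 0:
            return n
    return -1


if __name__ == "__main__":
    print(interpretations(0x44434241))          # unsigned 1145258561, ascii "ABCD"
    print(hex(add32(3, 0xFFFFFFFF)))             # 0x2, i.e. 3 + (-1)
    print(add32(3_000_000_000, 3_000_000_000))   # 1705032704, not 6 billion
    print(damage_check(health=10, damage=30))
    print(additions_until_negative(2_000_000_000, 100_000_000))  # 2
```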
17 | A little bit later the delivery guy shows 18 | up and told me that he changed the sauce for 19 | the Country Burger as I had requested. 20 | Country burger? 21 | I didn’t order one? 22 | He said: yeah, you did. 23 | Look here on the receipt. 24 | And I look at it and I realized what happened 25 | the comment I wrote was printed just above 26 | the other items that I actually ordered, I 27 | used capital letters to emphasize my request 28 | and I didn’t notice that it just made it 29 | look like it is one of the ordered items. 30 | And so he actually thought I ordered a Country 31 | Burger and the comment after it was just my 32 | modification request. 33 | I mean looking at it now everybody would say 34 | it’s pretty clear that it’s not an Item 35 | I ordered. 36 | There is no price on it and it’s not bold. 37 | But this is a fast food restaurant and those 38 | guys have a lot to do, it has to go fast and 39 | maybe comments are also not a common thing. 40 | I can totally see how it happened. 41 | I offered to pay for the Burger, but he said 42 | it’s fine. 43 | So that’s how I got a free Burger through 44 | an unintended Burger Injection or unintended 45 | social engineering attack. 46 | So what does this teach us about injection 47 | vulnerabilities in software? 48 | You see, programs are just acting on instructions 49 | that they have been given. 50 | Like a guy in a restaurant has instructions 51 | he gets from the order that gets printed out. 52 | And in this case data, or this comment, was 53 | mixed together with business critical information. 54 | And whoever created and printed out this order 55 | didn’t make it clear to the entity that 56 | processes this data, that this is just a comment, 57 | not an order instruction. 58 | The bill could have been structured differently 59 | so that it is very clear. 60 | And this is always what happens with injection 61 | vulnerabilities. 62 | Let’s take SQL injections.
63 | A programmer writing code that builds an SQL 64 | query and doesn’t make it clear that this 65 | user data is just a string, by wrapping it 66 | in quotes and making sure that no quotes can 67 | appear in the data by escaping them, then 68 | whatever processes the query can be fooled. 69 | Or cross site scripting. 70 | The programmer writes user data into a surrounding 71 | HTML document without explicitly marking this 72 | data to just be plaintext without special 73 | characters. 74 | Thus somebody can inject HTML tags like script 75 | tags and perform an XSS attack. 76 | And obviously there are many many cases in 77 | security where the underlying security issue 78 | is an injection. 79 | Yes SQL injections and XSS have a very different 80 | impact and are very different, but only at 81 | the surface. 82 | The underlying principle is exactly the same. 83 | So whenever you place data into some other 84 | structure that gets then handed to another 85 | entity for further processing, may this be 86 | a webserver, a database server, a browser 87 | or a fast food employee, you have to make 88 | sure your data is clearly marked as what it 89 | is. 90 | Just data. 91 | Not an instruction meant for that entity. 92 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/Lj2YRCXCBv8.txt: -------------------------------------------------------------------------------- 1 | So I was browsing reddit, and this new CTF 2 | for beginners popped up. 3 | Obviously I had to check it out and directly 4 | head to my favorite category, the binary exploitation 5 | stuff. 6 | And of course there is a server you can connect 7 | to as a regular user, and when you exploit 8 | a challenge you will elevate privileges to 9 | another user to gain access to the secret 10 | flag. 11 | But the biggest challenge of all, and I couldn’t 12 | find rules that would forbid this, would be 13 | to gain root. 14 | So let’s do that.
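An added example for the burger-injection transcript above (WWJTsKaJT_g.txt), not code from the video: the same "data mixed with instructions" mistake in SQL and in HTML, each beside the version that marks the data as data (parameter binding, `html.escape`). The order table is constructed for the example.

```python
import html
import sqlite3

# Constructed order table, in the spirit of the burger story.
ORDERS = [
    ("Cheeseburger", "EXTRA PICKLES PLEASE"),
    ("Fries", ""),
    ("Country Burger", "different sauce"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT, comment TEXT)"
    )
    conn.executemany("INSERT INTO orders (item, comment) VALUES (?, ?)", ORDERS)
    conn.commit()
    return conn


def find_orders_vulnerable(conn: sqlite3.Connection, item: str) -> list:
    """Data is pasted into the query text: a quote inside `item` ends the
    string literal and whatever follows is read by SQLite as part of the
    instruction, exactly like the comment that looked like an order line."""
    query = f"SELECT id, item FROM orders WHERE item = '{item}'"
    return conn.execute(query).fetchall()


def find_orders_safe(conn: sqlite3.Connection, item: str) -> list:
    """Parameter binding hands the data to SQLite separately from the query
    text, so it is only ever compared as a string, quotes and all."""
    return conn.execute(
        "SELECT id, item FROM orders WHERE item = ?", (item,)
    ).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """The comment is written straight into the HTML; a '<' starts a tag."""
    return f"<li>{comment}</li>"


def render_comment_safe(comment: str) -> str:
    """html.escape marks the comment as plain text by replacing the
    characters (<, >, &, quotes) that the browser would read as markup."""
    return f"<li>{html.escape(comment, quote=True)}</li>"


if __name__ == "__main__":
    conn = make_db()
    tricky = "Fries' OR '1'='1"          # data that contains a quote
    print(find_orders_vulnerable(conn, tricky))   # every row: the quote broke out
    print(find_orders_safe(conn, tricky))         # []: no item has that name
    print(render_comment_safe("<b>no sauce</b>"))
```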
15 | Remember my dirty cow explanation video? 16 | Let’s use the proof of concept exploit that 17 | we had there and test if it works on this 18 | server. 19 | So we can simply copy this code to a file 20 | in tmp and compile it. 21 | To test if we can overwrite files that don’t 22 | belong to us, without overwriting critical 23 | root owned files, we log in as another challenge 24 | user on the system, create a file with some 25 | content. 26 | And then we go back to the first user, execute 27 | dirty cow on that file and attempt to write 28 | some other characters to it. 29 | And when we check, we can see that it works. 30 | At this point I wrote the author a message 31 | on reddit to inform him that the server is 32 | vulnerable and he should quickly update. 33 | But now we need a plan what root file we could 34 | overwrite to become root ourselves. 35 | Our restriction is, that we have to overwrite 36 | something in a file, we can’t append or 37 | prepend anything. 38 | The first obvious idea would be a setuid binary, 39 | but the issue is that in order to write a 40 | backdoor shell to the binary, we would have 41 | to parse the elf file format and figure out 42 | where the entry point is. 43 | An easier strategy is to overwrite data in 44 | a text file. 45 | And I chose /etc/passwd. 46 | You can see here the user id of the users, 47 | and if we would change the uid of the pwn1 48 | user to 0, we would login as root. 49 | So. 50 | The dirty cow proof of concept writes to the 51 | beginning of the file. 52 | So first we have to figure out the offset 53 | inside of /etc/passwd. 54 | We can use hexdump for that and count a little 55 | bit. 56 | So pwn1 user is at offset hex 4c0 plus a little 57 | bit. 58 | I use python as a calculator and modify the 59 | exploit code to write to a fixed offset. 60 | I think here would be a good plan.
61 | And you have to be very very careful with 62 | choosing these offsets and choosing what to 63 | write, because you can screw up the whole 64 | system if you don’t. 65 | So I copy /etc/passwd to try what I want to 66 | do before doing it to the real binary. 67 | And of course, my first attempt would have 68 | wrecked the system. 69 | So adjusting the offset a bit and also appending 70 | a newline at the end is finally successful 71 | and I write to the real /etc/passwd. 72 | Now when we switch to pwn1 or ssh login to 73 | pwn1, we get a root shell. 74 | Then we can read out all flags. 75 | Once we are done, we revert back /etc/passwd 76 | to the original state. 77 | Some important notes. 78 | Be very very careful what you overwrite with 79 | an exploit like this. 80 | Just one byte miscalculated, and you might 81 | destabilize, crash, DoS the system or simply 82 | lock yourself out. 83 | Also if you find a server vulnerable, think 84 | about the impact or context you are in. 85 | This small private CTF server project, that 86 | is intended to be hammered is different from 87 | a webserver you exploited from some random 88 | company. 89 | So don’t go around and try this if you have 90 | no permissions or you could cause a lot of 91 | damage. 92 | Make an ethical decision. 93 | Be aware of the risk you are taking. 94 | And thanks to maro for being cool about this 95 | and allowing me to make a video about it. 96 | Good luck with your platform. 97 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/f-FbcobQQb8.txt: -------------------------------------------------------------------------------- 1 | Hey, 2 | I’m LiveOverflow, and I’m the inventor 3 | of security.txt 4 | NO! 5 | GET OUT OF HERE! 6 | I’m LiveOverflow, I’m the inventor of 7 | security.txt. 8 | Let me explain what it is. 9 | Security.txt is a proposed standard which 10 | allows websites to define security policies.
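An added example for the dirty cow transcript above (Lj2YRCXCBv8.txt), written from the defender's side and not code from the video: an integrity check for /etc/passwd that flags exactly the two outcomes the video describes, an extra uid-0 account and a line damaged by a miscalculated write. The passwd excerpt is constructed; in practice you would read the real file and compare against a known-good baseline.

```python
# Constructed /etc/passwd excerpt: pwn1's uid field has been changed to 0,
# and the pwn2 line has lost a colon, the kind of damage a write at the
# wrong offset causes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
pwn0:x:1000:1000::/home/pwn0:/bin/bash
pwn1:x:0:1001::/home/pwn1:/bin/bash
pwn2:x:1002:1002:/home/pwn2:/bin/bash
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def parse_passwd(text: str):
    """Return (entries, problems). Malformed lines are reported, not parsed,
    because login tools will also choke on them."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            problems.append(f"line {lineno}: expected 7 fields, got {len(parts)}")
            continue
        entry = dict(zip(FIELDS, parts))
        if not entry["uid"].isdigit() or not entry["gid"].isdigit():
            problems.append(f"line {lineno}: non-numeric uid/gid for {entry['name']}")
            continue
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries, problems


def audit_passwd(text: str) -> list:
    """Flag every uid-0 account other than root, duplicate account names,
    and malformed lines. An empty list means nothing suspicious."""
    entries, findings = parse_passwd(text)
    seen = set()
    for entry in entries:
        if entry["uid"] == 0 and entry["name"] != "root":
            findings.append(f"uid 0 account besides root: {entry['name']}")
        if entry["name"] in seen:
            findings.append(f"duplicate account name: {entry['name']}")
        seen.add(entry["name"])
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```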
11 | The security.txt file sets clear guidelines 12 | for security researchers on how to report 13 | security issues. 14 | 15 | Security.txt is a simple text file that you 16 | can find on many websites in the .well-known 17 | directory. 18 | But before we talk more in depth about security.txt 19 | - my invention - I wanted to quickly talk 20 | about the .well-known directory. 21 | I would actually be surprised if you didn’t 22 | know, because this directory is actually “well 23 | known”. 24 | There is even a standard for this. 25 | And of course as computer interested people 26 | we read ALL standards for fun. 27 | So this is old news for you. 28 | But because it’s so much fun, let’s check 29 | it out together again. 30 | This memo defines a path prefix for "well-known 31 | locations", "/.well-known/" 32 | Many of you probably know the robots.txt file. 33 | Which provides easily accessible policy information 34 | about how a bot accessing the website should 35 | behave. 36 | So this file provides useful metadata information 37 | for bots. 38 | Now you could imagine that there are many 39 | other cases where such a file could be useful 40 | for other kinds of … things. 41 | And you could maybe end up with tons of these 42 | files in the root directory. 43 | so at some point there was this suggestion 44 | to place these files into their own URI path 45 | called .well-known. 46 | Now you shouldn’t just place any file in 47 | there, because it should be a well known useful 48 | file, so there is a procedure to register 49 | well-known URIs. 50 | Basically send a request for registration 51 | to the wellknown-uri-review mailinglist. 52 | So security.txt is such a policy informational 53 | file, which registered a well-known uri. 54 | Let’s check it out. 55 | We can go to the mailinglist archive and see 56 | here other requests. 57 | let’s search for my request…. 58 | Oh… not found? 59 | I’m sure I registered it. 60 | Am I going crazy? 61 | Ah. 62 | I forgot.
63 | I’m a smarty pants. 64 | We did it over IANA in 2017. 65 | This will get done as part of the RFC publication, 66 | no need to track separately. 67 | Security.txt is not an RFC yet. 68 | So security.txt is not a full standard yet. 69 | It’s still in the process of becoming one. 70 | But what is it actually about? 71 | Security researchers and bug bounty hunters 72 | have often been very annoyed at finding the 73 | correct contact to report security issues. 74 | Some people simply try to write an email to 75 | security@.com but that’s just 76 | a guess. 77 | Some have bug bounty programs, but you first 78 | have to find the correct page. 79 | There is not an easy clear place to find this 80 | information. 81 | And so this is where security.txt comes in. 82 | This text file describes a standard to help 83 | organizations define the process for security 84 | researchers to disclose security vulnerabilities 85 | securely. 86 | Here is for example the file from our domain 87 | securitytxt.org. 88 | If you want to report a security issue for 89 | this domain, you can contact me here. 90 | And here is my PGP key for encryption. 91 | It’s that simple. 92 | Simple, but very useful. 93 | And what is awesome, we already see wide 94 | adoption. 95 | For example here on Dropbox, Facebook and 96 | even Google. 97 | I’m so proud of my invention. 98 | And so now it’s on its way to becoming an 99 | actual internet standard. 100 | it could become a real RFC within this year. 101 | Anyway. 102 | Hopefully MY INCREDIBLE INVENTION makes the 103 | life of bug hunters and security researchers 104 | easier. 105 | And maybe you even adopt it in your company, 106 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/Xml4Gx3huag.txt: -------------------------------------------------------------------------------- 1 | Google offers a ton of services.
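An added example for the security.txt transcript above (f-FbcobQQb8.txt), not code from the video or from the securitytxt.org project: a parser and checker for the file, validating the Contact and Encryption fields the video shows. The Expires field and the URI requirement for Contact come from RFC 9116, which standardised security.txt after the video was made; the sample file is constructed.

```python
from datetime import datetime, timezone

# Constructed security.txt in the style of the file shown in the video.
SAMPLE = """\
# Our security address
Contact: mailto:security@example.com
Contact: https://example.com/security
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
"""

REQUIRED = ("Contact", "Expires")          # mandatory in RFC 9116
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")
ENCRYPTION_SCHEMES = ("https:", "dns:", "openpgp4fpr:")


def parse_security_txt(text: str) -> dict:
    """Map each field name to the list of values given for it. Comments and
    blank lines are skipped; unknown fields are kept so callers can see them."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a field line: {line!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(text: str, now: datetime = None) -> list:
    """Return the problems a site owner should fix before publishing the file
    (and that a researcher should notice before trusting it)."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for value in fields.get("Contact", []):
        if not value.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a URI: {value}")
    for value in fields.get("Encryption", []):
        if not value.startswith(ENCRYPTION_SCHEMES):
            problems.append(f"Encryption is not a key URI: {value}")
    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not a valid timestamp: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}")
    return problems


if __name__ == "__main__":
    print(parse_security_txt(SAMPLE))
    print(check_security_txt(SAMPLE))   # [] while the sample has not expired
```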
2 | There is google search, youtube, gmail, drive, 3 | but they also offer a cloud platform. 4 | And one of the services there is BigQuery. 5 | BigQuery is a fast, fully managed enterprise 6 | data warehouse for large-scale data analytics. 7 | BigQuery can scan Terabytes in Seconds and 8 | Peta Bytes in minutes. 9 | A lot of buzzwords but what is it good for? 10 | So it basically is a big data platform and 11 | service anybody can use. 12 | This is something nobody can do on their personal 13 | computer and BigQuery allows you to do stuff, 14 | that generally would require some big machines. 15 | So here is how it works. 16 | You have a question you are looking to answer 17 | and so you write an SQL query for a big dataset. 18 | You let it run and get the result back. 19 | It’s not much different from your phpmyadmin 20 | or your small school exercises, the difference 21 | is just, this can run on Terabytes of data. 22 | And the other cool thing is, BigQuery comes 23 | already with public datasets that you can 24 | use. 25 | There are huge databases with data on baseball 26 | games, census data, crimes and so forth. 27 | You can find some really cool examples to 28 | play with out of curiosity, or even use it 29 | for a research project. 30 | I got really excited when I saw that BigQuery 31 | had a public github dataset. 32 | For example somebody ran a query to check 33 | how many files use spaces or tabs for indentation. 34 | So I thought about what I could do, and I 35 | was thinking, people leak their passwords 36 | and ssh private keys on github, maybe they 37 | also fail with bitcoin wallets, their private 38 | keys. 39 | Maybe that’s my way into a luxurious life! 40 | So I checked again what a bitcoin address looks 41 | like and built a regular expression for it. 42 | Basically they all start with a 5 followed 43 | by a HJ or K and then followed by other base58 44 | valid characters.
45 | And to not match this in random text, I made 46 | sure that before this match there is either 47 | the start of a line or NOT a regular character. 48 | So spaces or quotes or colons would be fine. 49 | Same thing for after the key, just with line 50 | ending. 51 | Then I looked up some examples that people 52 | have done, because I’m doing it for the 53 | first time. 54 | And so I just modified this here a bit. 55 | You can also investigate how the datasets 56 | you want to query look. 57 | The fields they have, some details like the 58 | size, this is important for what the query 59 | will cost, and you can also preview the data 60 | to get an idea what you will get. 61 | So here is what I came up with, we first query 62 | all contents, so all file contents where this 63 | regex matches, and return those matches together 64 | with an id. 65 | And then we join this resulting table with 66 | the files database, which contains the repository 67 | name, and the file name or actually file path. 68 | The result will be a table with hopefully 69 | bitcoin wallet keys and where they were from. 70 | It takes a few seconds to run those 2TB of 71 | data, but returns very quickly a result with 72 | over 10.000 matches. 73 | Isn’t this crazy, we just queried over 2TB 74 | of data in a matter of seconds with a regex. 75 | TWO TERABYTES. 76 | Anyway. 77 | I took the result, downloaded it as CSV, wrote 78 | a simple script using a python module to get 79 | the bitcoin address for the wallet private 80 | key, if it was actually a valid private key, 81 | and then we use the blockchain.info api to 82 | see if there are any funds available. 83 | Buuut. 84 | As it turns out, they are mostly empty. 85 | Some had some movements in the past, and there 86 | was even one with around 5 $ cents on it, 87 | but when you look where they are from, they 88 | are well known public private keys, they are 89 | like examples from projects and so forth.
90 | So unfortunately, my luxurious life has to 91 | wait. 92 | And actually this cost me around 5$, because 93 | while the first terabyte is free, each additional 94 | terabytes costs 5$ and this dataset had 2 95 | Terabytes. 96 | Oh well. 97 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/zXR96jprNcY.txt: -------------------------------------------------------------------------------- 1 | Hey, 2 | You are probably watching this video because 3 | you know that I create educational videos 4 | about IT security, and you are thinking about 5 | supporting this project. 6 | For that already I want to say thank you. 7 | But let me explain everything. 8 | So the first problem is to decide between, 9 | monthly, or a per video/per creation, support. 10 | That’s why I decided to go with both. 11 | On youtube you can find the Join button which 12 | allows you to support me with a fixed monthly 13 | amount - it’s roughly 5$. 14 | On Patreon on the other hand you can pledge 15 | money per video, but you also have the option 16 | to set an upper LIMIT per month. 17 | Both options have advantages and disadvantages 18 | which I want to quickly explain. 19 | With a monthly pledge you provide some income 20 | stability. 21 | Much more like a regular job. 22 | With this I also hope I could receive ongoing 23 | support if for example I get sick or just 24 | need a break, or want to take more time for 25 | a really good video. 26 | On the other hand we have patreon with a per 27 | video support. 28 | Certain dollar amounts per video sound high 29 | but you can intelligently use the monthly 30 | limit to clearly communicate what you want. 31 | For example. 32 | You could pledge like 2$ per video, but set 33 | a 10$ monthly limit, which means you like 34 | to just see more videos, up to five a month. 35 | That means less effort, but more output. 36 | For example basic tutorial series.
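An added example for the BigQuery transcript above (Xml4Gx3huag.txt), not code from the video: the same key-shaped regex the video describes (a 5, then H/J/K, then base58 characters, with no base58 character directly before or after) together with the validity check the video's script performed, a base58check decode of the uncompressed WIF format, so that a secret scanner run over a repository before pushing reports only real keys rather than every 51-character string. The sample key and text are constructed.

```python
import hashlib
import re

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_CHAR = r"[1-9A-HJ-NP-Za-km-z]"
# Uncompressed WIF keys are 51 base58 characters starting with 5H, 5J or 5K.
# The lookarounds play the role of the video's "start of line or not a
# regular character" guards so the pattern does not fire inside other text.
WIF_RE = re.compile(rf"(?<!{B58_CHAR})5[HJK]{B58_CHAR}{{49}}(?!{B58_CHAR})")


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(raw) - len(raw.lstrip(b"\x00"))   # leading zero bytes become '1'
    return "1" * pad + out[::-1].decode()


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ord(ch))   # ValueError on a bad char
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def wif_encode(privkey: bytes) -> str:
    """Uncompressed WIF: 0x80 version byte, 32 key bytes, 4 checksum bytes."""
    if len(privkey) != 32:
        raise ValueError("private key must be 32 bytes")
    payload = b"\x80" + privkey
    return b58encode(payload + sha256d(payload)[:4])


def is_valid_wif(candidate: str) -> bool:
    """True only if the base58check checksum verifies; that is what separates
    a real key from a random string that merely has the right shape."""
    try:
        raw = b58decode(candidate)
    except ValueError:
        return False
    if len(raw) != 37 or raw[0] != 0x80:
        return False
    return sha256d(raw[:-4])[:4] == raw[-4:]


def scan_for_wif(text: str) -> list:
    """Return (candidate, checksum_ok) for every WIF-shaped string in text."""
    return [(m.group(0), is_valid_wif(m.group(0))) for m in WIF_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed key material: never a real wallet.
    demo_key = wif_encode(bytes(range(1, 33)))
    leaked_file = f'# constructed config\nWALLET_KEY = "{demo_key}"\n'
    print(scan_for_wif(leaked_file))
```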
37 | But if you would pledge 10$ with a 10$ limit, 38 | then you clearly tell me: “take your time, 39 | I rather would have one single high quality 40 | in-depth video per month”. 41 | So this allows me to clearly justify how many 42 | days of work should go into a particular video. 43 | Up until now I think I have never skipped 44 | a week for a video. 45 | Not during any holidays, crazy work weeks, 46 | vacations or when I got sick. 47 | AND there were weeks with bonus videos. 48 | So it’s understandable that you as a monthly 49 | supporter might expect I deliver every week. 50 | But. 51 | I have dealt with this stress for a long time 52 | now, and I actually would like to not feel 53 | this stress anymore. 54 | So keep in mind that a video every week is 55 | not a guarantee. 56 | However with a per video pledge I would only 57 | receive money if I make videos, so then it’s 58 | no problem. 59 | And this leads me to expectations in general. 60 | when somebody pledges 5$ per video, and then 61 | I publish a video about a boring topic, or 62 | I cut a CTF video write-up into multiple parts, 63 | they might feel cheated out of 5$. 64 | So… this is very important. 65 | before you support me in any way, be it monthly, 66 | or be it per video, I want to make it clear, 67 | please don’t have any expectations. 68 | I’m already extremely stressed out by trying 69 | to balance what are essentially two full-time 70 | jobs. 71 | I really cannot add more stress in my life 72 | by having possibly hundreds of people with 73 | even more expectations. 74 | So please only click on the Join button if 75 | you think the LiveOverflow channel has retroactively 76 | qualified for your support, by having released 77 | hundreds of videos in the past. 78 | And please go check them out, I think there 79 | are many great ones that so few people have 80 | seen because they are older. 81 | So… whatever you will decide, thanks for 82 | even considering supporting LiveOverflow.
83 | Oh and also, if you are a student or you don’t 84 | have the means to spend a few dollars, that 85 | is totally fine and that’s why I try to 86 | keep videos free in the first place. 87 | However if you are an overpaid security professional, 88 | sysadmin or developer and my videos have helped 89 | you in your job or career, you know… it 90 | would be nice. 91 | To summarize, sorry for the underwhelming 92 | rewards structure. 93 | What an amazing sales pitch, right! 94 | But I just don’t want to promise anything 95 | and then disappoint. 96 | So let’s see how this goes, this is an experiment 97 | for me and I’m sure things will evolve and 98 | change over time. 99 | -------------------------------------------------------------------------------- /yt.py: --------------------------------------------------------------------------------

```python
import os
import requests
from youtube_transcript_api import YouTubeTranscriptApi


headers = {
    "x-origin": "https://explorer.apis.google.com",
}

# YouTube Data API key, read from the environment so it is never committed
KEY = os.environ.get("KEY")


# return YouTube channel id via handle or False if failed
def scraping_get_channel_id_from_handle(handle: str):
    url_channel = f"https://youtube.googleapis.com/youtube/v3/search?part=snippet&maxResults=1&q={handle}&type=channel&key={KEY}"
    response = requests.get(url_channel, headers=headers)
    j = response.json()
    if 'items' not in j:
        return False
    return j['items'][0]['snippet']['channelId']


def get_captions(video_id):
    # fetch the English transcript with youtube_transcript_api and store it
    # as one caption per line in transcripts/<video_id>.txt
    try:
        transcript_list = YouTubeTranscriptApi.list_transcripts(video_id)
        transcript = transcript_list.find_transcript(['en'])
        transcript_text = transcript.fetch()
    except Exception:
        # no transcript, or no English one, for this video
        return

    transcript_filename = f"transcripts/{video_id}.txt"
    with open(transcript_filename, "w", encoding="utf-8") as f:
        for t in transcript_text:
            f.write(t['text'].strip() + "\n")
    print(transcript_filename)


def get_captions_api(video_id):
    # list the caption tracks through the Data API, preferring the
    # auto-generated ("asr") track, then fetch that track's resource
    url_captions = f"https://content-youtube.googleapis.com/youtube/v3/captions?videoId={video_id}&part=snippet&key={KEY}"
    response = requests.get(url_captions, headers=headers)
    j = response.json()
    if 'items' not in j:
        print(f"cannot get captions: {video_id}")
        return False
    caption_id = None
    for item in j['items']:
        if not caption_id:
            caption_id = item['id']
        if item['snippet']['trackKind'] == 'asr':
            caption_id = item['id']
    if not caption_id:
        print(f"cannot find captions: {video_id}")
        return []
    url_caption = f"https://youtube.googleapis.com/youtube/v3/captions/{caption_id}?key={KEY}"
    response = requests.get(url_caption, headers=headers)
    j = response.json()
    print(j)
    return j


def list_videos(channel_id, **kwargs):
    # resolve the channel's "uploads" playlist and page through it 50 items
    # at a time; returns the raw playlistItems resources
    if not channel_id:
        return []
    part = "snippet,contentDetails,statistics"
    url_channel = f"https://www.googleapis.com/youtube/v3/channels?part={part}&id={channel_id}&key={KEY}"
    response = requests.get(url_channel, headers=headers)
    j = response.json()
    if 'items' not in j:
        print(response.text)
        print(f"cannot find channel: {channel_id}")
        # maybe a handle was passed instead of an id: look it up and retry
        return list_videos(scraping_get_channel_id_from_handle(channel_id))
    playlist_id = j['items'][0]['contentDetails']['relatedPlaylists']['uploads']

    videos = []
    pageToken = None
    while True:
        url_playlist = f"https://content-youtube.googleapis.com/youtube/v3/playlistItems?maxResults=50&playlistId={playlist_id}&part=contentDetails%2Csnippet&key={KEY}"
        if pageToken:
            url_playlist += f"&pageToken={pageToken}"
        # note: the URL contains the API key, so this print ends up in logs
        print(url_playlist)
        response = requests.get(url_playlist, headers=headers)
        j = response.json()
        if 'items' not in j:
            # report this page's response and stop instead of crashing on j['items']
            print(response.text)
            print(f"cannot load playlist: {channel_id}")
            break
        videos += j['items']
        if 'nextPageToken' in j:
            pageToken = j['nextPageToken']
        else:
            break
    return videos


def video_details(video_id):
    # snippet, contentDetails and statistics for a single video, or None
    video_url = f"https://content-youtube.googleapis.com/youtube/v3/videos?part=snippet%2CcontentDetails%2Cstatistics&id={video_id}&key={KEY}"
    response = requests.get(video_url, headers=headers)
    j = response.json()
    if 'items' not in j:
        print(f"cannot find video: {video_id}")
        print(response.text)
        return None
    return j['items'][0]
```

-------------------------------------------------------------------------------- /liveoverflow_transcripts/2pqHsW3yNlA.txt: -------------------------------------------------------------------------------- 1 | Over the course of 4 videos we have reverse 2 | engineered the key verification algorithm 3 | implemented in Pwn Adventure 3. 4 | Now we know all steps involved to verify it, 5 | and we simply have to implement it in reverse 6 | order. 7 | There are two major algorithms that we have 8 | to reverse. 9 | One is the custom base32 decoding, but that 10 | should be fairly simple, it’s just encoding. 11 | And the other one is an RSA decryption. 12 | And reversing RSA, or getting the private 13 | key is usually not possible, but in this case 14 | a very small key size is used for RSA, so 15 | we are able to get the prime factors of the 16 | modulus easily. 17 | Which means we get p and q and then are able 18 | to recover the private key. 19 | We have done this in the hardware video so 20 | check that one out for more details. 21 | So in the final loop we compare the rsa decrypted 22 | result with the buffer combined out of the 23 | string PWNADV3 and 4 bytes. 24 | Those 4 bytes were from our user input. 25 | So basically the first 12 bytes of our input 26 | are being decrypted, and they have to decrypt 27 | to PWNADV3 + the 4 remaining bytes.
This means we start by choosing 4 bytes, combine it with the PWNADV3 string and encrypt that. The RSA encryption result will be the 12 first bytes of our input, and the last 4 bytes are the 4 bytes that we chose. And then that buffer is base32 encoded with our custom base32 encoding and alphabet, and that is our key. Pretty simple basics, right? But there are a few details we still have to figure out. For example one byte of the 4 bytes taken from our input is actually ANDed with 0x3, and also the 4 bytes are then being shifted to the right and then xored with 0x2badc0de. Also the 4 bytes and the 12 bytes are obviously overlapping by one, but yeah.

So here I wrote the keygen in JavaScript. I reimplemented the whole RSA encryption, or to be more specific, I reimplemented the modulus exponentiation with the same algorithm the assembler code in the last episode used. Including the add and subtract and so forth. So if you had trouble understanding those algorithms last time, you can use my JavaScript implementation and add debug outputs and play around with it. Anyway. So here we generate the 4 random bytes. This buffer is the "PWNADV3" string and we combine those two. Then we have to apply the xor and the shift and pass that to the RSA encryption. Afterwards we have to combine the result with the 4 bytes from the beginning and we are almost done. To repeat myself for the tenth time or so, this is the buffer that will be split up: the first 12 bytes are being decrypted with RSA, and the last 4 bytes will be combined with PWNADV3 and compared to the decrypted result. So, here we have the output, which we now just have to base32 encode, with the custom encode function, and then also calculate the checksum.
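The keygen idea above (recover p and q from an undersized modulus, derive the private exponent, then run the verifier's check backwards) as an added worked example in Python. This is not the video's JavaScript keygen and not Pwn Adventure 3 code: the modulus, the exponent, the 3-byte tag standing in for PWNADV3, the 8-byte RSA block and the 4 chosen bytes are all constructed and scaled down so that Pollard's rho factors n in well under a second; the AND/shift/xor step, the custom base32 alphabet and the checksum are left out. What it shows is the security point of the transcript: once n factors, anyone can mint values that pass the check.

```python
import math

E = 65537      # exponent the demo verifier applies (constructed)
TAG = b"PWN"   # stands in for the game's "PWNADV3"; shortened so tag + 4 bytes fits the small modulus


def is_prime(n):
    """Deterministic trial division; fine for the ~30-bit numbers used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


def pollard_rho(n):
    """Return a non-trivial factor of the composite n (Floyd cycle finding)."""
    if n % 2 == 0:
        return 2
    c = 1
    while True:
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
        c += 1  # cycle collapsed without a factor: retry with another polynomial


def recover_private_exponent(n, e):
    """The attacker-side step from the transcript: factor n, then derive d from phi(n)."""
    p = pollard_rho(n)
    q = n // p
    d = pow(e, -1, (p - 1) * (q - 1))
    return d, (min(p, q), max(p, q))


def build_demo_modulus():
    """Constructed, deliberately undersized (~59-bit) modulus playing the game's role."""
    p = next_prime((1 << 29) + 1000)
    q = next_prime((1 << 29) + 50000)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    return p * q, p, q


def verify_key(key, n, e):
    """Verifier as the transcript describes it: decrypt the leading block and compare it
    against TAG + the trailing 4 user-supplied bytes."""
    if len(key) != 12:
        return False
    c = int.from_bytes(key[:8], "big")
    decrypted = pow(c, e, n)
    return decrypted == int.from_bytes(TAG + key[8:], "big")


def forge_key(chosen, n, d):
    """Keygen: run the verifier's check backwards with the recovered d."""
    assert len(chosen) == 4
    m = int.from_bytes(TAG + chosen, "big")   # 7 bytes < n, so RSA round-trips exactly
    c = pow(m, d, n)
    return c.to_bytes(8, "big") + chosen


if __name__ == "__main__":
    n, p, q = build_demo_modulus()
    d, factors = recover_private_exponent(n, E)
    key = forge_key(b"\xde\xad\xbe\xef", n, d)
    print("factors recovered:", factors == (p, q))
    print("forged key:", key.hex(), "accepted:", verify_key(key, n, E))
```

With real key sizes `pollard_rho` would never finish; the whole scheme rests on the factoring gap, not on anything else in the check, which is why the tiny modulus is the actual weakness.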
Here you can see the base32 encode and decode function. And you can also see the divide by 8, modulo 8 and bit shifting that was implemented in assembler. So maybe you can understand it better seeing this in code. After all that we just have to print it. That's it.

So like I said, I have implemented this in JavaScript, so you can find the website here to generate keys! Let's get a key and submit it. We copy it. Enter your unlock code below and BOOM. Acquired Flag of the Pirate! We also got a ROP Chain Gun. 1337 Machine Gun. The Ridiculously Overpowered Chain Gun is especially effective against stacks of enemies. Smash 'em and stack 'em. And here is the Flag of the last real challenge. Flag of the Pirate. The key is "Avast! Ya got my arr es eh." Awesome. We have now completed almost all challenges. Only one left. "Overachiever". One last tip. You can also look at the JavaScript source code and play around with it. Maybe compare it to the equivalent assembler code to study how this stuff is implemented in assembler. See you soon for the finale.

--------------------------------------------------------------------------------
/liveoverflow_transcripts/sm_cgvnzJ5M.txt:
--------------------------------------------------------------------------------
Hey, some of you asked how I make my videos. So I want to take you along the process of creating one of my episodes. I know that some parts could be more efficient if I knew better tools. So while I obviously would like to show you how I create videos, I'm also looking forward to getting some tips and tricks on how to do things differently. And maybe become more efficient or create more beautiful videos. The video creation process can be divided in 3 big steps.
14 | Write the script. 15 | Record screen footage, fix mistakes in the 16 | script, and then record the audio. 17 | And finally, as last step, edit the whole 18 | video and draw all the graphics. 19 | Ok. 20 | First step is researching and writing the 21 | script. 22 | Usually I start by opening up a google docs 23 | and start writing. 24 | And then I get into a research, try it, write 25 | it - loop. 26 | In this case I make the second episode about 27 | the dlmalloc heap unlink exploit. 28 | Which is heavily based on phrack issue number 29 | 57 article “once upon a free()” and “vudo 30 | malloc tricks”. 31 | In the last video we developed our own exploit 32 | for unlink which won’t work because of null-bytes, 33 | so I thought as a narrative for this video, 34 | it would be cool to just explore what the 35 | researchers back then discovered and expose 36 | my audience to the true heroes from hacking 37 | history. 38 | So I reread what they were writing back then 39 | and try to think about how I could present 40 | it in a video. 41 | The key lesson from this video will be about 42 | setting the size of the heap chunk to a value 43 | that doesn’t contain 0-bytes, which seems 44 | huge at first, but you can abuse the fact 45 | how negative numbers work. 46 | While writing the script I always read it 47 | out loud to see how it flows, and then make 48 | changes to it. 49 | At this point I may also fire up the exploit-exercises 50 | protostar VM and try it out. 51 | Just to make sure I get it right. 52 | Usually I will catch some mistakes in my script 53 | now and modify it. 54 | Once I’m confident I got everything working, 55 | I make notes of the commands I’m going to 56 | use and put them on a second monitor. 57 | For this particular video this first part 58 | of researching, writing the script and trying 59 | it out, took me roughly 3 hours. 60 | Next step is recording the exploit development. 61 | To record my screen I use OBS and a lower 62 | framerate. 
63 | Because high framerates are not really necessary 64 | and it makes the files smaller, so easier 65 | to work with and store. 66 | For this particular video there will be quite 67 | a big chunk just explaining stuff with figures. 68 | So the practical part that I have to record 69 | is not too long. 70 | And with my notes and the script it should 71 | be done quickly. 72 | If I make mistakes during recording I either 73 | decide to incorporate them into the script, 74 | because I like to have them as a learning 75 | opportunity. 76 | Or I have to redo the segment. 77 | During recording I realized that I should 78 | change some of the text, so I refine the script 79 | again. 80 | Now I open up my little template that has 81 | the intro and outro in it and record the audio 82 | of the script. 83 | This whole part of recording the video screen 84 | footage and the audio, with refining the script 85 | took in this case maybe 1h. 86 | The practical part was not too long. 87 | Next up is editing the stuff with all the 88 | graphics. 89 | That’s the most tedious part. 90 | After my first couple of videos I really wanted 91 | to add more visuals. 92 | An arrow or a box around something important 93 | goes a long way in my opinion. 94 | You find some older videos of mine where I 95 | tried to do this with editing directly in 96 | Sony Vegas. 97 | But that was super slow and looked crap. 98 | I have not that much experience with video 99 | editing, so the only thing I knew I could 100 | do easily would be to get a graphics tablet 101 | and draw them by hand. 102 | The process is simple, I can take a screenshot 103 | of the current scene in vegas, paste it into 104 | photoshop, draw the overlay on a new layer, 105 | save only that layer and put it onto the video 106 | timeline. 107 | This is what I do with any graphic. 108 | It’s fairly quick and I kinda like the resulting 109 | art style. 
110 | After the editing, which in this case took 111 | like 4 hours, I render the video and upload 112 | it. 113 | So creating this one episode took about 8 114 | hours. 115 | Sprinkle some procrastination in there, and 116 | I will be busy a whole day. 117 | See you next time, for another technical video 118 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/k4MnqaYZIY4.txt: -------------------------------------------------------------------------------- 1 | StereoBucket, on twitter, sent me a private 2 | message about an easter egg he found in the 3 | VLC player. 4 | After a video is finished VLC shows the VLC 5 | logo. 6 | But when he watched the Kill Bill movie, after 7 | the film ended, it showed this. 8 | A little Kill Bill easter egg. 9 | It made his day. 10 | But it also made him wonder about the implementation. 11 | He quickly figured out that it works with 12 | any video that has “kill bill” in the 13 | title, so that is a very good information 14 | to narrow down how it could be implemented. 15 | But let’s quickly reproduce it. 16 | So here is a regular video that we can open 17 | in VLC and when we reach the end, we will 18 | get the logo. 19 | That’s the normal logo. 20 | Now simply changing the filename as I do here, 21 | doesn’t work. 22 | It’s still the old logo. 23 | But if we go into the file properties and 24 | edit the metadata Title, and then open it, 25 | go to the end, then we reproduce the easter 26 | egg. 27 | Over my own career in programming and IT I 28 | used to never look at source code of things. 29 | I was scared, or maybe just intimidated by 30 | it? 31 | I never looked into the sources of frameworks 32 | I used, or even programs I used. 33 | Nowadays I do that quite frequently, because 34 | a lot of basic stackoverflow questions can 35 | be avoided if you just read the source code. 
36 | So I thought maybe I can help you to lose 37 | some of the fear by showing you a great example. 38 | Let’s start by looking for the VLC source 39 | code. 40 | I’m not sure if I’m just dumb, but I think 41 | the the source code is way too much hidden 42 | here. 43 | Come on, it’s an open source project, be 44 | more proud of your code! 45 | Anyway. 46 | Here is the repository link. 47 | So StereoBucket obviously tried to search 48 | for Kill Bill in the VLC source code, but 49 | wasn’t successful. 50 | I tried to look into memory when vlc is running 51 | and still no luck. 52 | I’m currently trying to find mentions in 53 | the source code, but they either hit it well 54 | or I’m just bad at this. 55 | Nah you are not bad, it’s of course not 56 | easy to quickly head into a large code base 57 | and find exactly what you are looking for, 58 | especially if it’s an easter egg that that 59 | they maybe tried to hide.. 60 | I wanted to see if there’s perhaps more 61 | easter eggs of this kind, or at least find 62 | how they hid it. 63 | That’s a really cool project. 64 | So I quickly use the GitHub tool to clone 65 | the repository, which takes a bit, it’s 66 | quite large and I have here Visual Studio 67 | where I open the cloned folder. 68 | And as you can see, if we search for kill 69 | bill we don’t anything. 70 | Unfortunately I didn’t find the time to 71 | look myself, but a bit later StereoBucket 72 | came back to me and found it! 73 | Here is how he described his approach: 74 | I stopped being dumb and looked for the image 75 | that was used. 76 | See, that’s a clever approach. 77 | The goal is to find the easter egg, and sure 78 | searching for kill bill is one way, but you 79 | could also look for the image instead. 80 | And yeas, we find the filename referenced 81 | here. 82 | Then I just traced the name of the image to 83 | an alias and that alias to the file where 84 | it's mentioned. 
85 | And we do the same, follow that alias here, 86 | leads us to this here. 87 | And that’s it. 88 | Initially i just tried looking for any mentions 89 | of kill bill, or kill, or bill. 90 | Which doesn't work since as you can see, they 91 | split the string with comments. 92 | I know, it’s like super simple, right? 93 | But this doesn’t mean me or everybody else 94 | will do that right away. 95 | It also took StereoBucket quite a bit. 96 | And I think that’s just such a great example 97 | of how the mind slowly finds the right approach. 98 | I went as far as compiling vlc myself to see 99 | if it's going to appear then, and then it 100 | hit me, if it's going to appear, obviously 101 | the file is in one of the folders in the source. 102 | Cool… 103 | I really like that. 104 | And he also adds, 105 | Sadly this confirms that there aren't any 106 | other easteregg cones :\ 107 | I guess there aren’t, except of course the 108 | christmas one, but if I remember correctly, 109 | that always appears around christmas. 110 | Nothing hidden. 111 | Now he also tweeted his finding. 112 | I've found the code responsible. 113 | The VideoLan devs split the string, making 114 | it harder to find with naive search attempts 115 | I tried first. 116 | And VideoLan responded. 117 | Good catch! 118 | Also KiBps could be something valid! 119 | Ki Bps. 120 | Bi directional. 121 | Does it mean something. 122 | Is more hidden here? 123 | Maybe? 124 | That will remain a mystery. 125 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/zoyK33-IcD4.txt: -------------------------------------------------------------------------------- 1 | TROOPERS is a security conference in Heidelberg 2 | Germany which I attended in 2017. 3 | One fun event that happens there every year 4 | is Packetwars, it’s kind of like a CTF competitions 5 | during one evening, but only for a few teams. 6 | And I didn’t have a group to play with. 
But it was held in this restaurant we were all at, and the task was shown on a beamer. This was one. Battle I: Whale Spotting. Identify the email address of @darealtrump and achieve bonus objectives on the way. We have 45 minutes to solve it. And we get points for various objectives: some for the email address, for evidence of whistleblower assassination, and if we identify a favorite coffee shop to organize a boycott. So my friend TheVamp and I had nothing else than our phones, but we were really craving to play. So we tried it.

First we looked up the obvious twitter handle and found this account. Oh, and this is all going to be screenshots I made from my phone while playing. The latest tweet we can find says that we should ignore the tweet before, because it was not relevant. So obviously the first step is to look into, for example, the web archive, because we hoped it had saved the deleted tweet. And yeah, there was. It was a URL to some kind of report. We clicked on it and downloaded the pdf. Unfortunately certain parts were blacked out, but I assumed they were just overlays, because that's such a typical pdf redaction fail. So I simply tried to copy the whole page into a notes app. And yeah, that worked, it revealed the text underneath. But it turned out that the text was actually an image. And it had this cipher text on it, which looked like some kind of simple substitution cipher like caesar or vigenere. So we had to get the text out of the image and we didn't want to type it on the phone. So we pulled up an online OCR service and uploaded the image. And now we copied the text into an online cipher solver, which bruteforces the key and applies some heuristic to check if the result sounds like valid english. And we got this text out.
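The online solver step described above, as an added Python example (not the tool the speaker used, and not the challenge's text): brute-force all 26 Caesar shifts and rank the candidates with a chi-squared test against English letter frequencies. The sample ciphertext is constructed inline, with a stray digit standing in for an OCR misread; non-letters pass through untouched and are ignored by the scorer, which is what makes the heuristic tolerant of imperfect OCR.

```python
from collections import Counter

# English letter frequencies in percent for a..z (the usual published table).
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153,
                0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056,
                2.758, 0.978, 2.360, 0.150, 1.974, 0.074]


def caesar_shift(text, k):
    """Shift letters forward by k; digits, punctuation and OCR debris pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text):
    """Chi-squared distance between the letter histogram of text and English; lower is better."""
    letters = [ch for ch in text.lower() if "a" <= ch <= "z"]
    if not letters:
        return float("inf")
    counts = Counter(letters)
    total = len(letters)
    chi2 = 0.0
    for i, expected_pct in enumerate(ENGLISH_FREQ):
        expected = expected_pct * total / 100.0
        observed = counts.get(chr(97 + i), 0)
        chi2 += (observed - expected) ** 2 / expected
    return chi2


def crack_caesar(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the most English-looking candidate."""
    best = None
    for k in range(26):
        candidate = caesar_shift(ciphertext, -k)
        score = english_score(candidate)
        if best is None or score < best[0]:
            best = (score, k, candidate)
    return best[1], best[2]


# Constructed sample (not the challenge text), shaped like an OCR pass of a scanned line,
# including a stray "1" where a character was misread.
PLAINTEXT = "after some further research we located the deleted tweet in the web archive and 1 report"
CIPHERTEXT = caesar_shift(PLAINTEXT, 7)

if __name__ == "__main__":
    print("ciphertext:", CIPHERTEXT)
    print("cracked:   ", crack_caesar(CIPHERTEXT))
```

A Vigenere key would need the same scorer applied per key-length column, which is what the online solvers do; the single-shift case is enough to see why a frequency heuristic beats eyeballing 26 candidates on a phone.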
55 | It’s not quite perfect because the key is 56 | a bit jumbled and maybe OCR was also not perfect, 57 | but you can guess most of the text: 58 | After some further research, blah blah, and 59 | eliminate them. 60 | So that is evidence of assassination and we 61 | solved that task. 62 | But there were more tasks, so where is the 63 | other stuff? 64 | We checked back to the web archive and found 65 | another entry of deleted tweets, with the 66 | favorite coffee shop starbucks, which was 67 | another task. 68 | And what looks like login credentials. 69 | So we logged into this account, I tweeted 70 | that I was here, got the account’s email 71 | from the settings and we solved the last part. 72 | And now comes the not so humble brag. 73 | We were faster than the actual teams! 74 | I think the reason for that might be, that 75 | with a phone you are sooo limited that you 76 | can’t try out crazy stuff. 77 | Steganography, metadata and so forth is just 78 | out of reach, so we only tried what was possible 79 | for us and got lucky. 80 | I’m sure the other teams over complicated 81 | things because they had laptops. 82 | I think it’s something to keep in mind but 83 | it was really fun to solve something like 84 | this on just a phone. 85 | Because we solved it first, the organizers 86 | even gave us the flag for participating, even 87 | though we were not officially part of packetwars. 88 | So that was really awesome! 89 | And we also got this awesome shout-out at 90 | the end of the conference when they were announcing 91 | the winners. 92 | The actual first people to solve the first 93 | challenge were the spectators. 94 | So our players actually got off to kind of 95 | a rough start. 96 | Are those two guys out here? 97 | That’s us! 98 | We were sitting somewhere ther here in the 99 | back. 100 | OK! 101 | Let’s hear it for those guys, because... 102 | And they did a debrief much better than I 103 | or mathias could ever do. 
104 | I think you gave me the debfrief and all the 105 | proofs in about 45 seconds. 106 | So I think you have a future in this sports! 107 | I really appreciate it, that was really fun. 108 | So i can only recommend the TROOPERS conference 109 | in heidelberg. 110 | It’s a solid conference and if you have 111 | a chance to go there, you should. 112 | Unfortunately it’s a professional conference 113 | which means ticket prices are really high 114 | and not something you generally buy privately, 115 | but the cool thing is they have limited spots 116 | available for students and you can write a 117 | motivational letter and maybe get a free ticket. 118 | So that’s really cool and I encourage you 119 | to do that.` 120 | -------------------------------------------------------------------------------- /liveoverflow_transcripts/GSraDuD4ziQ.txt: -------------------------------------------------------------------------------- 1 | Hey, so in the past weeks I have been working  2 | on a really cool pentest project that I want 3 | to tell you about. For this I even got  4 | a 12 core server with 128 GB of RAM. 5 | I want to share each step along the way, so  6 | you can follow along and learn too. Though, 7 | maybe some experienced viewers could  8 | already guess what this is about. Of 9 | course this is going to be another Pentesting  10 | video, like every year! So let’s spin it! 11 | Guys I’m in, we’re live, go on go for it! 12 | Hello. We are sick of this  13 | LiveOverflow getting all the 14 | views. So we decided to take it over. Our  15 | YouTube channels are much better anyway. 16 | Uh oh, I think we’re losing it! 17 | ZetaTwo has made some great Pwny Racing  18 | videos, where multiple hackers try to 19 | exploit the same binary. So you can all watch  20 | and learn from their different approaches. 21 | InsiderPhD makes lectures about web security  22 | that she has tricked people to watch as 23 | “entertainment”. 
Get out your notebook, and a  24 | pen, and make sure you’re sitting near the front. 25 | Codingo teaches you how to use various  26 | security tools and do bug bounties well, 27 | so you may have reports worthy enough of  28 | a boom signoff. Has a giveaway addiction. 29 | Hacksplained serves you easy to  30 | digest web app security slices of cake 31 | directly to your table! #bugbountytips included 32 | PinkDraconian makes walkthroughs of good  33 | challenges, the ones that are actually 34 | useful in real life scenarios or that teach you  35 | the skills needed to go hunting in the wild! 36 | Who would’ve guessed  37 | LiveOverflow’s security question to 38 | “What is your maiden name” is “‘ OR  39 | 1=1 -- -”, SQL injections are so 2017… 40 | Rana Khalil mainly makes videos about  41 | web security related topics but will 42 | occasionally cover topics related  43 | to infosec certs she’s pursuing. 44 | Farah Hawa makes videos explaining  45 | some complex web hacking techniques 46 | with a beginner friendly approach. 47 | Superhero1 loves CTFs, hardware hacking and 48 | the cool stuff that is hard to  49 | find or to learn on your own. 50 | Pwnfunction creates videos on Binary Exploitation  51 | and Web Security but with better drawings than 52 | Liveoverflow. Pwnfunction is also a level 1337  53 | Hacker, unlike liveoverflow who's level noob. 54 | When I got into LiveOverflow's system, I  55 | had a look at his files. Why does he have 56 | so many pictures of pens? He really is  57 | just obsessed with pentesting, isn’t he? 58 | The XSS Rat goes in depth on all  59 | those “cheesy” bug bounty topics 60 | AshF0x learns Binary Exploitation  61 | and Coding while on stream. Fun fact: 62 | Every second one of his Hardware  63 | projects bursts into flames. 64 | John Hammond showcases capture  65 | the flag videos, wargames, 66 | security conferences, malware analysis and more. 
67 | BlindHacker Does career and resume workshops, 68 | while still bringing hacking AMA’s  69 | to the table for education and fun. 70 | Sometimes when pwning something, it can feel  71 | like they laid out a welcome mat for you, 72 | but for LiveOverflow, it felt like he hang out a  73 | banner saying: Welcome, please pwn me. So easy! 74 | Cybersecurity Meg says “I’m stoked” way too much  75 | while she creates videos about getting into the 76 | Cybersecurity field, and provides guides  77 | on passing popular security certifications. 78 | Reconless does reconnaissance.  79 | Just kidding it’s reconlESS! 80 | 247CTF combines beginner security topics  81 | with CTF's, crypto and game hacking. 82 | Hey guys it’s DC Cybersec here  83 | and I want to help encourage YOU 84 | to grow in cybersec. Much more  85 | than mr overflow has, anyway :P 86 | Who would've known that I would be following  87 | a LiveOverflow tutorial to pwn LiveOverflow... 88 | Lupin mostly streams on  89 | Twitch but in the near future, 90 | some good content will be released  91 | on the Youtube channel. Stay tuned ;) 92 | Stacksmashing creates in-depth  93 | videos on embedded-security, 94 | reverse engineering & hardware hacking 95 | CryptoCat produces CTF challenge walkthroughs  96 | aimed at beginners. Although they focus on 97 | Binary Exploitation, Reverse Engineering and  98 | Offensive Security.. No topics are off limits :) 99 | Tib3rius mostly creates videos about  100 | web application penetration testing, 101 | and uploads edited versions of his Twitch streams 102 | which usually cover TryHackMe rooms  103 | and Portswigger Web Academy content. 104 | Hey, thanks for checking out this video. This  105 | video was actually edited by codingo. So huge 106 | thanks to him. And of course a huge thanks to  107 | all the other security creators who participated 108 | in this project. 
Thanks to them we now have a large list of YouTube channels you should put on your blocklist in the description. Of course this was only an April fools video, I would never recommend to you to watch these terrible channels with really bad hacking videos - they are awful. Of course I want you to only watch quality, so just watch my videos.

--------------------------------------------------------------------------------
/liveoverflow_transcripts/0exSe-PAhns.txt:
--------------------------------------------------------------------------------
If you watched the two-part video about the exploitation challenge from the RHme3 qualifier then you know I had some wrong assumptions about the heap. This is what I said in the video: we just have to find a sequence of operations where we get control of this pointer. In general this should happen when we create some players, select one, remove some and add some again. As you can see, I imagined this is like the old school dlmalloc heap with these basic chunks: when you free them they are usually combined again to bigger free chunks and thus you can allocate a new much bigger one in its place and write anything in that place. But this is not what is happening.

I know fast bins exist, but how the heap algorithm really works was not clear to me and I never really spent time reading about it. So what are fast bins? Free chunks are stored in various lists based on size and history, so that the library can quickly find suitable chunks to satisfy allocation requests. This is already very different from the old-school heap, as now the size of the allocated area decides what kind of strategy is used to manage the heap. You can imagine that there are different optimized algorithms depending on how you use the heap. The lists are called bins and they are, for example, fast bins: these are small chunks stored in size-specific bins. Chunks added to a fast bin are not combined with adjacent chunks; the logic is minimal to keep access fast, hence the name. Chunks in the fast bins may be moved to other bins as needed. Fast bin chunks are stored in a singly linked list.

AHA. Another page says about fast bins: there are ten fast bins. Each of these bins maintains a singly linked list. Addition and deletion happen from the front of this list, last in first out. Each bin has chunks of the same size; the 10 bins have chunks of size 16, 24, 32, 40, 48, 56, ... Sizes mentioned here include metadata as well; to store chunks, 4 fewer bytes will be available (on a platform where pointers are 4 bytes). Only the prev_size and size field of the chunk will hold metadata for allocated chunks; prev_size of the next contiguous chunk will hold user data. No two contiguous free chunks coalesce together.

So what this means is that the player structure, which contains the stats and the name pointer, is so small that it will be organized by such a bin, and the use-after-free issue here is that we have a pointer into such a freed bin. That's why our strategy is actually to make sure that we allocate data that goes into the same bin as the player struct was in before. Basically we want to make sure that the name we enter ends up in the place of the player struct, so the name has to have the same size, or a size that is placed in the same bin as the player struct. So what is actually happening with the exploit is this: we add two players with 32 byte names. Now the player structs are placed in the same bin with their size of 24 bytes, but the names are larger and go in another bin. Now we select the second player, so we have the reference to this bin. Then we free the two players and now we allocate a new player with a name of length 19, which means I chose a name that goes into the same bin as a player struct. So the first malloc allocates a player struct and it's placed where the first player struct used to be, and the name, because it is put in the same bin, now gets placed here, which used to be the player struct of the second player. Thus we can control the name pointer. Now I think that makes so much sense, I'm glad I understood it now.

I wanted to mention one more thing. After the qualification round was over I went on IRC and talked to the other players, and that's when some really awesome people explained to me what was going on. After that I felt kinda embarrassed about how wrong I was in the original video, which I had already edited, but ultimately decided not to change it and instead make this additional video. Because yes, I didn't understand what was going on with the fast bins and my mental picture of the heap was wrong, but I still ended up solving it and I want to share my CTF experience with you, and my experience includes having these wrong assumptions but still solving it. I think this is now a good example of what is always happening in IT security research, because not everything is known and you don't have to know everything before doing stuff. The more experience you have the better you are with educated guesses, and based on my experience with the old school dlmalloc heap, but knowing that the modern heap implementations are a bit more complex, I had a rough plan and it worked out, but in the end it wasn't exactly what was going on. But now I learned, and for the next heap challenge I will have a much better idea.
[Music]
you
[Music]
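An added model of the fast-bin behaviour the transcript quotes, to make the overlap argument concrete; this is not the challenge binary's code and not glibc. The size rule is glibc's request2size() for a 32-bit process; the struct request size, the base address, and the order in which the two players are freed (player 2 first, then player 1, which reproduces the layout the transcript describes) are assumptions.

```python
SIZE_SZ = 4          # size field width on 32-bit glibc
MALLOC_ALIGN = 8     # chunk alignment on 32-bit glibc
MINSIZE = 16


def chunk_size(request):
    """glibc's request2size() for a 32-bit process: user request -> chunk size incl. header."""
    size = (request + SIZE_SZ + MALLOC_ALIGN - 1) & ~(MALLOC_ALIGN - 1)
    return max(size, MINSIZE)


class FastBinHeap:
    """Toy model of the two properties the transcript quotes: freed chunks go to a
    per-size LIFO list, and they are never merged with their neighbours."""

    def __init__(self, base=0x804b008):   # constructed base address
        self.top = base
        self.bins = {}    # chunk size -> stack of freed pointers (last element = last freed)
        self.live = {}    # pointer -> chunk size

    def malloc(self, request):
        size = chunk_size(request)
        stack = self.bins.get(size)
        if stack:
            ptr = stack.pop()      # reuse the most recently freed chunk of this size
        else:
            ptr = self.top         # otherwise carve a fresh chunk off the top
            self.top += size
        self.live[ptr] = size
        return ptr

    def free(self, ptr):
        size = self.live.pop(ptr)
        self.bins.setdefault(size, []).append(ptr)


STRUCT_REQUEST = 20   # assumption: stats fields + a 4-byte name pointer -> 24-byte chunk


def replay_challenge(long_name_len=32, short_name_len=19):
    """Replay the add / select / remove / add sequence and report where everything landed."""
    heap = FastBinHeap()
    players = []
    for _ in range(2):
        struct_ptr = heap.malloc(STRUCT_REQUEST)
        name_ptr = heap.malloc(long_name_len)
        players.append((struct_ptr, name_ptr))
    selected = players[1][0]          # "select the second player": this pointer is kept
    for struct_ptr, name_ptr in reversed(players):   # assumption: player 2 freed before player 1
        heap.free(name_ptr)
        heap.free(struct_ptr)
    new_struct = heap.malloc(STRUCT_REQUEST)
    new_name = heap.malloc(short_name_len)
    return {
        "selected": selected,
        "new_struct": new_struct,
        "new_name": new_name,
        "dangling_overlaps_name": selected == new_name,
    }


if __name__ == "__main__":
    for name_len in (19, 32):
        r = replay_challenge(short_name_len=name_len)
        print(f"name length {name_len:2d}: chunk {chunk_size(name_len)} bytes, "
              f"name buffer overlaps dangling player: {r['dangling_overlaps_name']}")
```

With the opposite free order the new struct, not the name, would land on the dangling pointer; either way the selected player's pointer now aliases memory the program hands back out, which is the use-after-free condition. A 32-byte name goes to the 40-byte bin and never overlaps, which is why the name length was the knob that mattered.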
-------------------------------------------------------------------------------- /liveoverflow_transcripts/kMesRjygnRM.txt: -------------------------------------------------------------------------------- 1 | okay everybody this was it after 23 2 | daily videos this is the final one and I 3 | don't have any content for you in this 4 | video I just wanted to tell you this was 5 | an insane time for me I will probably 6 | never do this again this was completely 7 | ridiculous but also an interesting 8 | experiment I record this video already a 9 | couple of days ahead of the last video 10 | so I can't tell you all the videos that 11 | I've done but make sure to check out the 12 | hax Ember playlist with all the videos 13 | that I've released during this time I 14 | think we got a good mix of technical 15 | videos and also casual videos if you 16 | have a warped perception that I only did 17 | like casual videos also please check out 18 | the whole playlist because then the 19 | recommendations just recommended to you 20 | the other ones but mainly I use this 21 | opportunity to cover a couple of basic 22 | topics and pitfalls and issues that 23 | people had and told me about throughout 24 | the years and I think it's an awesome 25 | addition for the binary exploitation 26 | playlist you also know that I stopped 27 | the weekly regular uploads so there will 28 | be now just sporadic life overflow 29 | episodes and during this time we also 30 | had one regular life overflow episodes 31 | so even for the people that complain 32 | about the casual style of the other 33 | videos there was still one regular video 34 | for you which was perfectly in schedule 35 | like always so don't you get annoyed you 36 | were served as well but anyway nobody 37 | can tell me anything anyway because I do 38 | this just for fun if you don't like 39 | something just unsubscribe I couldn't 40 | care less well the videos were a lot 41 | more casual and longer than they should 42 | have been 
because when I create scripts 43 | and record and edit them properly they 44 | are they would be a lot shorter I do 45 | think I was able to cover a lot more 46 | interesting topics and I think maybe it 47 | lightens up things you know in the end 48 | there's this balance of I don't have 49 | time to make all the videos versus 50 | lowering quality to provide more content 51 | it's difficult to find this balance and 52 | this was a very interesting experiment 53 | for me and I don't know yet what kind of 54 | conclusions I draw with it I will look 55 | at the analytics in like a month or so 56 | and I'm sure we'll update you early next 57 | year 58 | in 2020 but I can kind of guess I will 59 | maybe once in a while do a casual video 60 | like this because it's so fast for me to 61 | produce them compared to a regular 62 | episode that I can for example react to 63 | news or 64 | look over a new vulnerability that was 65 | released or so like these kind of style 66 | videos might be easier to do but of 67 | course my big dedication will always be 68 | the edited and scripted videos with a 69 | deeply technical topic like the iOS 70 | exploit video that we did this month or 71 | just any like CTF video of writeable so 72 | this year was pretty insane for me for 73 | the workload but also as you know the 74 | big chapter in my life closed my master 75 | thesis so I'm ready for next year let's 76 | see what next year brings I think I will 77 | take it a bit more slower next year but 78 | I don't know yet I I don't make any 79 | promises because I will not be able to 80 | keep them anyway I will do whatever I 81 | want to do next year but I hope this 82 | advanced calendar of 24 videos in 83 | December there's very spontaneous and I 84 | guess maybe stupid idea from me was fun 85 | to you I got a lot more positive 86 | comments than I usually get people being 87 | happy about these consistent uploads but 88 | it's not something I will keep doing 89 | this is absolutely 
ridiculous. Also I covered most of those things that were bothering me, that I always wanted to cover, so you know, I basically have a clean slate. There are a lot of thoughts in my head right now. I definitely want to do CTF stuff next year, I hope I get to stream again, continue building the 8-bit computer over here (it's still not finished, so I want to maybe get back into that). I'm also thinking about maybe making a course or so. Maybe I also just become an Instagram influencer at this point, I don't know yet. Long story short, I don't know yet and I will not make any promises for next year. I think it's bad to promise anything or announce any projects that you haven't finished yet, so be surprised what happens next year. I'm sure I will update you when I know anything more concrete next year. I just wanted to ramble in this last video, because it was insane making these episodes and I needed an easy joker card now to just get this 24th video done, so I can say I completed it and I didn't fail. Also, don't get any wrong impressions: I don't care about Christmas at all, it just happened to match the time, and everybody was doing advent calendar stuff, so I kind of felt like, ah well, let's use that as a reason to do that too. If you celebrate Christmas, or celebrate something else, or celebrate nothing, I still hope you have a great couple of weeks and relaxing times. Maybe you can use some of the free time to learn with some of my videos, who knows, play some CTFs. So I hope you enjoyed this, see you soon.
[Music]
--------------------------------------------------------------------------------
/liveoverflow_transcripts/J2XS3m2Ctuc.txt:
--------------------------------------------------------------------------------
So after I posted my video write-up
about the JS Safe challenge from the Google CTF, I got a lot of valuable feedback and some corrections that I think deserve a very quick update video. If you haven't seen that one, this video probably makes not that much sense, so check that out first. So let's quickly go through the different points that were raised by viewers.

First: I had this theory that weird JavaScript namespacing due to the with statement caused the different x values to be passed to the function. One time it was the function itself, one time it is the parameter. But it turns out I got FOOLED! Those are not the same character. The function name x is a regular ASCII x; it is the same character as the x in the hex variable and so forth. But the parameter x is actually a different Unicode character, it's a Cyrillic x. Visually it looks exactly the same, but for the computer it's like it is a completely different letter, and thus a very different variable. And by searching for that Cyrillic x you see that the parameter is used in the inner x, but it's not the x outside. What do we learn from that? Let's not always assume JavaScript is f'ed up; that's actually very logical and probably works in any language exactly like that.

The second kind of correction I got was about the cause of the crash. I couldn't really make sense of it and theorized it had to do with some kind of recursive call of toString or something, but it turns out it is in fact triggered by the toString, but crashes for a very different, much more logical reason. So source is a regex, it's not a string. You see it starts and ends in a slash, not quotes. And the c function takes the length of the first parameter a, and a in this case is source, and a regex doesn't have a length.
So if you write the loop like this, loop until i is equal to the length of source, then yeah, that never happens. The length of source is undefined. i will never be undefined. So you have an endless loop that freezes the tab too long and gets killed. Now if it was written like you usually see a for loop, with a less than, then i would not be less than undefined and the loop would never run. So what do we learn here? Read the code more carefully; if I had debugged that properly I would have understood that better. I actually thought about the regex vs. a string for a bit, but mostly because of toString, and wondered what kind of effect that could have. And I was also confused by the weird way the for loop is written, but I ignored it as a style choice of the author. So I saw all the traces, but didn't get to the correct conclusion. Shame on me.

And another feedback I got was about my comment on namespacing, saying that the let statement binds variables to a block scope and I should use that instead. However, in this case a var variable would have achieved the same result in terms of not influencing each other, because var binds to the function scope and h is its own function. However, in principle there is a difference. let binds even stronger, to a block, so for example inside and outside of a loop. Here is just a quick example to show that var works here as well. So this is basically the skeleton of the JS Safe code to test the variable scoping. We have a function that contains another function and a for loop. The for loop uses a to count up, and the function inside here also uses a. I added some console.log output to see the value of a.
Now in this base example a is counted up to a thousand, which makes the global value of a 1000, and that is then also still used inside the function h. And setting a in there also influences the a outside. If we now add the var statement as I suggested in the video, then the scoping would change slightly, separating the a inside of the function h from the other a. So a at this point is obviously undefined, and setting it also doesn't affect the global a. The same result is achieved with using let here, and sure, let is also a good solution. However, if I'm nitpicky, I'd argue that in this case we don't want block level separation, we want to separate a based on the function used. And in this case I think var is the better choice? Anyway. I'm not a JavaScript expert. Based on how completely wrong I read and interpreted the code, it's actually a surprise that I was able to solve it. So I guess this is an example that you don't always have to understand everything to solve an issue, as long as you identify the core and approach it systematically. Awesome, now all confusions I had about this challenge are cleared up. The challenge and the code make total sense now. Thanks so much for your input, I always appreciate it. Even if I get the same comment dozens of times, I always learn from it, and I can't repeat it often enough. I'm so glad that I can put my work out there and not only show something cool to others, but get feedback that helps me to improve as well.
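The scoping skeleton described in the update above, reconstructed here as an added example; this is not code from the video, the JS Safe challenge, or the transcript. It runs the function-with-inner-function-and-loop shape in three variants (no declaration, var, let), shows the one case where var and let actually differ (a block inside the same function), and also covers the first correction with a small scan that lists identifiers containing non-ASCII letters, which is how a Cyrillic х posing as x gets caught before it fools anyone. All names (withoutDecl, withVar, withLet, loopScope, findNonAsciiIdentifiers, SAMPLE_SOURCE, regexHasLength) and the sample snippet are made up for this example.

```javascript
'use strict';

// Added example, not from the video or the challenge. All names below are
// made up for this example.

// Variant 1: h declares nothing, so it reads and writes the outer a.
function withoutDecl() {
  let a;                       // stands in for the "global" a from the video
  function h() {
    const seen = a;            // 1000: the outer a after the loop ran
    a = -1;                    // clobbers the outer a
    return seen;
  }
  for (a = 0; a < 1000; a++) {}
  const seenInsideH = h();
  return { seenInsideH, outerAfterH: a };   // { 1000, -1 }
}

// Variant 2: "var a" inside h. var is hoisted to the top of h, so a read on the
// line before the declaration sees undefined, and the outer a is untouched.
function withVar() {
  let a;
  function h() {
    const seen = a;            // undefined: the hoisted var a, not the outer a
    var a = -1;
    return seen;
  }
  for (a = 0; a < 1000; a++) {}
  const seenInsideH = h();
  return { seenInsideH, outerAfterH: a };   // { undefined, 1000 }
}

// Variant 3: "let a" inside h. Same separation from the outer a, but the
// declaration has to come before the read: reading a let before its
// declaration throws a ReferenceError (temporal dead zone) instead of
// yielding undefined.
function withLet() {
  let a;
  function h() {
    let a;
    const seen = a;            // undefined
    a = -1;
    return seen;
  }
  for (a = 0; a < 1000; a++) {}
  const seenInsideH = h();
  return { seenInsideH, outerAfterH: a };   // { undefined, 1000 }
}

// Where var and let actually differ: a block inside the same function.
function loopScope() {
  var v = 'outer';
  let l = 'outer';
  for (let i = 0; i < 1; i++) {
    var v = 'loop';            // same function-scoped v: overwrites the outer one
    let l = 'loop';            // new block-scoped l: the outer one is untouched
  }
  return { v, l };                          // { 'loop', 'outer' }
}

// Homoglyph check: list every identifier that contains a non-ASCII letter,
// with its code points, so a Cyrillic х (U+0445) posing as x is visible.
function findNonAsciiIdentifiers(source) {
  const ids = source.match(/[\p{L}_$][\p{L}\p{N}_$]*/gu) || [];
  const found = new Map();
  for (const id of ids) {
    if (/[^\x00-\x7f]/.test(id) && !found.has(id)) {
      found.set(id, [...id].map(c => c.codePointAt(0).toString(16)));
    }
  }
  return [...found].map(([id, codePoints]) => ({ id, codePoints }));
}

// Constructed sample: the function name is an ASCII x, the parameter a Cyrillic х.
const SAMPLE_SOURCE = 'function x(\u0445) { return \u0445.length + x.length; }';

// A regex literal has no length property, which is why a loop written as
// "run until i equals source.length" never terminates.
function regexHasLength() {
  return typeof /asd/.length === 'number';  // false
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(withoutDecl(), withVar(), withLet(), loopScope());
  console.log(findNonAsciiIdentifiers(SAMPLE_SOURCE));
  console.log('regex has length:', regexHasLength());
}
```

Run it with node. The homoglyph scan is the part worth keeping around: run it over any obfuscated challenge source before reasoning about scoping, since a single non-ASCII identifier explains a lot of "JavaScript is weird" moments.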
--------------------------------------------------------------------------------
/liveoverflow_transcripts/qMEJ11jhlAc.txt:
--------------------------------------------------------------------------------
Hey, welcome to another video where I just ramble a little bit about the state of the channel, give some background information and just generally talk about what's going on. The channel is doing pretty well. I currently have about 4500 subscribers and it grows by about 150 new subscribers weekly, and I'm at roughly 120,000 views and I get roughly 5000 more views weekly, which is pretty awesome, and that's mostly thanks to people sharing it, because otherwise it wouldn't be discovered. Also the feedback has been very amazing so far. I get a lot of positive comments, they are very encouraging, I really love reading the notifications that I get, and they are a huge motivational boost for spending so much time on something that doesn't provide me any income. Also a lot of people write me in private, write me emails or write me Reddit messages and ask me questions, and I really try hard to answer all of those. So again, if you are stuck with a certain problem, if you have some issues or you just want an opinion about something, just write me, I really love to respond to these kinds of messages. In a couple of weeks or days the Riscure embedded hardware CTF challenge will be starting, which I have been really looking forward to for a long time now. You can still register until the 1st of November on their website by solving a very easy binary reversing challenge; send them the key and the flag and then, possibly, if they still have units left, you will be able to participate in the CTF and they will send you a little Arduino Nano board which, as I understand it, is
preloaded with a bootloader that has, I think, individual cryptographic keys on them, and then, as far as I understand, if I understand the chart correctly, they will send out all challenges encrypted with your key, and they are put on the Nano and then you can interact with the board and try to solve these different challenges. But anyway, in any case I'm really looking forward to this. The hardware resources that I have for analysis and stuff are not that much: I have a soldering iron, I have some Arduino boards and I have a logic analyzer and a multimeter, but that's about it. I'm still really thinking about buying a ChipWhisperer, because there will definitely be some side-channel attacks happening. I know what side-channel attacks are, I know the theory about it, I've never done it myself directly, and I know that the ChipWhisperer system is also used at my university by some teams, so I think that would be a cool platform. Also I don't have a proper oscilloscope, which would probably also be very helpful in identifying signals and all this kind of stuff, so I contacted Keysight and Rigol and asked them if they would be up for a little bit of sponsoring: they'd give me an oscilloscope, I show it in the videos, I use it in the videos. But so far I didn't get any response, so let's see where this is going; otherwise I will probably just buy one, because I really want one anyway. So before I started my YouTube channel I was looking for other proper hacking channels on YouTube, and obviously you find the big ones like Hak5, and you find a lot of crap videos about how to hack Instagram, and they are just super bad. But since I have this LiveOverflow account and I only subscribe to other neat channels that I discover, suddenly the YouTube algorithm
recommends more and more of these really good channels, and so I start to discover so many cool new YouTube channels that are actually doing very awesome work, and they are technical and they are not the kind of hacking videos that you usually find. So let me recommend two of them to you that I recently discovered. One is Micah Elizabeth Scott. She does amazing videos, they are well edited, they are super entertaining and they contain so much knowledge. It's a blast to watch and you learn so much from it. She mainly covers hardware reversing, analyzing hardware and all these kinds of topics, and I just get so much from it, and it's such an enjoyment and they are so high quality, so you should check it out. She definitely deserves more subscribers, and also she has a Patreon, go and support her, because it's just pretty cool. Another cool channel that I have to shout out, because he made a video about my old CTF that I did (he solved the challenges and records himself doing it), and it's set for on the Cyberspace Camp channel, and he just recently put out a series of short videos talking about different anti-debugging techniques for Windows, and those are pretty cool. They're just pretty short, concise videos talking about all those different techniques you can do, and he knows a lot, and he has other CTF recordings, so that is also just a very solid channel with a lot of information there, and I'm just happy that I discovered the channel like this, and it also definitely deserves more people watching it. So that's it for now. Things are going great, I'm having a great time, I'm very stressed out, a lot of things are going on right now, but I'm having a great time and I hope you are too. So hopefully see you in the next video.
--------------------------------------------------------------------------------
/liveoverflow_transcripts/6pGEVDderN4.txt:
--------------------------------------------------------------------------------
In the last video we looked at a very simple JavaScript sandbox escape by abusing the constructor property of the scope object to get an instance of the Function constructor, which we then used to generate a function with alert and execute it. In this video we will have a look at a different sandbox bypass for version 1.4.7. A lot of internal stuff has changed between the old version 1.0.8 and this one. But we will figure it out. Again, credit for this bypass goes entirely to all those amazing researchers who looked at AngularJS in the past. And the bypass I'm showing here was found by Gareth Heyes. So let's move on to this newer AngularJS version and use our old bypass. And let's see what happens. Mh, no alert. Let's have a look at the console. "Error! Referencing Function" (notice the capitalized Function, that refers to the Function constructor, you know, what we used to call alert) "in Angular expression is disallowed". Ok, crazy. Angular refuses to work with the Function constructor that we got by following the constructors from the scope. In the stack trace we can also find the function where this error is coming from. It is coming from ensureSafeObject. Click on it to see the function. This is it. And here is quite a clever check whether the object coming in as the parameter obj is the Function constructor. I have briefly mentioned that the highest constructor in JavaScript is the Function constructor. This means that if you try to get the constructor of the Function constructor, you will end up with the Function constructor again.
So when obj is already the Function constructor, the constructor of that will again be the Function constructor, so this "if" will evaluate to "true" and throw this error. Aaand as you can see I have also modified this AngularJS code and added debugger statements as breakpoints in multiple places. This will stop the execution when you have the developer tools open. Now I will take the sandbox bypass from Gareth Heyes and we will step through the JavaScript code to see how it works. And why it works. But that might be a bit freaky. So we will start by looking at this expression and try to get a first understanding of what it tries to achieve. And in a follow-up video we will then see how this actually works inside of AngularJS. First of all I will modify this a bit, and instead of array dot join I will use string dot concat. I think it's a bit less confusing. I will also modify the actual payload a little bit to make it more clear. And also add a breakpoint into it before we call alert. So as you can see, this expression actually has two parts. The first part with some weird prototype stuff and an assignment. And separated, like JavaScript, with a semicolon is another expression with a $eval. I hope you remember the first video where I explained that $eval is just evaluating an AngularJS expression. It's equivalent to double curly braces. So this whole thing is basically an AngularJS expression with another expression evaluated inside. Let's have a look at that first part. So... It somehow does something with charAt. charAt is a standard string function. It returns the character at the index given as parameter. So charAt zero returns the character 'a'. And charAt one the 's'.
But what about that constructor prototype stuff? So the expression starts with a string and references the constructor of that. Which obviously gives us access to the String constructor. Note that this is not a dangerous object yet, like the Function constructor. I mean, what harm can a String constructor do that only allows us to create new strings? From that String constructor it now references prototype. Prototype is fancy JavaScript. Every string we use is a descendant of the String object. And prototype can be used to reference the actual function or method that is inherited by all string objects. So we are now referencing the charAt function that all other strings inherit. And now the exploit wants to assign something different to that method? What the fuck? It wants to assign the concat function? So let's see what concat does. String 'b' dot concat is also a string function or method. It concatenates another string. So for example append the string "ccc" to "b", which returns "bccc". So now let's overwrite the prototype charAt with concat. Now the string "asd" dot charAt suddenly returns the concat function instead of charAt. What the hell? And when we now perform the charAt like we did at the beginning, we don't get the first character, we append 0 to the string. So that first part of the expression attempts to completely destroy how the string charAt function works. If that is successful, you can imagine very, very weird things could happen if something is relying on charAt. And if we look at where our first breakpoint hit, AngularJS uses charAt to do something. So what will happen?
Find out in the next episode of this series, where we step through the actual AngularJS exploit and see how it screws up the internal state of AngularJS.
--------------------------------------------------------------------------------
/liveoverflow_transcripts/6QQ4kgDWQ9w.txt:
--------------------------------------------------------------------------------
In the previous videos of this series we have set up everything. We flashed the challenge "Secure Filesystem" onto the board and figured out how to interact with it over a serial connection. We also learned about using pyserial to speak with the embedded device via a Python script. This means we are ready to solve some challenges. So when you connect the board with this challenge loaded on it, you can see the following output on the serial console. It shows a list of files. And our goal is probably to read the passwd file. But let's first read the challenge description. Secure File System: "We don't remember why, but we wanted a file system on an AVR328p" (that's the microcontroller on the Arduino board). "After the system was completed we discovered that it lacked basic security. A couple of beers later we came up with what we think is a revolutionary way to do file system permissions. It is now your task to fill in our shoes and test its security. The filesystem allows you to request the contents of one or more available files by using the following format: a token, followed by a hash and then at least one filename, followed by multiple optional filenames, colon separated." And there are multiple example requests to read different files. For example this one here would return the content of cat.txt and finances.csv. We already successfully did that in the previous video.
So, while I'm pretty certain what the solution will be, let's have a look at the other examples and approach it with an open mind. Because maybe it's not what I think it is. The first thing we should notice is that the tokens look pretty random. Especially when you compare different tokens that all request cat.txt, but in combination with another file, it will completely change. This means it's unlikely that data is encoded in there. Or that it follows a predictable pattern that we could analyze statistically. It's very likely that it is a hash. Like a password hash. Easy to compute and verify, but really hard to reverse. From the length I suspect it to be a SHA1 hash. I didn't record this, but at this moment we could check if the filename, or the combination of multiple filenames, is simply hashed and that becomes the token, but it turns out it's not. And at this point I wanted to try out what I suspected to be the solution. Because if you see a token that presumably protects or authenticates some data, it might be some kind of MAC, message authentication code. A MAC, or as it's called here, a token, can be used to prevent somebody else from changing data. And we don't know how to generate a valid token to request the passwd file. But a message authentication code can be implemented in a weak way, and then you can mess with it. And I actually introduced this weakness in a previous CTF video. So let me play that clip.

In that video it was about an MD5 hash, but SHA1 has the same issue. If we assume that the embedded device has a secret key, which is prepended to the requested filenames, and then a hash is calculated over it, we should be able to attack this with a length extension attack.
So let's start to write our attack script and use hashpump, the tool that I already introduced in the other video, to do that. We import pyserial, set up the serial connection with the USB-to-serial device. Then we can attempt to read from it, write one of the example tokens which should allow us to read cat.txt, and then read again to get that content. But when we run it, it doesn't work. We read nothing. I assume that we read data too fast and the board is just too slow with sending. So I write a little helper function called read_until, which keeps reading data from the serial connection until the read data contains the string we expect. So now we can read until the prompt appears. When we now test it, it will take a second until the board sends us something, but we are eventually able to read the content. Then I install hashpump and the Python module, hashpumpy. This allows easy access to the hashpump utility from a Python script. One problem with this is that a hash length extension attack has to know how long the secret key is. And we don't know that. But we can simply write a for loop that just tries out all different lengths. And then we simply call the hashpump function. We give it the hash we have, the data we know, the data we want to append (in this case we want to append the passwd file with colons; also we don't know what is in pepper, so we get that file as well), and at last we need the key length. hashpump will return the updated hash and the new message, which contains the padding and so forth. We can also print the tested key length with that data, so we can later see how long the secret key was.
Then we send the newly calculated updated token, with the hash symbol, and the colon separated file request via serial to the board. Then we should read until the next prompt after each attempt, so we know the board is ready to get our next request. Now we let it run and watch. And UH! There it looked like we got something. Let's scroll back up. Yeah, and there it is. The flag. Let's submit the flag and collect our first 100 points. Awesome.
--------------------------------------------------------------------------------
/liveoverflow_transcripts/28JHPOUZvDw.txt:
--------------------------------------------------------------------------------
This video is part of the Cyber Security Challenge Germany 2020. I'm showing off various tools that can be used to solve part one of the introduction to reverse engineering challenges. Note that this challenge is super easy and not every technique shown here will work for the second challenge, but I hope I can give you enough inspiration to do your own research into these tools and then dig into part two and part three yourself.
[Music]
So here are the intro rev challenges: rev1, rev2 and rev3. We will look at rev1. So first of all it's a good idea to check what type of file you have. On Linux-like machines the file command can be used to get some information, and it tells us it's a 64-bit ELF binary for Linux and it's not stripped, so it contains symbol names from the source code it was compiled from. This makes reverse engineering easier. I'm using a Mac here, and you can see when I try to execute it, it gives me an exec format error: a Linux ELF binary cannot be executed on a Mac. So I'm using here a workflow with Docker to get a Linux shell; I link some resources below on how I do that.
Alternatively you can also install a VM, or on Windows check out the Windows Subsystem for Linux. Okay, so now I have here a Linux shell and you can now execute the binary. It asks for a password and if it's wrong it will fail. Note that I executed it here locally; once you have found the password you need to use netcat and talk to the IP and port given in the challenge description and enter the password there. Now let's just go through a big collection of alternatives on how you could find the password. First I'm using a hex editor. Here you can see the raw bytes represented as hex values, and over here you see those bytes represented as ASCII text. When you look around you can find in there some readable text like the "give me your password" prompt, and then there's a suspicious-looking string that could be a password. Let's try it out: give me your password, "you shall pass", and that's the right password. Easy, now we solved the challenge, but let's check out a bit more. There's also a utility called strings which extracts all valid ASCII byte sequences from this binary, and in there you can also find the password. A similar but more powerful tool is part of radare2 and it's called rabin2; with -zzq you can find a lot of possible strings, and the output also gives you information like the offset inside the binary where it was found, and of course here's the password too. strace is a tool to trace system calls and it can be used to learn more about what the binary does. All the stuff here at the start can be ignored, it's just executable setup stuff, but down here you can see how the flag file is opened and read, and then it writes the password prompt and reads and waits for input. But it didn't reveal the password here. However, there is a related trace tool
called ltrace which traces library calls, and it can show the libc library functions that are being called. If you use that you can find a string compare on the input and the password. Awesome. Another option, especially when a password check is a bit more hidden and not just a simple string compare, is to debug it, for example with gdb. In this case I'm using gdb with the extension pwndbg to make it look fancy, and so you could disassemble main and read the assembly here to see what happens, or you could take a dynamic approach and see what happens by setting a breakpoint in main and stepping through the code with si for single stepping, or ni if you want to skip calls, and you can observe the registers, the stack and generally what's going on. Here you might identify the technique used for the password check, in this case a simple string compare, and here's the password. gdb is definitely very useful; I talked a bit more about gdb in some other videos, I linked the relevant resources below. Another awesome tool for reverse engineering is Ghidra. It's also a disassembler, but it can also decompile code. So I'm loading the binary into Ghidra, yep, yeah, blah blah, would you like to analyze and all that stuff, and then let's look for the main function. It's here. It automatically decompiles the assembly code, and it's awesome for learning assembly too, because you can compare how certain assembly instructions relate to some pseudo code. Anyway, here you can see how user input is read into this char buffer and then it is compared to "you shall pass". So this is also a very awesome and powerful tool to reverse engineer any kind of password check algorithm. Another more hardcore reverse engineering tool, but definitely looking cooler, is radare2. I'm opening rev1 in
it and I analyze it with aa, then I seek to the main function and use capital V to enter the visual mode, and here you can also see the call graph with the string compare, and you can find the password here. Yeah, that's it. That was really easy, right? If you are just starting out learning reverse engineering I'll link some videos of mine below, but I can also just recommend playing around with it: write a simple password check yourself, compile it and then try to reverse engineer it; implement a for loop, a while loop, some if cases, and then always reverse engineer it to get a feeling for how C code is compiled to assembly. Now good luck with rev2 and rev3.
[Music]
--------------------------------------------------------------------------------
/liveoverflow_transcripts/N1US3c6CpSw.txt:
--------------------------------------------------------------------------------
Sometimes your binary will not have symbols, it's a so-called stripped binary. Let me show you what you can do then.
[Music]
Sometimes you find yourself with a binary that says it's stripped. Your problem is when you try to debug this and you want to set a breakpoint on main: no symbol table is loaded. So I have downloaded the disassembler called Ghidra, and I've linked it in the description of this video. This will not work, we still need Java 11. While this is still installing, let's go back to gdb and I'll show you another method first. With info files you can get a couple of pieces of information about this file, and so first of all you see here a lot of the sections that this file has. So for example you can find the text section, which is the code, or you can find the data section, where there's static data. There may be other stuff that you recognize, like the procedure linkage table and the
global offset table, and so forth. But it also shows you here an entry point, which coincidentally is right at the start of the .text section, too. So let's disassemble the code there. Ok, so there's no function at this address, so let's look at this with the examine command. So I'm examining 20 instructions at this address, and then we can see here a couple of instructions, and then we see here a call coming up, as well as certain parameters being prepared for it. And Ghidra shows basically the same thing. Ok, I tried to zoom in a little bit, so hopefully it's not too crowded. So in the symbol tree you can find a symbol that Ghidra called entry. The entry function here also starts at 0x4f0, that is the offset; Ghidra actually puts it at 0x1004f0, but that's just convention, that's just where Ghidra kind of like assumes it could be in memory. But you see the offset is the same. And so let's look at this code. Here you can also see eventually this call; Ghidra already recognized this as __libc_start_main. Ghidra recognized this because even though the binary itself is stripped and doesn't have symbols, it still uses dynamic libraries like libc, and to resolve the addresses of the libc functions it has to include the symbols for this dynamic library. So it will recognize it if it tries to call something like that. gdb is not really a disassembler, gdb is a debugger, so it doesn't have fancy display features like this. There are some extensions that might help you with that, but generally you would want a disassembler to kind of like analyze a binary like this statically. So here we can see __libc_start_main, and Ghidra also has a decompiler, and you can see that this function takes a couple of parameters. And actually the first parameter of this __libc_start_main function is the address where the actual main is. So what Ghidra identified as this function here is main. So we can go there, and we can see that's like my shellcode test code. This, this is the main function that I have written; don't, don't worry about what this code does, but I can assure you that this is the main function. This means that the address loaded into RDI is in fact the address of main.

So we know this is the entry point. So at the entry point you can also see that here's this call, and because you can assume this is a typical binary, you might assume that in the entry code the first call there goes to __libc_start_main. It's just an assumption that you can make; a disassembler like Ghidra will actually tell you if that's the case, but that's a fair assumption you can make if you assume it's just a normal binary. Which means the first parameter here for this call is actually the real main. And here gdb actually helped you, because it's relative to RIP, so RIP would in this case be the address here plus this offset. Here's the result. So this address should be the real main, your main, and yes, this definitely looks like a function start. So yeah, this, this is your main function. So this is how you can find main.

Okay, so now that we have learned about __libc_start_main, we can actually use this also to our advantage with gdb, as long as it's a dynamic binary and not a static binary: you can break on the libc function, because for that you have symbols. And it says here that __libc_start_main is not defined, but you can make a pending breakpoint in case a shared library is loaded at some point that has the symbol. And now let's execute the binary. We hit a breakpoint in __libc_start_main. This happened because when the binary was executed, the loader started to set up the whole binary and it saw that it needs a dynamic library, so it was loading libc, and there was a breakpoint, so it set a break. But you get the point. And here you can actually see a few more of the symbols: you can see here the names of the parameters of this function, and the first parameter is called main, and it shows you actually what the parameter value is. So at this address, generally this offset here at the end, is where you can find main. Let's see if this is correct: 0x5fa. So yeah, we assume that at 0x5fa we can find main, so now we can also set a breakpoint there, and we continue, and we hit a breakpoint, and now we are in main. So this is how we can find the main function in a stripped binary and how we can also then debug this. Now you know how you can find the main function when you have a stripped binary. Make sure to check out the full playlist of this series, and see you tomorrow.

[Music]

--------------------------------------------------------------------------------
/liveoverflow_transcripts/JFIGpRh76XY.txt:
--------------------------------------------------------------------------------

AngularJS fixed the sandbox bypass from version 1.4.7. But very quickly a new bypass was found. The old bypass, which overwrote the charAt prototype function to screw with AngularJS internals, got fixed. But the fix was incomplete. Very quickly a new bypass was found, but it was initially kept private. Eventually somebody else discovered the bypass too, and reported it publicly on GitHub. So let's try to find the bypass for the incomplete fix ourselves. Let's start by testing the old bypass. No alert.
And when we look into the console we can see the error "Assigning to a constructor is disallowed!" What does that mean? Let's have a look at what ensureSafeAssignContext is doing. So this is a function that takes an object as parameter and performs a couple of checks on it. It basically checks if the object passed to it is some kind of constructor. As we have seen with the first bypass, constructors are dangerous. In that video we used the Function constructor to escape the sandbox. And in the last escape we accessed the prototype of charAt via the String constructor to screw with Angular's internals. So it makes sense that the sandbox tries to prevent you from assigning to the constructor.

Well... the name "AssignContext" indicates that this is a check used in assignments. I set a breakpoint with the debugger; keyword here, so let's see what kind of objects are passed to this function. So the first object passed to it is the string "a". The second object passed to it is the String() constructor, which will obviously then throw the exception. Now let's check where this is called from in the call stack. It's coming from fn, and fn is again this dynamically generated JavaScript code representing our expression. We can take this generated code here and compare it to the generated code from 1.4.7. You can see that the fix is not super big. It only added two function calls to ensureSafeAssignContext.

Anyhow. Let's try to understand what assign context means. In what cases does AngularJS check an object with this function? We can do this by using simple expressions. So for example 1+1 doesn't trigger the breakpoint. So no check here. That's not surprising, we would expect some kind of assignment anyway, right?

So let's do an assignment: a=1. Ok, this triggered the breakpoint. And the object passed to it is the Scope object. Remember from the very first video that any variable you use is evaluated against the Scope? So that kinda makes sense. Let's look at the function Angular generated. So v0 is the 1 that we want to assign. v2 up here is s, our scope. So that also makes sense. So now in here it checks if v2 is a safe object for assignments. And yeah, the Scope is a safe object. After that you see the assignment happening with v2.a. So a on the scope gets assigned the number 1.

As you can see, it always only checks the left side of an assignment. So the object to the right is never checked. This means we can still do stuff with the constructor, it just can't be on the left. So we can assign it to a variable on the scope just fine. But is that enough? Now that a is the String() constructor, let's see if we can assign something to the prototype of a. The first check is the first assignment, which is fine. But the second check will fail. Because a is the constructor. mhmh....

Playing around like this is enough to find the bypass for the incomplete fix! So go ahead and pause the video to try it yourself and head over to the testbed at liveoverflow.com/angularjs/ You can do it!

In case you didn't get it or you just want me to tell you, well here we go. So we can use those evil objects on the right side of an assignment. So we can assign them to anything we want. But they can't be on the left. But the only evil object that can't be on the left is the constructor. So what we could do is, we could assign the prototype to a instead. And then we use a.charAt in the next step.

Theoretically this should work, because a now contains the prototype and NOT the constructor. Which means ensureSafeAssignContext will not find a constructor and be happy. So let's try it. The first assignment is on the scope. So that is safe. And the second check is on this weird object here, but that is just the prototype! And when we let the code continue, we pop an alert! Hah! That was super easy.

Let's compare our bypass with what Ian found. His exploit is a little bit overcomplicated, but in essence it's the same. He assigns the prototype to a property y of x, and then accesses the charAt via that property. Same thing, we just used a simple variable. Also this bypass still works in the latest version 1.5.8. But AngularJS has announced that they will remove the AngularJS sandbox in 1.6. This means that we don't need any fancy sandbox bypasses anymore and exploitation becomes trivial. It sounds counterintuitive, but I think that's a good thing. But let's discuss this in another video.

Now that you understand AngularJS sandbox bypasses, I highly recommend you to watch the talk "An Abusive Relationship with AngularJS" by Mario Heiderich. He gives a great overview over the history of AngularJS sandbox bypasses.

I just finished editing the video and I realized I forgot to give my disclaimer and the proper credits like I did in the previous videos. So here it comes a bit late. I did not discover those bypasses myself. Great researchers like Mario Heiderich, Ian Hickey, Gareth Heyes and many more are the true brains here, I merely tried to explain their hard work in a video. So look them up, and follow them on Twitter.
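Added example (not code from the video or from AngularJS): a small model of the assignment check discussed in this transcript, reconstructed from the behaviour shown. The exact list of blocked constructors and the stricter variant are assumptions; the replay works on a throwaway scope object and never modifies a real built-in.

```javascript
// Model of the 1.4.8-era ensureSafeAssignContext check as described in the
// video: it rejects a handful of constructor objects as assignment *targets*.
// Reconstruction for illustration, not AngularJS source; the constructor list
// is an assumption.
function ensureSafeAssignContext(obj) {
  if (obj) {
    if (obj === (0).constructor || obj === (false).constructor ||
        obj === ''.constructor || obj === {}.constructor ||
        obj === [].constructor || obj === Function.prototype.constructor) {
      throw new Error('Assigning to a constructor is disallowed!');
    }
  }
}

// Hypothetical tightening (an assumption, not the project's fix): besides
// constructors, refuse a built-in prototype object as an assignment target,
// because that is the object the "stash the prototype first" variant writes to.
const BUILTIN_PROTOTYPES = new Set([
  Object.prototype, Function.prototype, Array.prototype,
  String.prototype, Number.prototype, Boolean.prototype,
]);
function ensureSafeAssignContextStrict(obj) {
  ensureSafeAssignContext(obj);
  if (BUILTIN_PROTOTYPES.has(obj)) {
    throw new Error('Assigning to a built-in prototype is disallowed!');
  }
}

// Replays the two-step pattern from the video against a fresh scope object:
//   step 1:  a = <value>      -> generated code checks only the target (the scope)
//   step 2:  a.<prop> = <x>   -> the target is now whatever a holds
// Returns 'step1' or 'step2' (which assignment the check rejects) or
// 'allowed' if both writes would go through. Nothing is actually written
// to the stashed object.
function replayTwoStep(check, value) {
  const scope = {};
  try {
    check(scope);      // left side of "a = value"
    scope.a = value;   // the right side is never checked
  } catch (e) {
    return 'step1';
  }
  try {
    check(scope.a);    // left side of "a.prop = x"
  } catch (e) {
    return 'step2';
  }
  return 'allowed';
}

// The three cases discussed above, side by side.
function summary() {
  return {
    // a = String; a.prototype.x = ...   -> rejected at step 2 (a is a constructor)
    constructorOnLeft: replayTwoStep(ensureSafeAssignContext, ''.constructor),
    // a = String.prototype; a.charAt = ... -> slips past the 1.4.8 check
    prototypeOnLeft: replayTwoStep(ensureSafeAssignContext, ''.constructor.prototype),
    // same stash, stricter check          -> rejected at step 2
    prototypeStrict: replayTwoStep(ensureSafeAssignContextStrict, ''.constructor.prototype),
  };
}

console.log(summary());
```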
--------------------------------------------------------------------------------
/liveoverflow_transcripts/3xIj8Xyx1TU.txt:
--------------------------------------------------------------------------------

So today I show you a quick tool that is really, really cool when you are starting to learn about the Linux command line.

[Music]

This is it: explainshell.com. It's by Idan Kamara, and you can also find the source code on GitHub. So let's check out what it does. In the recent video about the zero day in bash I quickly brushed over my solution, and because on the challenge server it was a bit difficult to get files over there, there's this trick you can use for copy and pasting. But it can look pretty intimidating and weird, like all these redirections and EOF, like what the heck is going on. So let's see what explainshell tells us about it.

So the first line of this command is simply this. So let's hit explain, and there we go. So explainshell recognizes here three parts: first cat, then the /tmp/escaped part and then the EOF. So here it just shows you the man page for cat, and cat is the tool to concatenate files and print on the standard output. So while it doesn't quite tell you exactly what's special about the way that cat is used here, it does show you what belongs together. So there's just the cat command. So what does the cat command do? And if you're not sure what a command does, the easiest thing you can do is just playing around with it and see what happens. So if you execute cat, it always seems to output whatever you enter: "hey this is my input", enter, and cat gives us the output back. AAA. So cat without parameters, like in this case, will simply take anything that it reads as input and send it to the output.

Okay, let's look at the second component. "Before a command is executed, its input and output may be redirected. Redirections are processed in the order they appear, from left to right." Okay, so we have here a redirection and we are redirecting output. The language here is very confusing, but it says here, okay, so the sentence is a bit convoluted but we can break it up: "redirection of output causes the file whose name results from the expansion of word to be opened for writing". And we can see the redirect and then word, so in our case we have the redirect and then a file name. So this file name will be opened for writing, and what will be written there is specified by the second part here. Now we don't have an n here, we don't have a number before, there's nothing, because "if n is not specified" anything from standard output, or file descriptor one to be more precise, is written to that file. Probably most of you know this redirection, right? You know, when you use this redirect into a file you just take the output from the one command and put it into the file. So you probably even knew this, but it just looks weird in the setup with the cat and also this EOF then here at the end. But explainshell just shows you what belongs together. So here we just have a redirection of the output, so whatever the output from cat is, is redirected into this file.

Okay, now let's go to this weird double redirection and the EOF thing. Okay, so this is again about redirection: "before a command is executed, its input and output may be redirected". It's exactly the same explanation as with the other redirection, but this time we have a different redirection; this time it's not an output redirection, it's this here: here documents. So let's check out what that means. "This type of redirection instructs the shell to read input from the current source until a line containing only the delimiter, with no trailing blanks, is seen." So check this out: you have two redirect brackets and then word, in our case it's EOF. It will read anything from the input until it finds an EOF as a single line. You can place some document, some text here, and then the same delimiter word has to appear as a single line at the end. And so this explains how this works: any input that cat receives is redirected into the file /tmp/escaped.c, and then with this redirection here at the end we define that we will read any input, the whole document, until it receives a line containing this delimiter, this word here. And so it will put all this text as the input to cat and write it into the file until EOF is found, and then it will stop. And so that's why you can copy this whole text here and just paste it into a shell, and that will write all this output into the file. But I mean, it was still kind of a convoluted little thing.

But let's try something else. So let's see what this find command here does. So find searches for files in a directory. Here you can see the parameters for find: so this corresponds to the path, and then it has the -type f, and -type f means it looks for regular files, and then -print0 means print the full file name on the standard output, followed by a null character. Let's look at this one here: true. Ok, so "do nothing, but do it successfully". All right, and then we see it highlight these two here, so these are AND and OR lists. "AND and OR lists are sequences of one or more pipelines separated by the && and || control operators." This one here means command2 is executed if, and only if, command1 returns an exit status of zero, which is kind of like defined as "it ran successfully"; in an error case a program should return something nonzero. And the OR list, I guess, is also kind of interesting: command2 is executed if, and only if, command1 returns a nonzero exit status. Then we have these brackets, so what do they mean? They define a list; the list is simply executed in the current shell environment. All right, ok, so we have here a list of commands, and in the first list we have one command, and in the second list here we also have just one command. And then we have here echo; echo displays a line of text, and then we have here the parameters for echo, which are "success" or "failed". I think this is a really cool and small tool. Oh, there was also a dark theme, that might have been nicer on the eyes, sorry.

[Music]

--------------------------------------------------------------------------------
/liveoverflow_transcripts/VzZi2AGAsOY.txt:
--------------------------------------------------------------------------------

Last video we figured out how to overwrite certain functions with LD_PRELOAD and how to access the internal objects from libGameLogic. With that we were able to increase our walking speed a lot. So let’s see what else we can do. One really cool thing would be flying, right? Flying… so how could we get flying? There is obviously not an attribute in the Player class to simply enable flying, but we can maybe be creative with what we have. And jumping is definitely close to flying, we just can't fly very high. And we will fall back down. So maybe we can make something out of that. I have noticed there is a jumpHoldTime and jumpSpeed. So let’s set jumpSpeed to a higher value and check what it does. Let’s compile our evil library, then we LD_PRELOAD it into the game, and then let’s see what changed.
When we now jump, whooooosh… ok, I think the speed was a bit too crazy. But we get a nice view of the map. Including an island? We haven’t found that island during our let’s play in episode 1. I wonder what we can find there. So let’s tone down the speed a bit. And now also add the jumpHoldTime with a higher value. Then we can try it again. Ok… So jumping seems fairly normal. Except that I can keep space pressed, or, you know, hold space for a longer time. And then I keep rising up. That’s pretty cool flying already, but the issue is that once I release space again we start falling down and we can’t jump anymore until we touch the ground again…. Mhmh.

This is kind of the challenge with game hacking. We have essentially all the power in the world, we can modify any memory, call any function we want, we just need to be creative with what and how we do it, so we can make it usable and fun. So when I was looking around a bit more I found that the Player class has a function called CanJump(), which returns a boolean, true or false. So let’s try to overwrite that function and always return 1. When we now try this ingame, we can fly up when we press space, descend when we release it, but then we can also press it again to jump again and thus fly up! While the flying is not perfect, because the player has an awful velocity while in the air, it’s still pretty neat. If anybody finds a way to be able to move horizontally as if you are walking on the ground, let me know!

Let’s fly a bit higher to see again which direction the island was. Hehe, so cool. The island looks awesome from above. Oh… there is a dark spot over there. Is that an island? ENHANCE! It could be the island!

Let’s fall back to the ground, which takes a little bit, but then thanks to our super speed we just quickly run there! We are approaching it. ISLAND HERE WE COME! Entering Cowabungalow! Oh look, there is a chest! And the Cow King! Remember the Gold Farm from the Let’s Play in episode 1?

Welcome to the gold farm. I farm all day to provide for this island. But it has all gone wrong.
What’s wrong?
My Cows are missing! One night I heard a massive amount of thunder, then my cows had disappeared. I have no idea where they went.
I will let you know if I see them.

So sounds like we found the Cows! Ouch! The Cow King just killed us! Damn… With the attack Static Link. It’s a 1337 Magic Spell. And dealing a lot of shock damage. Let’s respawn and check out that house here.

Welcome to my humble bungalow. I was enjoying my private island until those mad cows showed up.
Where did the cows come from?
One night I heard a thunderous boom, and when I looked outside there were mad cows everywhere. There is one in particular that worries me.
That sounds familiar. I think I know who owned these cows. Which one worries you?
The one with the crown! Anything that gets close gets struck by a bolt of lightning out of the blue. Do you know any magic?
I do. Why do you ask?
I have a legendary magical cube here. I read that it posseses.

TYPO! THERE IS A TYPO. LITERALLY UNPLAYABLE!

I read that it posseses the power of the fable Rubick, and might be able to steal the thunder of the Cow King, leaving it defenseless.
Have you tried to use it on the cow?
I would, but I’m terrible with magic. My last attempt got me stranded on this island. That fast travel spot right there is such a tease, as whatever magic got me here is preventing me from using it. Would you please take the cube and try it?
I will take it and try to use it.
Here it is, I won’t need it back. No more magic for me. Good luck, now go steal the Cow King’s thunder.
Thank you. I will see what I can do.

Acquired Rubick’s Cube. I am Legend. AND WHAT THE HECK. Killed by a Mad Cow. Thank you. Ok.

Now let’s go to the Cow King again. It’s attacking me, let’s spam using the Rubick's Cube, and I steal the Static Link skill! Now I can use Static Link. There we go. Quest complete. Until the Cows Come Home. And a New Achievement: Monster Kill. We also get a weapon, the Cowboy Coder. But let’s check out the chest. Acquired Flag of the Cow! 1337 Flag. The key is: I should’ve used dynamic link. Wuhooo… Our first flag. And if we would have found this during the CTF, we could now submit this flag to the scoreboard to get points for our team. Awesome! We are slowly making progress.

Before we end this, maybe we could also take a quick look at the original list of challenges to get an overview of what our goals are. This was the CTF page for the Ghost in the Shellcode CTF 2015. And here is the challenge we just solved, “Until the Cows Come Home”. We would have gotten 100 points for that, and it was the easiest one. I think next time I try to go for Unbearable Revenge. Btw, if you wanna follow along and try this out yourself, you can find all the files in the description of the videos.
--------------------------------------------------------------------------------
/liveoverflow_transcripts/kUk5pw4w0h4.txt:
--------------------------------------------------------------------------------

In this video we make another excursion into reversing C programs. To be specific, we will talk about the Global Offset Table (short GOT) and the Procedure Linkage Table (short PLT).

Let’s start by creating a very simple C program that just calls a couple of libc functions. So I just write two printfs and an exit. These two functions are clearly external functions, I haven’t defined them myself. And they come from libc. When I compile this binary with gcc, libc will be dynamically linked to this binary. Which means that libc is not included in the program. With `ldd` we can see the dynamic libraries referenced from this binary, and it shows that it wants libc, and it also displays the path on my system where my libc binary is. This is great, because then the program can be much smaller, and libc can receive updates without having to recompile my binary.

But this also means that the addresses in libc might be different for each version. So how can I compile a binary to assembler, when I have to know the exact address so I can create a call instruction? Well, this is where the PLT and GOT come into play.

Let’s open this binary in the Hopper disassembler and let’s have a look at the main function. So the first thing we notice is: where the hell are our printfs()? Why are there puts() calls? Well, the compiler saw that we specified a constant string, not a dynamic format string, and thus decided to replace the printf with puts. But anyway, we have here our three function calls, and Hopper decided to prefix the name of the call location with a j, probably for jump. Not sure.

So if we follow this call, we notice that we don’t end up in libc puts. We are still in our binary. Also, how would we, because libc is not included in this binary. We landed in the plt section. The procedure linkage table. And the call to this here is immediately followed up with a jump to an address stored at another location. And this location got the name puts@GOT. So let’s go there. Now we are in a segment called got. The global offset table. And the jump will jump to whatever address is stored here. And at the moment the address that is stored here is referencing an external symbol. So…

So what are they doing here? During compilation we don’t know the address of puts, or exit. So we just create a function trampoline. We call a location we know where it is, the PLT section. Which contains a jump with the jump location referenced from this list (or table if you want). So all we have to do, to be able to use external functions from a library, is somehow write the real address of the libc function in this table. And this is what is happening when we execute the binary. As you know by now, an ELF binary is not just plain assembler code. Before our code gets executed, the complicated ELF format is parsed and based on that the process is set up by the kernel. And during that time references like that might get resolved.

So let’s debug this binary. Let’s use Hopper this time. First we set a breakpoint in main by clicking the red column in the right row. Then we open the debugger interface with the button on the top right. So let’s step forward until we follow the call to puts(). As expected we arrive in the PLT section and are just about to jump to the address referenced in the global offset table. Let’s step further and let’s see what happens. Oh… nope. We don’t go to puts in libc. Somehow we ended up right after the jump and push a value now on the stack. As you can see, every PLT entry, also for our exit() function, has this push of a number and then a jump to this address up here. And when we follow this jump we end up in a function called _dl_runtime_resolve. We can use the proc file system to have a look at the memory maps of this process, and we can see that the address of _dl_runtime_resolve belongs to this ld.so binary. The man page for `ld.so` tells us that this is the dynamic linker/loader. So this library helps us to set up the external references to libc. This function does magic. No idea what it does in detail, but it will find the address of the puts() function in libc, update the GOT table and also execute puts. Now the second time we want to execute puts(), the GOT got updated, and when we jump to the address stored in the global offset table we end up in puts() from libc.

This global offset table is very, very useful when writing exploits, because there are a couple of things you can do with it. For instance, we have an arbitrary write. We can write a value we want anywhere in memory. So you can simply overwrite the address in the global offset table for a certain function. And the next time this function is called, the code will be redirected to whatever you entered in the global offset table.

Let’s say you have a memory leak, for example through a format string exploit like in the previous video. And the binary doesn’t use ASLR. Well, the system itself can still have ASLR enabled, thus the location of libc will always be random. But the address of the global offset table in your binary is always fixed. So when you can read from an address you control, you can read an entry of the global offset table, which is an address in libc. Which you can then use to calculate the offsets to other locations of libc. Which is useful if you have to find ROP gadgets or you want to do a return-to-libc. And even if your binary uses ASLR, if you are able to leak an address of your binary to defeat its address randomization, you can then calculate the offset to the global offset table and then leak an address of libc that way.

Sometimes you even have a buffer overflow or an arbitrary write in a function, but the function itself never returns, because it calls exit(), or loops forever, thus overwriting the return pointer on the stack doesn’t help to redirect code execution. That’s exactly the challenge in format level 4 of exploit-exercises.com. We cannot overwrite the return address on the stack, so we have to rely on a different technique to gain control over the program execution. See you next time when we use a format string vulnerability to overwrite an entry on the global offset table to redirect code execution.

--------------------------------------------------------------------------------
/liveoverflow_transcripts/0TPXvpaiYWc.txt:
--------------------------------------------------------------------------------

Mindreader had more solves than any other challenge and was considered easy. And still, I failed to solve it. In the end I had solved two medium and one hard challenge, so what was my issue with mindreader? Well. Let me tell you about how I approached this challenge and what went wrong. Mindreader. Can you read my mind? I was wondering what that could mean. Reading your mind. I thought maybe it could be related to reading a process's memory.
Well. Challenge is running at mindreader.web.ctfcompetition.com. When we visit this site we find a very easy form with a text input. If you write something it passes a GET variable f with your input but returns a Not Found error. Well that already smells bad. So a natural first thing to do is to try local file inclusion. And sure, /etc/passwd works. So what do we do now, where can we find the flag?

Usually when I work with a web challenge I use a web proxy like Burp. My Firefox already has the proxy server configured so I just have to start Burp and then can visit the site. Disable the request interception, visit the page and look for the request in the HTTP history. And there it is. When you highlight it you see the request and response details of the HTTP request down here. Then I hand over this request to the Repeater, which is a neat feature of Burp where you can repeat those requests. So it becomes really easy to change the f GET parameter and see the result on the right.

So now I wonder what I could be looking for. I remember a few interesting files on Linux, but obviously I don’t know everything. And one of the first things I noticed was the Server nginx in the response. Which made me start to google for the default config and log locations because I was hoping to learn something about the web app running there. So for example /var/log/nginx/error.log. Or /etc/nginx/nginx.conf. But nothing worked… mhmh. At some point I opened up a terminal and connected to a Linux VM I had running somewhere to find interesting files. Especially because I wanted to check the /proc filesystem. There is a lot of information about your own process there.
So I tried to access a few things like /proc/self/environ which should print the environment variables of your current process. But it didn’t work. Here is the first mistake I made. I wonder if you notice it. I will come back to it in a second.

I then went on and looked for other interesting files, maybe there is something in /dev/. I started to continue trying out different interesting /dev/ files and there was this fd folder. File descriptors. And it’s actually a symlink to /proc/self/fd, so pointing at your own file descriptors. You can see that fd 0 returns OK, and fd 1 and fd 2 just keep hanging, but no error. And there seem to be even more open file descriptors; not only the standard stdin, stdout and stderr. That’s interesting but didn’t give me anything. Anyway. This was my second mistake. Do you notice my mistake here? I didn’t, so I thought this is going nowhere.

So I started to work on another challenge and procrastinated checking Twitter. And there was an unread message. This guy had some problems with Joe and asked me about it. Had a short chat about the CTF and because he saw I didn’t solve mindreader yet, he told me I could easily do it. Well… yeah I assume because it’s an easy challenge that I should be able to do it, but so far I’m stuck. And then the worst thing happened. He sent me a spoiler for the challenge. Please don’t do this. If I don’t solve a challenge I don’t mind and I will seek out writeups after the event. But in the moment you deprive me of a valuable learning experience. Because even when I’m stuck with a challenge I start researching. And the bits of information I read and pick up left and right make me more knowledgeable in general. And next CTF I will be better.
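Added example, not from the transcript and not the challenge's code: a Python sketch of the two server-side behaviours this transcript circles around, a substring blocklist on /proc of the kind the challenge turns out to use, next to a hardened check that resolves symlinks and ".." before applying an allowlist, so that /dev/fd/../environ (the /dev/fd symlink to /proc/self/fd is noted above) is judged by where it resolves, not by how it is spelled. The function names, the web root `/var/www/files` and the uniform 404 in `respond` are assumptions for illustration.

```python
import os

WEB_ROOT = "/var/www/files"   # assumed directory the application is meant to serve files from


def naive_filter(user_path):
    """
    Substring blocklist of the kind the challenge in the transcript appears to use:
    anything mentioning /proc is refused, everything else is opened as given.
    Returns the path to open, or None when blocked.
    """
    if "/proc" in user_path:
        return None
    return user_path


def hardened_check(user_path, root=WEB_ROOT):
    """
    Allowlist on the *resolved* path: follow symlinks and collapse '..' first,
    then require the result to lie under root. A blocklist on the raw string
    never sees that /dev/fd/../environ resolves to /proc/self/environ on Linux.
    """
    resolved = os.path.realpath(user_path)
    root_real = os.path.realpath(root)
    if os.path.commonpath([resolved, root_real]) != root_real:
        return None
    return resolved


def respond(user_path, check=hardened_check):
    """
    Minimal handler. Blocked and missing files both answer 404, so a probe cannot
    tell a filter hit from a miss (that distinct error was the transcript's first clue).
    """
    path = check(user_path)
    if path is None or not os.path.isfile(path):
        return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


if __name__ == "__main__":
    probes = ["/etc/passwd", "/proc/self/environ", "/dev/fd/../environ",
              "/var/www/files/../../../etc/passwd", "/var/www/files/readme.txt"]
    for p in probes:
        print(f"{p:40} naive={'pass' if naive_filter(p) else 'block'}  "
              f"hardened={'pass' if hardened_check(p) else 'block'}  "
              f"status={respond(p)[0]}")
```

The two lessons from the transcript map directly onto the two functions: a filter that inspects the string the client sent can be sidestepped by any alias of the same file (symlinks, "..", encodings), and a filter whose rejection is distinguishable from a plain miss hands the tester an oracle for free.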
I tried to stay away from mindreader after that, but it was bugging me and for my own curiosity and because I was failing with another challenge I just had to look what the hint is. I just can’t ignore this, it’s in my head. And the code revealed that the flag is in the environment variables, which I already had a hunch for as the possible place, but now I know the goal. And it also shows why /proc/ didn’t work. There is a filter. And it hit me in the face. I realized the two major mistakes I made and how I could have solved it on my own. This right here has turned into a valuable lesson for me.

Ok let’s have a look at my first mistake. When I tried to access something in /proc and get the error, it’s actually a different error than when I try to access some random other file. I did not notice that. The second mistake I made was when I checked /dev/fd/. Because I knew it was a symlink to /proc/self/fd from my example Linux system, and while I did wonder for a second why that works, I filed it away as a small oddity. If I had made notes of the weirdness that I see with accessing /proc and that apparently the symlink works I could have combined those two things and figured it out myself. But I didn’t. I was sloppy, I didn’t take proper notes, and most importantly I didn’t pay attention to the details. Oftentimes when it comes to hunting for bugs it’s the small oddities you must not ignore. A hacker who can focus on details will discover great vulnerabilities. So when I saw that proc was filtered and returned another error, and that I had to access the process's environment variables, I immediately knew what to do and tried to use the symlink to /proc/self/environ through /dev/fd/..
One directory up, ../environ, and get the flag. Solved. Well not really. I got a spoiler. I’m not sure if I had solved it without. Maybe, maybe not. It was certainly not hard, but I made mistakes. And while it was a good lesson for myself, I hope it will also show you that, if you allow me this arrogance, even I can fail easy challenges. Sometimes knowledge and experience is missing, but oftentimes the issue is just not paying attention to all the information you have been given.

/liveoverflow_transcripts/Yfsmc0b8o78.txt:

This is a nearly true story. The events happened about eleven years ago at Tymshare, a company which provided commercial timesharing services. This story is an excerpt from a famous 1988 computer science paper. At the end of the story we will understand why the browser is a very. A very confused deputy. But let’s continue with the story.

Our operating system was much like Unix in its protection structures.... A compiler was installed in a directory called SYSX. A user would use the compiler by saying “RUN /SYSX/FORT”, and could provide the name of a file to receive some optional debugging output... We had instrumented the compiler to collect statistics about language feature usage. The statistics file was called /SYSX/STAT, a name which was assembled into the compiler... To enable the compiler to write the /SYSX/STAT file, we added the compiler /SYSX/FORT to the user group. The operating system allowed a program with those permissions to write files in its home directory, SYSX in our case. The billing information file /SYSX/BILL was also stored in SYSX.
Some user came to know the name /SYSX/BILL and supplied it to the compiler as the name of the file to receive the debugging information. The compiler passed the name to the operating system in a request to open that file for output. The operating system, observing that the compiler had user permissions, let the compiler write debugging information over /SYSX/BILL. The billing information was lost.

Who is to blame? What can we change to rectify the problem? Will that cause other problems? How can we foresee such problems?

The fundamental problem is that the compiler runs with authority stemming from two sources. (That’s why the compiler is a confused deputy.) The invoker yields his authority to the compiler when he says “RUN /SYSX/FORT”. The other authority of the compiler stems from its user group permission. The compiler serves two masters and carries some authority from each to perform its respective duties. It has no way to keep them apart… When it produces statistics it intends to use the authority granted by its user group permission. When it produces its debugging output it intends to use authority from its invoker. The compiler had no way of expressing these intents!

The Confused Deputy. Norman Hardy, 1988.

Wikipedia summarises this as: A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation.

Authority might sound weird at first. But authority simply means it was given the permissions and the ability to perform a certain action. And it might have unintended side effects, because there are multiple authorities involved. And this is what we see on the internet. The confused deputy here is the browser.
The browser was given authority to handle the sensitive user authenticated session of a website. But sometimes a third party is invoking the browser to perform something unintended. For example cross site scripting. A browser simply executes JavaScript. A browser doesn’t know if a script is malicious or good. Like the compiler in the story didn’t know if the file name passed to it is good or evil. But because the browser has the authority of performing authenticated requests, somebody controlling this JavaScript can fool the browser to do something bad. It’s not the attacker who performs the request. The browser is executing the attack, not intentionally. But that’s why we call the browser confused.

Same thing with cross site request forgery. A browser will simply parse HTML and fetch every image embedded on that site. It doesn’t know if a certain image source is actually a URL that has bad side effects like deleting a user’s account. But again, the attacker tricked the browser into executing a privileged action.

And the weird thing is, neither executing JavaScript, nor handling authenticated sessions is a security vulnerability. This is not a bug in the browser. This is how the browser is supposed to behave. Hell, even injecting JavaScript into a site is by itself not a vulnerability of a web application. You don’t get code execution on the server with that. You don’t get access to private user data directly from the server. ONLY because the browser has a special authority and we trick the browser into doing it for us, it suddenly evolves into a security issue.

And I believe that this is a good way of thinking when approaching and researching a new piece of software. Don’t always look for this single shot vulnerability.
This one buffer overflow to rule it all. Think about what kind of legitimate authority a software has. What are the permissions and privileges it has, that you don’t have? And once you identified such a system, ask yourself, can you outsmart it? Can you use this system to do something else? Like we indirectly use the browser to do actions? As Wikipedia says, this is a special kind of privilege escalation. You don’t have the privilege to access the private Facebook messages of another user, but if you get JavaScript into the Facebook page, then suddenly you can confuse the browser and indirectly derive this privilege.

Now another confused deputy on the internet is the webserver, or the application running on it. There is a cool vulnerability, that is kind of related to cross site request forgery, just instead of making the browser perform a request, we make the server execute a request. This is then called server side request forgery - SSRF. There is a legitimate use-case why a server would want to be able to perform requests when a user asks for it, but this can have devastating results. But SSRF will be a topic for another video.

Something I haven’t mentioned yet is, that the confused deputy story is actually about introducing a reason for a different permission model, called “capabilities”, because it shows flaws in our traditional permission model. But we won’t go into that now. I just think the concept of a confused deputy is important to know and provides a good abstract classification of security issues. What do you think? Is this an important way of thinking? See you next time. And I hope you don’t get confused.
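As an added example (not from the transcript, nor from Hardy's paper), here is a toy Python replay of the Tymshare story that makes the "two sources of authority" concrete. Under the ambient model the compiler opens every file with the union of its own SYSX group and the invoker's groups, so the operating system has no way to know which authority a given open was meant to use; under the capability model the invoker has to open the debug file with their own authority and hands the compiler an already-open handle, so there is no file name left to confuse. The in-memory file table, group names and the `Handle` class are constructed for illustration; the paper's actual permission rules were more specific than this sketch.

```python
"""Toy model of the Tymshare story: ambient authority vs. an explicit capability."""

# Constructed file system: path -> (owning group, content)
FILES = {
    "/SYSX/FORT": ("SYSX", b"<compiler>"),
    "/SYSX/STAT": ("SYSX", b"feature counts"),
    "/SYSX/BILL": ("SYSX", b"billing records"),
    "/home/user/debug.txt": ("users", b""),
}


def owning_group(path):
    return FILES[path][0]


class Handle:
    """An open-for-write handle. Whoever holds it can write; the check happened at open time."""

    def __init__(self, path):
        self.path = path

    def write(self, data):
        FILES[self.path] = (FILES[self.path][0], data)


def os_open_write(path, groups):
    """Ambient-authority OS check: the caller's group set decides, like the story's home-directory rule."""
    if owning_group(path) not in groups:
        raise PermissionError(f"{path} not writable with groups {sorted(groups)}")
    return Handle(path)


def compiler_ambient(invoker_groups, debug_path):
    """
    The deputy as in the story: it runs with its own SYSX group plus the invoker's
    groups and uses that merged set for *both* the statistics file and the user's
    debug file. It cannot express which authority it intends to use for which open.
    """
    groups = {"SYSX"} | set(invoker_groups)
    os_open_write("/SYSX/STAT", groups).write(b"feature counts")
    os_open_write(debug_path, groups).write(b"debug output")


def compiler_capability(debug_handle):
    """
    Capability style: the compiler still uses only its own authority for /SYSX/STAT,
    while the debug file arrives as a handle the *invoker* had to open with the
    invoker's own authority. No path is passed, so there is nothing to confuse.
    """
    os_open_write("/SYSX/STAT", {"SYSX"}).write(b"feature counts")
    debug_handle.write(b"debug output")


def run_story(model, debug_path="/SYSX/BILL"):
    """Replay the incident under one model; return (outcome, content of /SYSX/BILL afterwards)."""
    FILES["/SYSX/BILL"] = ("SYSX", b"billing records")
    user_groups = {"users"}
    try:
        if model == "ambient":
            compiler_ambient(user_groups, debug_path)
        else:
            handle = os_open_write(debug_path, user_groups)  # the user's own open, own authority
            compiler_capability(handle)
        outcome = "written"
    except PermissionError:
        outcome = "denied"
    return outcome, FILES["/SYSX/BILL"][1]


if __name__ == "__main__":
    for model in ("ambient", "capability"):
        print(model, run_story(model))
```

The same split is what the browser lacks in the XSS and CSRF cases above: a request carries the user's session cookie (ambient authority) no matter who caused the request, which is why defences such as SameSite cookies and anti-CSRF tokens amount to attaching the invoker's intent to the request instead of relying on the deputy's standing permissions.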
/liveoverflow_transcripts/hRei9xXRAGE.txt:

Let’s have a look at another ffmpeg vulnerability. Again Paul will walk us through the vulnerability that he found together with Emil and I try to understand it and add some comments. Hopefully to make it a bit easier to understand.

In the previous issue we achieved code execution quite easily, this time we will have to be much more accurate during exploitation. This crash was found during fuzzing the RTMP protocol. This protocol is binary, so let’s open this up in my favourite hex editor called radare2. I like to use it when viewing binary files, because it has a very shiny UI. Nothing too special here, just some binary data. So let me tell you something about this protocol, while I am launching the binary once again. RTMP stands for Real Time Messaging Protocol, actually it was developed by Adobe for real-time streaming of audio and video. The protocol has actually a lot of stuff inside and I had to spend some time learning the specs before getting into exploitation. All you need to know about the RTMP protocol so far is that it does a handshake first and then it starts to transfer data in small chunks and the maximum size of each chunk is one hundred and twenty eight bytes.

Now, let’s dig into the source code once again. So after passing the version check and doing some handshakes we end up in the packet read function in rtmppkt.c. This function simply reads one byte of the header and then calls the most important function in a loop. And this is the function which does all the parsing of the protocol.
There are a lot of structures, functions and allocations and all of them are important. As you can see each chunk has the channel_id. It is basically the identifier of each RTMPPacket in the array, which corresponds to its own buffer. One channel may be filled by multiple chunks, because the maximum size of each chunk is a hundred twenty eight bytes and packet data might be much larger. Each chunk has fields like size, type, header, timestamp and some extra data. So if the current channel does not exist yet, an RTMPPacket structure is filled in the array and a buffer is created for it. So the av_realloc function with a NULL pointer means simply, do the allocation of the corresponding size. Otherwise data is just filled in the existing structure and the buffer. So if you pay enough attention, you may notice an issue there: when the structure is filled for the second time, there is no check that the buffer size passed for the second time is actually the same as the size of the allocation made the first time. And this is how we manage to overflow the heap.

Ah yeah this makes sense. So the packet contains a channel ID read from the header. And if this packet was not seen before it will allocate it with the size. But if an attacker sends the packet with the same packet id again with a different size it will not be reallocated. Let’s visualize that. If we send a packet with id 1 and size 0xa0 it will get allocated. Then we can send another packet with id 2 and the size 0x80 and it will get allocated after the first one. Now we send again a packet with id 1 and a much larger size, like 0x200. Now we overflow stuff on the heap. Awesome. Let’s try to gather some primitives from the source code.
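Added example, neither ffmpeg's code nor Paul's proof of concept: a toy Python model of the per-channel bookkeeping just described, one buffer per channel_id on a bump-allocated byte array, so the 0xa0 / 0x80 / 0x200 visualization above can be replayed and the missing check shown in both states. With `strict=False` a later chunk's declared size is trusted without comparing it to the original allocation, which is the flaw the transcript points at; with `strict=True` a mismatching size, or data that would run past the allocation, is rejected. Class and field names are constructed for illustration, and the 128-byte chunk limit is ignored so that three calls suffice.

```python
"""Toy model of the RTMP chunk-reassembly bug described in the transcript (not ffmpeg code)."""

HEAP_SIZE = 0x400


class Heap:
    """Bump allocator over one bytearray, so neighbouring buffers are adjacent like on a real heap."""

    def __init__(self, size=HEAP_SIZE):
        self.mem = bytearray(size)
        self.top = 0

    def alloc(self, size):
        off = self.top
        if off + size > len(self.mem):
            raise MemoryError("toy heap exhausted")
        self.top += size
        return off


class Reassembler:
    """
    One buffer per channel_id. On first sight of a channel a buffer of the declared
    size is allocated; later chunks are copied into the existing buffer.
    strict=False: a later declared size is trusted without checking the allocation
                  (the flaw described in the transcript).
    strict=True:  sizes that disagree with the allocation, or data that would run
                  past it, are refused.
    """

    def __init__(self, heap, strict):
        self.heap = heap
        self.strict = strict
        self.channels = {}   # channel_id -> {"off", "alloc", "size", "filled"}

    def handle_chunk(self, channel_id, declared_size, data):
        ch = self.channels.get(channel_id)
        if ch is None:
            ch = {"off": self.heap.alloc(declared_size), "alloc": declared_size,
                  "size": declared_size, "filled": 0}
            self.channels[channel_id] = ch
        elif declared_size != ch["alloc"]:
            if self.strict:
                return False             # fixed: a size that disagrees with the allocation is refused
            ch["size"] = declared_size   # vulnerable: bookkeeping now exceeds the real buffer
        if self.strict and ch["filled"] + len(data) > ch["alloc"]:
            return False                 # fixed: never write past the allocation
        start = ch["off"] + ch["filled"]
        if start + len(data) > len(self.heap.mem):
            raise MemoryError("write past the toy heap")
        # In the vulnerable mode this copy spills into whatever was allocated next.
        self.heap.mem[start:start + len(data)] = data
        ch["filled"] += len(data)
        return True

    def buffer(self, channel_id):
        """Bytes currently inside the channel's *allocated* region."""
        ch = self.channels[channel_id]
        return bytes(self.heap.mem[ch["off"]:ch["off"] + ch["alloc"]])


def replay(strict):
    """The transcript's visualization: id 1 (0xa0), id 2 (0x80), then id 1 again claiming 0x200."""
    r = Reassembler(Heap(), strict)
    r.handle_chunk(1, 0xa0, b"A" * 0xa0)
    r.handle_chunk(2, 0x80, b"B" * 0x80)
    accepted = r.handle_chunk(1, 0x200, b"C" * 0x200)
    return accepted, r.buffer(2)


if __name__ == "__main__":
    for strict in (False, True):
        accepted, neighbour = replay(strict)
        print(f"strict={strict}: third chunk accepted={accepted}, "
              f"channel 2 now starts with {neighbour[:4]!r}")
```

The point of the model is the order of the checks: the declared size has to be compared against what was actually allocated before any byte is copied, and the copy itself must be bounded by the allocation rather than by the size field in the packet header, because the header is attacker-controlled and the allocation is not.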
So we could allocate a data chunk by sending a new channel ID. We could overflow the chunk next to it by changing the size. And we could also trigger the reallocation inside the rtmp_check_alloc_array function. If we send a channel_id large enough we will trigger the reallocation of the control structure and it will be positioned right after our buffer we can overflow. By doing this little heap magic we overflow the pointer to the data and get an arbitrary write.

That’s a super easy plan. We just force the reallocation of the array that contains the pointers to the data chunks, and thus the array will be allocated now after the one data packet we have. And then we send again a packet with this id to overflow into this array. And thus control the address of those data chunks and can point it anywhere we want and thus also write there.

So I already did some preparations before and wrote a little proof of concept, because most of the work here was counting the offsets. So there are the functions I wrote. These are lambdas for packing our integers using little endian. The create_payload function helps me to pack data into the RTMP protocol. And the create_rtmp_packet function will help me to create a fake rtmp structure on the heap. Now let’s take a look at the main code. So here the handshake happens. After the handshake I send the first payload with size just a bit bigger than 80 bytes in hex, and some ‘A’s and the channel_id number 4. I do this, to create the control structure on the heap. Next I send some data with a larger channel_id to trigger the reallocation of the control structure.
Next I overflow the next heap chunk, which happens to be the control structure, and fix its size, so that I will have no problems with the heap when I will be allocating more data. I position the fake chunk on the place of the RTMPPacket with the second channel_id. As you can see there I position a realloc@got.plt instead of the data pointer, so I will be able to write to it. As my last steps I write to got.plt with some data, and after I use the big channel_id once again to trigger the realloc function. All of this should give us control of the RIP register. Let’s see.

Super straightforward exploit, right? If you can overwrite an address in the control structure, in this array, you can point it anywhere and write data to it. So here is ffmpeg in gdb with the triggered segfault. And it does, because we have successfully overwritten the .got.plt section. Achieving code execution should be easy from now on. I hope that this video motivated you a little bit and has shown that real-life exploitation may be rather simple and this will encourage you to make your own research. Good luck.

That is a really great example. Thank you so much Paul for sharing this with us and all the work you have put into recording. Make sure to follow him on Twitter and check the description for some links. And don’t forget to check out the podcast episode with Paul, if you haven't listened to it yet.

/liveoverflow_transcripts/bqaZBeZ4zf0.txt:

During the BruCON conference 2016 I participated in the local CTF, where I won 3rd place.
Because it was a CTF for individuals, the difficulty was not high, so I was able to solve many challenges alone. I didn’t record all challenges, but let’s have a look at some of them.

I started with the easy challenge, which I really didn’t like. The description says, that we have to identify unusual traffic in this packet capture and count them. The flag will be the sha256 hash of that number. So let’s download and open up that capture. While doing that I try to think what could “unusual packets” mean? That is not really clear. It highly depends on the context of this network. Let’s say if I have captured traffic from a phone, it could be weird to see ssh traffic. But when I have a capture from a computer, that would be normal. Are unusual packets maybe corrupted ones? Or packets out of order? The hint also says that those packets were sent by the source. So I try to figure out what the heck they mean. I start with some filters for what I think is the source IP, and start looking for packets that are not typical packets like port 80, 443 or 53 for DNS. At this point I give up on the challenge and move on to something else. I wasted too much time not knowing what to look for. This is very frustrating because the challenge description is just not clear to me. It feels more like guessing, rather than showing knowledge or skill. I feel like the challenge should have required more information, a story what exactly we are expected to find in there. Anyhow, I will later get that flag, but in another way. But first let’s move on to another challenge. I don’t like these forensic challenges a lot. So I was very happy to see a reversing challenge. Reverse Beer.
Apparently also pretty easy, find the key - but the flag is not in the standard format. First criticism here, can you then please tell me what format the flag will have, because if you don’t provide a flag format I might have to start guessing and that can be frustrating. But let’s see. So I download the file and check the file format. Looks like a 32bit Linux binary. That sounds great. So I continue and open the binary in Binary Ninja and in parallel I try to run the binary on a Linux system. So here I have a 64bit Linux machine on DigitalOcean, but I can’t execute the binary. I was a bit puzzled by that, but then I remembered I didn’t install the 32bit libraries. While they are installing I have a first real look at the assembler code.

So when I follow main I immediately notice a function call to ptrace, and afterwards a jump not equal, so that is a simple anti-debugging check, that can be simply bypassed by always jumping to the code that continues. You can save that binary and continue to work with that one on the Linux machine. In case you want to debug it. But let’s continue here. Next we notice a call “string to unsigned long”, which will convert a string to a number. Afterwards we see these suspiciously similar blocks in a row - that looks very interesting. But first I want to run the program and see what it does. Ok so we have to provide a number as parameter. I didn’t immediately go for the interesting blocks because I felt I didn’t understand the binary yet and wanted to get a better overview before chasing something down. So for example this f function, which seems to print something. And there are also these huge ascii art pictures that have a symbol name, but in a different language. So I translated those.
Now I understand better what I try to get to. I don’t want this bad ascii output, I want this good output. So now I look at the blocks in the row and see the compares, which probably check the number we enter. Each block takes the input number, extracts a byte from it with masking and shifting, and then compares it. So the first block doesn’t shift, so that’s the lowest byte. The third block shifts by 8 bit, so one byte, and uses test eax,eax, which means it’s checking if the second byte is zero. Then comes the second block which verifies the third byte to be 6b, and the last block checks the last byte with b1. Ok now we have the correct input number, which we can use as a key. It works, we have a different output. And it tells us that the key we found is the flag.

By the way, it’s not BruCON’s fault, because the CTF was organized by a third party, but stupid sexual jokes like that drive women out of this field and it’s not cool. Ok, so despite the flag format not being clear at first, the challenge was telling you exactly what the flag is. Though, in my opinion, this information that the input key is the flag, could have been already disclosed in the description and it would have been completely unambiguous.

Next up, virtual lockpicking for 350. I have no idea why this challenge is worth 350 points and what exactly it is supposed to teach you, or what kind of skill is required, but here is how I did it. So I follow the provided link and find this weird, game website? Looks like a small flash game or something where you have to lockpick? I immediately notice the “DRAFT” tag and the “create” and “see inside” button, which sounds like this website is actually for developing games.
And you can look into the code. So I look inside and get presented these logical code blocks. You can drag’n’drop these blocks and create a program that way. So I’m just clicking around and try to see if something looks like logic that hides the flag or whatever. And eventually I find this weird lonely block with a base64 string. At this moment it was clear that I got the solution. Behind it is a url to an image, which contains the flag. Very easy, didn’t require any hacking skills. Worth more than reversing a Linux binary.

Oh and before I forget it, here is how I solved the first challenge. I just wrote a simple python script that bruteforces the flag. I use a for loop to count up the number of packets, hash the number with sha256, and send the request to the CTF page. And eventually my script stopped, because I found the correct flag. So, I was gaming the game. Still no idea what the unusual packets are, but as a hacker you sometimes have to think around the corner.
/liveoverflow_transcripts/PBvthC7soS4.txt:

so today was the first day of the ctf. in the morning john and i arrived there fairly early to play one of the challenges. that challenge was special because everything got a time slot, one single time slot for that day, and so we had to come in early.

google, why is everything so early? today's the day of the ctf. it's 7:30 and i need to be at 8 at google because they have prepared like a challenge that john and me have to do, like right in the beginning before the ctf starts. uh you will see why in a moment, but i need to very quickly shower and then head out, so see you there. just in time, let's go.

good morning. morning. do you want to be on camera or not? sure. okay, this is for the rico. hello. so do you think you should watch the video first or the picture? uh let's go to the video first. it's six minutes. oh my gosh. it's just this for six minutes? there's no context. i died. all right.

we have a couple of minutes left before the ctf. uh we also received this envelope. every team gets such an envelope. we don't really know what's inside and we wait with opening it up to like nine o'clock when the other teams also open it up. so um we will see what's in there. it's probably like the wi-fi password and things like that, but maybe there's more to it. there's definitely, there's definitely something in it. what is it? wearing nothing. so have fun, good luck and never else ever be in your favor. first one.

so the first actual challenge was just solved by red rocket. unfortunately he was a remote player so they have
no clue how it was solved. but yeah congrats, that was the big first blood i guess.

so the challenge that was just solved by red rocket is called stuffed. it's in the misc category and the challenge description reads: just click the link and the page displays the flag. easy, right? but when you go onto this website it shows a plain like "flag:" and then nothing happens and the site keeps loading and doesn't really do anything. at some point it like crashes, the tab crashes. but when you try to look at the request, for example with burp, you get a very different response. it says not acceptable and the text reads that to avoid a repeat of last month's bandwidth bill we only support browsers that can understand brotli compression; supported browsers include chrome, firefox, edge, safari and opera. of course we are using chrome but we are going through this proxy with this http request. i wonder where the flag itself is hiding. maybe you somehow just have to get to the actual like data stream, but there's the ssl layer, so maybe the stuff that comes out of the ssl layer, at least that was my thought, that might be the compressed data and then you somehow have to decompress it. so i try to use openssl to connect to this ssl server but it didn't seem to work. i get ssl errors, apparently like there's a handshake failure, so now i'm not quite sure how to approach this. also i got to talk to two teams that attempted the b challenge when they were coming out and both teams also didn't succeed, so i'm quite happy about that because we failed.

so this is. foreign. thank you. first one.

okay folks, so all challenges are now released. there will be no more challenges. happy hacking and that's it.
good luck

hey everyone so we have our first attempt for the gomeon challenge which is pwnable it's a browser exploitation challenge one team here by stephen king i think they have an expert so let's try it out all right all right let's try it okay that's it go back to work

okay so there's a serious lack of cola to fulfill my addiction but now there were some so i stole two and i will put them in my bag for tomorrow morning because i need that stuff in the morning it's almost 8 pm which means that the ctf is almost over i think let's go into the ctf room and just have a last overview of how the ctf area looks like after the first day as you can see the ctf players are still concentrated as always by and yeah outside there are just some of the staff the organizers um still hanging out but yeah it's not much going on anymore except here again here look it's gadget overflow my favorite youtuber

so the ctf players just left the scoreboard and challenges stay online but they will not be supported so if the challenges crash overnight or go down um they will not get any support but they still have the chance to solve them overnight so it will be kind of interesting in the next morning when this when the flag submission goes back online again and they can then submit all the flags uh maybe we see a lot of crazy animations tomorrow

so i reviewed a couple of the recordings i've done i'm backing them up always from the sd card so to have it in two places and i noticed that a lot of the footage is blurry because i accidentally switched to auto to manual focus or for example when i talked to guinwell the autofocus was set to looking for eyes
and for whatever reason it didn't really recognize our faces a lot and it focused on the eyes on the laptop from greenville and when he closed it that's when it started to focus back on our faces like things like this i kind of need to learn also for interviews i noticed that the wide aperture to get like the nice blurry effect is not really good because as soon as like the people are at different distances like leaning forward or backward they start to get blurry too that's not a good fit so yeah sorry for the not so great footage um but you know i now i'm gaining experience how to do it better and in the end i still think it shows kind of like the spirit and ex and shares the experience with you

at around 8pm the ctf was over for the day and i yeah and basically all the ctf players went back here to the hotel but i'm sure they will work throughout the night or through most of the night so i will now lay into bed with my laptop try a bit more some of the challenges there's one that i kind of like wanna understand a bit better so i will look more into that i'm i'm not even close in anything solving so does that and then i guess sleep soon so yeah talk to you tomorrow

foreign you

-------------------------------------------------------------------------------- /liveoverflow_transcripts/8ev9ZX9J45A.txt: --------------------------------------------------------------------------------

Security CTFs, or Capture-The-Flag competitions have nothing to do with paintball or shooter games, but they are awesome to learn hacking. They can be very challenging and teach you a lot of new skills.
In this video I want to tell you about what kind of challenges there are and how you can find CTFs to play.

Generally there are two categories of CTFs. Jeopardy-style and Attack-and-defense. While the second one sounds like a lot of fun, personally I have never played one. So I will only focus on the Jeopardy-style, especially because it’s easier to get into.

So a typical CTF offers a bunch of different challenges that you have to solve. Most commonly you have to exploit some kind of service so you get remote access to the server, so you can then read the content of a file that contains a special string, the flag, which is proof that you hacked the system. You can then enter that string in a form and you get points depending on how hard the challenge was for your team. Usually a challenge has a title, a short description and maybe infos on how to reach the service or a file to download. Oftentimes the title or description is already a small hint. So for example there was a challenge called sha1lcode at the HITCON CTF 2014, and without really looking into the challenge I already assumed that you have to write shellcode, and it has something to do with sha1 hashes. Maybe writing shellcode in the form of sha1 hashes. And indeed, that was the solution in the end.

There are a lot of different kinds of challenges, and sometimes you get some new creative ones, but the typical topics covered are reversing, pwning, crypto, web and maybe misc or programming.

Reversing usually comes with an executable, a program you can download and run locally. The program implements some kind of algorithm that checks an input key. If you find the correct key, which is oftentimes already the correct flag, then you solved it.
So solving it requires you to reverse engineer and understand the implemented algorithm to deduce the correct input key. A good example for that is my Zwiebel video write-up.

For pwning challenges you often get also an executable, but with it an IP address and port of a server running this program. So you have to figure out how to exploit the program to gain remote code execution. You develop your exploit locally and then use it against the server, where you can then read the flag file. These challenges range from simple buffer overflows to very advanced heap feng shui stuff. And they are the most interesting ones to me. The cookbook challenge video writeup on my channel is one example of such a challenge.

Crypto, like the name says is about cryptography. Sometimes it’s about attacking a self-made cipher, or very simple crypto attacks like weak random generators. But it can get really advanced and mathematical. Where you are basically lost if you are not up to date with the research and papers from that field. I have a simple crypto video writeup from the Internetwache CTF that gives you an idea, but there are way more advanced ones where I just yield. You should check out hellman’s writeups.

Web challenges are also clear, they are about web applications. Usually you get a URL and you have to exploit maybe an advanced SQL injection, or bypass authentication. Sometimes even XSS or CSRF challenges. I also have a web challenge writeup where you can get a feeling for what it is about.

Misc basically covers anything else. And programming is also self explanatory. Mostly it’s about clever implementations of solving some kind of problem.
Now that you are excited about solving some of these challenges, let’s talk about where you can find them. The best platform for all of this is ctftime. It’s made by the CTF community for the CTF community. You can see which CTFs are upcoming and you get information like the format, when it happens and where to register. You can also see the archive of competitions in the past. So for example the HITCON CTF recently. And below, you see the final ranking of all teams.

Each CTF has points attached to it. Hard CTFs have high numbers like 50, or 75 points. Easy CTFs have maybe only 5 or 10 points you can get for them. So if you participate in a very hard CTF and do well, you are rewarded more than for easy college CTFs where you can easily get rank 1. But those CTFs are also really damn hard. At least I struggle a lot with them. Over the year the CTF teams collect these points and you have an overall ranking. Being in the top 50 is quite challenging.

But how to find a team? Well it’s like finding a group of friends. There is no one way how to do it. I found my group from another security competition I participated in. And we kept hanging around on IRC and started playing other CTFs. And suddenly we had a serious team. Before that I played CTFs solo, which meant I would maybe solve only one challenge per CTF but that’s fine, I can’t compete with the crazy skilled people anyway, and I just play for my own curiosity. But you could also check out the reddit CTF team OpenToAll, which is, like the name says, open to everybody.

But all these CTFs are usually short. They are over a weekend. Maybe 48-72 hours. But there are also websites where these kind of challenges are available forever.
So I played a lot on w3challs, smashthestack and overthewire.

In the beginning you will realize you know nothing. You fail every challenge you try. But that’s normal. So what I always do, I will look up the challenge after the event. Because people create writeups or upload their exploit script. And then you can work through those solutions. You can research topics you didn’t know about. You see how other people solve it. And you start to gain experience. And you will see that after a couple of CTFs you start to be able to make progress yourself. So for that purpose you should look up the writeups on ctftime, or the ctf writeup github repository (maybe contribute yourself by gathering other people’s writeups and create a pull request), or simply hang around on the IRC channel of the competition, because people will start discussing solutions afterwards.

I hope this quick overview was helpful to get into challenges yourself. And maybe consider recording yourself solving them during the CTF. Just make sure you don’t beg for flags, solutions and hints. Respect the competition. Be excellent to each other. And accept your lack of skill and convert it into motivation to learn more.

-------------------------------------------------------------------------------- /liveoverflow_transcripts/OZvc-c1OLnM.txt: --------------------------------------------------------------------------------

We can use static analysis and reverse engineer the license check algorithm and write a keygen to generate valid keys. Obviously this algorithm also can become very complex but generally, if you put a lot of work in it, you can figure it out.
Now you tell that to your manager, but he is a smart ass and tells you: “then stop people from being able to reverse engineer the binary”. Then you drag yourself back to the desk and you come up with a new creative way how to stop somebody from debugging or reversing it.

Because you are a pro, you understand that an executable is a very complicated file format. With objdump we have seen that this executable has a lot of information in there, that is needed to load and execute it. But you also realise that a program like gdb has to parse the executable to be able to disassemble and debug it. And radare has to read and parse the executable file to show you stuff. So could you modify the executable in a way, that you can still execute it with linux, but gdb and radare tell you that something is broken?

What we are looking for is a parser differential. We hope that the parser from execve differs from the gdb parser. In an ideal world, every program that reads input, would do it in the exact same way. But every tool implements the parsing algorithm a bit different. So if you screw with the input, linux might see a valid file and execute it, while gdb says it’s broken and cannot be disassembled. Let me show you a very naive way how to find something like that. With fuzzing.

So let’s create a new python script called fuzz_elf.py. First we import some modules we need. Import random. And import os.

First function we will write is called flip_byte. As a parameter it takes a big string. Which will be the whole executable file later. Then we select a random index i, between 0 and the max length of the input. Then we select a random character that we will use to overwrite a byte in the program.
So character byte from a random number between 0 and FF, which is 255. Then we return the original bytes up to index i. The next character will be the randomly created one, instead of the original character i at this point. And we append the remaining original bytes. If you want to understand this fancy bracket colon index stuff in python, just google ‘python lists’.

So just a quick example of this function:

print flip_byte(“ASD123”)

With yy you can copy this line and with p you can paste it multiple times. And now you can see that a random character got changed to something else. With dd you can delete those lines again.

Now we want a function that copies the original binary but flips a byte and saves it in another file. We call this function copy binary. So we open the normal license_2 and a copy license_2_fuzz with write access. Now we read the whole original file, and pass those bytes to the flip_byte function. Now this returns a copy of our license_2 executable, just with a random byte flipped. And then we write this to the copy. If we just run this now, the new license_2_fuzz file will be not executable, so I already create this file as a copy from the original, and it will be executable.

Now obviously we flip weird stuff. And the file might not be executable anymore. So we should check if the program still works the same way. This means, that it should print Access Granted with a valid key. So this output should be the same for the original and the fuzz program. That’s why I redirect this output to a file called, original_output. Now let’s write a python function that runs the fuzz binary once a byte got flipped and let’s check if it outputs the same thing.
A really ugly way how I do this now, just because it’s less code, I execute the same command like I just did, just pipe the output into fuzz_output. Now I add a function to compare the original output with the fuzz output. And also let that result return from the check output function. Ok so this function checks if the binary still executes normally.

Now let’s think about how we can check if gdb still works. Basically we don’t want people to disassemble main. So you can use echo and pipe this command and quit into gdb to get the output. So echo -e and this here just basically types those two commands and with the pipe we redirect this to the input of gdb. This looks good. So let’s simply redirect this output also to a file, that I will call original_gdb. Now let’s basically create the same function, just with check gdb. And then compare those two files.

Now let’s do the same for radare2. Here we just use the commands aaa, s sym.main and pdf. Also store this output in a file. And now again we create a check radare function. You can use Shift V, which you can use to highlight multiple lines, and with y you can copy it and paste it with p.

Ok… almost there. Now let’s create an endless loop. Where we first create a new copy. Then we check if the executable still works. If that works we want radare and gdb to fail. So let’s do if not check_gdb and not check_radare. If we reach this here, we print success and exit. Then we print the tail of the radare and gdb output. Just to have a visual check if the disassembly failed in a way. With raw_input we can halt the python program until we hit enter.

Now let’s run it. Ah another small mistake. This should be f1 instead of fn1. And I just discovered another mistake.
Ok it found something, but we clearly still see disassembly there. So let’s just continue until we find an output without disassembly. Uh. That looks good. Let’s investigate. Binary still works. Gdb can’t find a main function. And radare also has problems. Haha! that is cool :D

I admit, this is very ugly. This is not really a good technique that you can use in practice. But that is basically how fuzzing works. And how you might discover cool new tricks to hide your malware and make it harder for people to analyse it.

If you want to learn more about this you can read this one, which calls this a “novel technique”, but it is not really new. And there is a bit more in depth research on the ELF file format from IOActive. And you can go even deeper and read even more crazy ELF file format tricks in the holy “International Journal of PoC || GTFO - Issue 0x00“

My binary can be found in the github repository and you can try different tools like hopper or IDA and see if they still analyse it automatically. But I suspect they do. So this is just one small trick which can annoy somebody trying to analyse it.

Now you can go back to your manager and tell him, that he should hire some web developers and move the product into the cloud, so that the code only runs on the servers you control.

-------------------------------------------------------------------------------- /liveoverflow_transcripts/DkL3jaI1cj0.txt: --------------------------------------------------------------------------------

Welcome to the second video in the AngularJS sandbox bypass series. In the previous video I have provided a quick overview of AngularJS. Now we will dive right into AngularJS internals by debugging why alert in an AngularJS expression doesn’t work.
The research I’m showing off here was not done by me. I build upon the research done by other people. Most notably mario and gareth. I have not found any angularjs sandbox bypasses myself, but I understand them now, so I want to pass on this knowledge.

Now let’s execute the expression with the alert by submitting this form. The site loads, executes angularjs, the expression gets evaluated and we hit our first breakpoint. The first breakpoint is hit in a function called getterfn. That means Getter function. You can see that in the call stack to the right. I have also added some comments here. Getter fn is a function that creates a string with some javascript code. The variable with that code is called code. And because we hit a breakpoint we are currently in that context. So we can access this variable code in the console and look at what it contains. You can also see that it somehow includes the alert that we used in the expression. It looks like this code checks if alert is a property of s or k. And tries to get that property from s or k.

And right below the breakpoint you see a call to the Function constructor. The constructor is called with s and k, meaning those are variables that should be known inside of the function. And third parameter is finally the javascript code. So this function constructor is fancy javascript stuff. That creates now a function with two parameters s and k. With the code that was created as a string. And that function could then be actually called. So that function contains some dynamically generated javascript code trying to get the property alert of s or k.

Let’s quickly make an example what getting the property means in javascript. So here is a simple object a, with two properties b and c.
You can now check that a has the property b, but not the property f. And you can access the property’s value with .b or in brackets. That’s the same. Also the object a automatically has the function toString. So functions are also just properties on an object. Instead of getting a value like 1, you get a function back. And you can call it by adding the parentheses for the function call. Ok…

So this getterfn function in angularjs creates a new function which tries to get the property alert from an object passed as parameters s or k if executed. Let’s see what happens when we continue in the code. The next breakpoint is hit and we are now in a function with the name underscore functionCall. This function prepares arguments for a function to call. Our expression attempts to call the function alert, so that makes sense. Our first argument of our alert is the number 1. So this function parses the parentheses with the arguments and creates an array args with all the parameters. And args is now an array with only one element. The number 1.

Below our breakpoint you can see a call to a function called fn, with the scope as the first parameter. That’s the angular app scope we have talked about earlier. If that returns nothing, noop will be used instead. So what is fn. Fn is a short function calling another function getter. When we click on getter we can see what getter is. Getter is set here as the result of getterFn. And we know what getterFn does. GetterFn creates a function that tries to get the property alert of an object. So getter is now that function. And getter is basically fn. And fn is called with the scope. So all this fn call tries to do is, to get the property alert from the scope.
If that was successful, fnPtr, function pointer, would contain a reference to the alert function from the scope. But the alert function doesn’t exist in the scope object, thus fnptr will be noop. And noop is just an empty function doing nothing. And this is why the alert(1) fails. Because the scope has no function alert defined.

Okay now we understand angularjs expressions better. AngularJS evaluates those expressions. It parses them and does some fancy javascript foo. So when you write an identifier like username or in this case alert into an expression, angularjs tries, in a fancy way, to get the property alert from the scope object. And then call this as a function. So we know now, basically whatever we type in an expression, it has to exist in the scope. This is basically a javascript sandbox. AngularJS expressions are kinda javascript syntax, but are parsed and evaluated by angular and you are only allowed to access variables or functions from that scope object. You are not allowed to access global functions like alert. Or the cookies.

Now we want to break out of this scope object and try to access those dangerous global functions. So here it comes. How we can break out of the scope. The scope object is like any other Javascript object, it automatically has the property constructor. The constructor of the scope object gives us the object constructor. And the constructor of the object constructor gives us the function constructor. That’s like the highest constructor in Javascript. The constructor of a Function constructor is again the function constructor. And we have just learned what the function constructor can do, from getterFn. We can create an arbitrary javascript function.
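The scope lookup just described, as an added JavaScript example (my code, not the video's and not AngularJS source): a tiny model of what getterFn's generated code does when it walks an identifier path against the scope, showing why alert resolves to noop while constructor.constructor reaches the Function constructor, next to a member-name check in the spirit of the ensureSafeMemberName guard that later AngularJS 1.x versions carry (the blocklist here is my own).

```javascript
// Added example (not from the video or the AngularJS source): a minimal
// model of how an AngularJS expression resolves identifiers against the
// scope object (s) and locals (k), and why `constructor.constructor` escapes.

// Mimics the code string getterFn generates: walk a dotted path, reading
// each segment as a property of locals (k) if present there, else scope (s).
function naiveLookup(scope, path, locals) {
  const segments = path.split('.');
  let current = (locals && segments[0] in locals) ? locals : scope;
  for (const segment of segments) {
    if (current == null) return undefined;   // like the s&&s.x checks in the generated code
    current = current[segment];              // inherited properties are found too!
  }
  return current;
}

// What _functionCall ends up with as the callee: the getter result, or noop.
const noop = function noop() {};
function resolveCallee(scope, path, locals) {
  const fn = naiveLookup(scope, path, locals);
  return typeof fn === 'function' ? fn : noop;
}

// Hardened lookup: refuse member names that reach the Function constructor
// or the prototype machinery. This blocklist is mine, modelled on the idea
// behind AngularJS's ensureSafeMemberName, not copied from it.
const FORBIDDEN = new Set(['constructor', '__proto__', '__defineGetter__',
  '__defineSetter__', '__lookupGetter__', '__lookupSetter__']);
function safeLookup(scope, path, locals) {
  for (const segment of path.split('.')) {
    if (FORBIDDEN.has(segment)) {
      throw new Error(`Referencing "${segment}" in Angular expressions is disallowed`);
    }
  }
  return naiveLookup(scope, path, locals);
}

// Constructed scope, like an app's $scope carrying a username.
const scope = { username: 'alice' };

// {{alert(1)}}: alert is not a property of scope, so the callee is noop.
function demoAlertIsNoop() {
  return resolveCallee(scope, 'alert') === noop;
}

// {{constructor.constructor('...')()}}: scope.constructor is Object, and
// Object.constructor is Function, which builds a function from a string.
function demoConstructorEscape() {
  const F = naiveLookup(scope, 'constructor.constructor');
  const made = F('return 6 * 7');          // stands in for alert(1)
  return F === Function && made() === 42;
}

// The same path through the hardened lookup is rejected before evaluation.
function demoHardened() {
  try {
    safeLookup(scope, 'constructor.constructor');
    return false;
  } catch (e) {
    return /disallowed/.test(e.message);
  }
}
```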
So for example we can create a function containing the code alert(1). The constructor created now a new javascript function. And then we can call this function by adding parentheses and get an alert! So because we can get the function constructor from the scope by using constructor two times, we should be able to create a function with alert and execute it. At least that seems to work in the console. Does that also work in an angularjs expression? To put it into an angular expression we simply have to remove the scope in the beginning, because each expression gets already evaluated against the scope. So let’s put it in there and try it.

So the first breakpoint is again in the getterFn function. And when we look at the dynamic code that got generated this time we see it attempts to get the constructor of s. So that seems to work! This means it will then later try to get the property constructor of the scope, which obviously does exist. That looks good! And if we just let the code run, we get the alert! Awesome!

In the next part of this series we will have a look at a more advanced and more recent bypass for angularjs version 1.4.7.

-------------------------------------------------------------------------------- /liveoverflow_transcripts/u_U6F2Kkbb0.txt: --------------------------------------------------------------------------------

A package arrived from the netherlands. This can only mean one thing. It’s the board for the embedded hardware CTF by riscure. So let’s see what’s in there. We got a couple of stickers, very nice and an anti-static bag with the arduino board. Let’s remove the staple and see inside. So we got a couple of connectors that we can solder to the board, and the board itself.
As you can see the board has a mini USB connector, a reset button, 4 LEDs, and several connectors. We should solder these connectors to the board in order to be able to more easily attach cables if needed. And we can stick it onto a breadboard.

To solder the board I use a 3rd hand that holds the board for me. I apply some soldering flux, which helps, and then I simply apply some solder. So now we got the long row. Please don’t judge my solder job, I know it is a bit crooked. I don’t do this a lot. And then we turn the board around and connect the other 6 pins to stick out the other direction. Once we are done, we can place the arduino board on a convenient breadboard, which is great to attach other wires and so forth. But turns out I suck at soldering, and it’s so crooked, that I can’t really get the board in, so I use a paper towel to cushion the pressure a bit and apply some force to get it in there. Then I do some sanity checks, to make sure I didn’t accidentally connect ground with another pin that shouldn't be ground. If you hear it beeping, that means these pins are directly connected. But these ones are all fine.

Now let’s have a closer look at the board. We can remove the sticker from the microcontroller to reveal the exact model number. And we start collecting information about the board that might be important later. For example knowing the exact chip identifier, we can look up the data sheet and learn more about the hardware. So here we got an Atmel MEGA, or ATmega, 328P. I mean this is not really surprising, we already know that the embedded system is an arduino nano from the CTF description, but it’s good to know.
We also might understand now, that this is actually not an official arduino board from the arduino company, but an arduino compatible board based on the open arduino design.

So, now let’s get really started. Let’s put the stickers that came with the board onto our laptop to make this legit. Now we are allowed to connect the board with a mini USB cable to our laptop. The green power LED is turned on, and the red LED is blinking slowly, indicating that it’s working. Now we can log into the CTF websites.

Before we can start with the challenges we have to personalize the board. So the board is preloaded with a custom bootloader, which is capable of decrypting the challenge binaries and flashing them onto the board. To tell the bootloader the personal secret key, we have to flash this personalization binary. At least that is what I think it does. I think this binary might be encrypted with a master key that is known to all bootloaders, or simply obfuscated, and it will then place our real personal key somewhere into the board. Maybe it overwrites parts of the bootloader data or gets burned into it another way. I don’t know.

To load this binary onto the board we have to run a program called avrdude, which is a program that allows to flash code onto microcontrollers. Riscure already tells us how to do this, we have to run avrdude, tell it that it’s an arduino board, the processor type, atmega328p - which we already know - then the connected serial USB device, the baud rate for the serial connection, some other flags and at the end the flash command, to flash the setup.hex, that is the personalization binary. I think the easiest way to get a working avrdude setup, is to simply download the arduino IDE, which is used normally to write and program arduino boards.
It contains an avrdude binary and config already. Ok, now that we have installed arduino, we can look for the binary in the application package, and there it is.

Now we need to find the device to communicate with it. We can save the current list of devices in /dev, and then connect the board, do it again, and diff these two, to find which is the correct connected USB serial device. But it doesn’t show up. This means, that I don’t have a compatible driver that can communicate with this usb serial chip. What we can do is check the device manager and have a look at all connected USB devices, and we will find a USB2.0 Serial device, that is what we want to talk to, and it has here a product and vendor ID. Each USB device has that, and when you plug a device in, your system will check if it has a driver that can communicate with this particular device. In our case it can’t find a working driver. But we can use these now to search online, for a driver that supports this product. We find other people having the same issue and we get a link to this chinese vendor site with a driver download.

So the trick to not get compromised from a shady chinese driver that you are going to install with very high privileges, which you download over an insecure HTTP connection is, to just do it very very fast, so your brain can’t tell you to not do it. Click fast. Faster. Click. gogo. And maybe you have to disable even more security mechanisms to load this shady driver. Once you did that, and you feel dirty, you can check again the devices under /dev, before and after you plug in the board. And there it is. A tty and cu usb serial device.
Now you can also start the Arduino IDE, and it will show you an available board on this port. I added an alias for the avrdude binary, because it's in such an obscure long path. Also you probably need to specify a config file, which is also somewhere in the Arduino directory, so I added that one as well, with -C. Now you can flash the personalization binary. Cool!

And next we can flash our first challenge. I'd suggest to go with secure filesystem, it's the first one I had a look at and you can use it to learn how to communicate with the board properly. Because that already is a first challenge. I'm sure most of you will run into the issue of not being able to send something. But you can figure it out. Your board is not broken. You should also join the IRC channel #rhme on freenode. There is a lot of hardware reversing talk going on, and I'm sure after the competition is over in February, a lot of writeups and explanations will be happening there. Ok, good luck to all participants. I hope we all will learn more. Thanks to Riscure and specifically the people who worked hard to create this CTF. I'm really looking forward to this and I hope I will solve at least some challenges.

/liveoverflow_transcripts/E9kz6RQu9Oc.txt:

Hey I'm on my way to nullcon and this is my first time vlogging in a long time. I feel super awkward. I mean I felt awkward the last few times I have vlogged, I haven't done this a lot on this channel. So that's why I went into this park, which is very close by to the conference. I thought about vlogging in the city first on my way. But no.
Couldn't do it. But here nobody is around; there is like this one guy with his dog in the background, who I feel weird about, but otherwise I'm alone. So yeah. You are not here to listen to my awkwardness, I'm on my way to the conference. So let's head there.

Hey everyone, welcome to nullcon Berlin. This is our first edition and we have something really cool, for everybody to go green. If you use public transport: train, bus, bicycle, or walking to the venue. Or into the country. We will give you something really cool.

Actually that just reminds me I did come with public transport. Yes you will get one! I will have to show my ticket? [yes]

So I'm really happy to meet LiveOverflow, because I learned so much from him. And I want to say hi to all his Italian fans. [Italian blah blah]. When I asked you to talk about it, I didn't mean you to compliment me. I mean I learned so much from you, because I just started with your videos and then I started playing CTFs. So yeah that's all.

I'm here with smaury. And smaury has a card game he wants to show us. Yeah this is a card game we made at Shielder, which is my company, and this card game is based on this traditional Italian game which is called "briscola". And basically in briscola you can play with buddies. And it's kind of the typical game usually you play with your parents or friends like during Christmas time. And we created this deck which is "hacker powered", so you can find some references about hacking culture. For example this here is about injection. So you can see this horse jumping around a firewall. Yeah we chose to publish it and to start selling it to donate all the profits to "Informatici Senza Frontiere", which is "Informatics without borders".
It's like "[doctors] without borders". But for informatics in Italy. They try to fight against the digital divide. Mainly about the pandemic. But not just about the pandemic. I mean they are out there, I don't know, the last 10 years. They are a non-profit, so they are not making any profits out of this thing. And we are donating all the gross profit to them. So that's it. So thank you very much.

As you heard it's a card game and the profits go to a good cause. So yeah, check it out. Of course I will also link it below.

BitK. Hey. This is the famous Minecraft YouTuber? I saw you being on a panel about bug bounties today, right? Was there anything for us bug bounty people to know? I mean, he just has a lot of complaining to do [oh shit]. Yes. So. You can plug your channel. What's up guys. If you wanna follow bug bounty content on YouTube go check out hacksplained. And do it now. And subscribe. And like. Are you hacksplained? [yes] Ahhhhhhh! Now you. Okay okay. If you wanna watch hacking content on YouTube be sure to subscribe to PinkDraconian. And well, enjoy the videos. Can you point the camera on me, so there is footage of me. Okay. Is it recording? Okay. Yeah it's recording. But I also don't know what to do. I make some shots. Let's stop. He is good at dancing. Like, it's his actual hobby. You wanna plug your channel? Plug my channel again? I'm PinkDraconian, follow me. Subscribe. Watch my videos. [blah blah] [blah] [more blah] [blah] Okay.

Second day. Let's go. When I did that, I was thinking: "yeah, I'm nobody in my docker, and I want to read some data" and the challenge is about that.
And this is getting interesting. So let's try to find a way to steal the password without being able to modify anything on docker.

Ok so I'm here with yaman. And he also played the CTF a little bit, and he just gives us a quick walkthrough of one of the challenges. So in this task we are basically given a .c file. So basically the way I started to solve this challenge was like, I quickly skimmed through the source code. I looked at if maybe something stood out. It's a crypto problem. Most of the time you have to go out of the protocol to have it exploitable. So the first thing I saw was like. It was basically doing an RSA signature, something like that. And it had the exponent of 3. Which is like never a good idea because it opens up so many attacks like Coppersmith, and whatever.

Okay, well. He explained the solution to me. But it turned out it was a bit too long and too complicated for a quick conference video. So I link the writeup and the link to the challenge below. So check it out if you are interested. Long story short, you can create a signature with a null byte in it and the string compare then fails to properly compare the resulting signature. And it does a str compare, which is like vulnerable for many reasons. Like if you have a null-byte. When we run this, we see that we first. This is the challenge we have to sign. It's in hex. This is the perfect cube, that includes the challenge sentence. The challenge words. That is a perfect cube. Yeah we just sent it. And we get the flag. Well done!

How is it going? It's going great. Yeah. Yeah. Just thank a lot of people and especially null and nullcon.
I basically got my first security meetup at nullcon. Community meetups. And one of the first ones was nullcon. So all of this came because nullcon was there. So thank you!

So we had multiple sub-events at the conference. We had I think three CTFs, four CTFs! One HackIM, one winja, one was by the Google guys, as well as the [sorry didn't understand]. So please, for the winner of the 2020 nullcon Berlin on-site CTF, please join us, team mango! With 10.5 solves. Anyways. You probably noticed one prize is still missing, that you might have seen before. As you have seen here, some have played in a team. Some people have played alone. So we thought what's the best way of giving this, to be honest, best prize of all. The lightsaber goes to, drumroll....... oh. Place number one, team mango as well.

When I was talking to Mario. When I decided let's do nullcon Berlin, he did mention, that when we spoke around, there was an emotional feeling within the Berlin community, that they would like to have nullcon in Europe. So thank you so much everybody. See you in Goa. I forgot. Now is the time to give me feedback. Thank you.