Скачать или смотреть Exploit Blind SQL Injection to deserialize objects and execute code | Elf Resources @ X-MAS CTF 2022

Elf Resources is an easy-to-medium web challenge from the X-MAS CTF 2022, involving the exploitation of a blind SQL Injection in order to retrieve some python objects and then exploit an arbitrary deserialization vulnerability to exfiltrate the flag.

=== Timestamp ===
00:00 - Intro
00:22 - Attack surface analyses
00:43 - Testing the Elf's Id parameter
01:31 - Installing Hackvector
01:42 - Exploitation of the SQL Injection with sqlmap
02:31 - Elf's data column analyses
02:49 - Wrap up about serialization, deserialization, and pickle
03:21 - Attack planning and assumptions
03:38 - Understanding and reproducing the object with a custom script
04:03 - Assumptions about the implementation of the API and how to attack it
05:10 - Exploiting blind SQL Injection and arbitrary deserialization to exfiltrate the flag
05:42 - Exfiltrate and analyze the vulnerable code
06:30 - Vulnerability remediations and suggestions
06:47 - Conclusion


If you enjoyed the video leave a like and subscribe to my channel!
For writeups in text format or other articles related to Ethical Hacking go to my blog: https://maoutis.github.io/
---
Would you like to support my work? Offer me a virtual coffee :)
https://www.buymeacoffee.com/0xbro

Check out my socials:
Twitter:   / 0xbro1  
Linkedin:   / mattia-0xbro-brollo-b4129614b  

Shout-out to those who supported me during the CTF:
https://github.com/m3ssap0
https://negromarco.it/
https://morelli.dev/
https://bullsoc.com/

Tags:
#XMASCTF #sqlinjection #ctf #hacking