I Hacked & Exposed This Fake Website for Educational Purposes - CTF
- added on 29. 06. 2024
- #pentesting #ctf #hacking #cybersecurity #php
00:00 - intro
00:08 - Disclaimer
00:19 - Mapping
02:23 - Digging
03:24 - Attempting file read
04:30 - Interesting log
04:50 - Log poisoning
05:44 - Remote Code Execution
06:38 - Log script
07:30 - Filter Bypass
08:30 - Command injection and Privilege escalation
09:41 - Exposing the dark secret
DISCLAIMER: The techniques shown here should strictly be used on targets you HAVE permission to test. NEVER hack something you don't have permission to.
In this video, I demonstrate how to hack a CTF target and get root in just a few minutes. Web developers will learn a lot about how to secure their websites! Ethical hackers will learn hacking techniques to help their clients become more secure.
Credit: Challenge The Ether: EvilScience (v1.0.1) from f1re_w1re (www.vulnhub.com/author/f1re_w...)
🔥Use Coupon THEHACKERISH and Get 5% discount on CRTP and other courses on www.alteredsecurity.com/ when you pay with Stripe.
🚀 🔥 Become a pentester
academy.thehackerish.com/p/fr...
📙 Learn the technical skills:
thehackerish.com/best-hacking...
📙 Become a successful bug bounty hunter: thehackerish.com/a-bug-bounty...
🆓 Download your FREE Web hacking LAB and starting hacking NOW: thehackerish.com/owasp-top-10...
🌐 Read more on the blog: thehackerish.com
🇩 Discord: / discord
💪🏻 Support this work: thehackerish.com/how-to-support
- Facebook Page: / thehackerish
- Follow us on Twitter: / thehackerish
- Listen on Anchor: anchor.fm/thehackerish
- Listen on Spotify: open.spotify.com/show/4Ht8jEb...
- Listen on Google Podcasts: podcasts.google.com/?feed=aHR...
Takeaway: don’t upload your evil incriminating journal to your company’s public web server
Why upload it at all? Pen and paper would protect a lot of companies getting evil shit only 1 or 2 people at the top should know about from coming out
M.x lostyckwi have smeeyny
Not bad! Just next time put a disclaimer at the start of the video saying that it is an actual CTF challenge
Might help people who aren't knowledgeable about CTFs or platforms like root-me to get to know them!
=clickbait
What's really disturbing is that there actually might be a real research company that does questionable testing like this on people somewhere out there, it's good they have these simulation websites to test your hacking and programming skills.
I was literally just binging a tv series called Fringe. What a great coincidence! Great series
@trackme3621and you lack the ability to read
@trackme3621 r/whoosh
Mkultra
It's a CTF examination, it's not a real website, it's just an example of how hackers can show the truth and test your skills.
Always love the little lore tidbits ctf makers include in their challenges
The real question is how does he know it's evil?
It's a ctf challenge bro
He’s joking bro
it's very clearly an evil website
It's not a real site, well it is but it's made for hackers to hack.
The website was created by him .. just a demo
You sure you haven't hacked accidentally the source code of Fallout 5? That sounds like some Vault-Tec horror story... 😂
😂😂😂
i had a stroke reading that and fucking died
I wish they did this as a security lesson at my uni. Just one day of doing this just to get a feel for it and learn how to protect against these attacks
I think "might go to jail" is more accurate. It's not a guarantee; people do get away with it sometimes.
Better safe than sorry 😉
@thehackerish 😉
most of the times xd
This directory traversal, to log poisoning, to RCE revshell is very well presented. Also, there are clearly some really interesting command aliases used in this video. If we ask nicely, could we see a few that you have? I noticed "nmapq" and "revshell" in the video.
Sure, I will share them in future videos
I love these videos, please keep making these!
I love how you fool people while playing CTF & adding *STORY* to it like a cherry on the cake
" " *
This series is awesome keep up
wow, really didn't think it would be so easy to hack a website that has close to no security implementations. scary
People seem to click before they read, so moving "CTF" closer to the front (or shortening the title in general, or putting it in the thumbnail) may help with the clickbait accusations.
It may also be getting cut off in some places ( i don't know though )
amazing act m8 ... really good and very educational
Very instructive, as always. Thanx hackerish! ❤
My pleasure!
very nice little easy ctf. I think I'ma go back into doing them, you've inspired me
Have fun!
love your videos! hope you get more traction soon because your channel is very underrated :)
Thank you so much! Share it with your peers
great video. I would fully prepare for youtube to take it down though. So please let us know about any community resources you host :) subscribed!
It's a CTF, it would probably be considered to be educational and not malicious since the site is for this purpose.
Very nice. Please make a video with java/nodejs website
Man, this hacking looks so difficult. I want to learn like you 😭😭
If you wanna learn try "hack the box academy"
Bro made this video like I'm watching a horror movie and I absolutely love it!!
Glad you liked it!
I don't understand a second of this but respect that you share it.
The FBI is definitely watching us
love your PCs framerate for moving the mouse around
I had a friend working in I.T. at a college in Wales and we were talking on the phone. I asked if he thought his system was secure and of course, he's talking shit. So while we were talking I was hacking their website in real time and then emailed him the contents of one of the server's logs. :evil laugh:
😂😂😂
I keep on learning stuff, thanks
Btw your CTF was great, I learned a lot cz I used the same payload on the HTB Clicker machine but I failed, now I know what to do
The /etc/sudoers file properly set up would have prevented the escalation to root right?
Yep, correct
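The exchange above is about sudoers configuration, which the video does not show in detail. As an added example (not code from the video or the VulnHub challenge), here is a small audit script that scans sudoers-style rules for the grants a defender would want to catch before they turn into a root escalation: unrestricted `ALL` (with or without a password), sudo on binaries that can spawn a shell or write arbitrary files, and wildcards in command arguments. The sample sudoers content and the shell-capable binary list are constructed for this example and are illustrative, not exhaustive; the parser deliberately ignores alias expansion and `Defaults` lines.

```python
"""Audit sudoers-style rules for grants that commonly allow escalation to root.

Added example: the sudoers text below is constructed, not taken from any host.
"""
import os
import re

# Binaries that can hand the invoking user an interactive shell or arbitrary
# file writes when run under sudo. Assumption: illustrative, not exhaustive.
SHELL_CAPABLE = {
    "bash", "sh", "dash", "zsh", "env", "vi", "vim", "nano", "less", "more",
    "find", "awk", "perl", "python", "python3", "rsync", "tee", "cp", "mv",
}

# user_or_group  hosts = (runas) [TAG:] command [, command ...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def split_tags(spec):
    """Peel leading sudoers tags (NOPASSWD:, SETENV:, ...) off a command spec."""
    tags = []
    while ":" in spec:
        head, rest = spec.split(":", 1)
        if not head.strip().isupper():
            break
        tags.append(head.strip())
        spec = rest.strip()
    return tags, spec


def audit_sudoers(text):
    """Return (lineno, who, severity, reason) for each risky grant in sudoers text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        skip = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
        if not line or line.startswith(skip):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        who = m.group("who")
        for spec in m.group("cmds").split(","):
            tags, cmd = split_tags(spec.strip())
            if not cmd or cmd.startswith("!"):  # exclusions are not grants
                continue
            nopass = "NOPASSWD" in tags
            if cmd == "ALL":
                reason = "unrestricted sudo (ALL)" + (" without a password" if nopass else "")
                findings.append((lineno, who, "high" if nopass else "medium", reason))
                continue
            exe = os.path.basename(cmd.split()[0])
            if exe in SHELL_CAPABLE:
                findings.append((lineno, who, "high", f"{exe} can spawn a shell or write arbitrary files"))
            if "*" in cmd:
                findings.append((lineno, who, "medium", "wildcard in command arguments"))
    return findings


# Constructed sample: a web user with passwordless ALL, an editor and rsync
# granted as root, and one narrowly scoped service restart that is fine.
SAMPLE_SUDOERS = """\
# constructed sample, not taken from any real host
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
www-data    ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
dev         ALL=(root) /usr/bin/vim /etc/hosts
ops         ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# The same intent, narrowed to exactly the commands each account needs.
HARDENED_SUDOERS = """\
www-data    ALL=(root) NOPASSWD: /usr/sbin/service apache2 reload
backup      ALL=(root) NOPASSWD: /usr/local/sbin/run-backup
"""

if __name__ == "__main__":
    for lineno, who, sev, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {lineno}: {who}: [{sev}] {reason}")
    print("hardened findings:", audit_sudoers(HARDENED_SUDOERS))
```

The hardened variant passes the audit because each rule names one non-interactive command with fixed arguments; on a real host the wrapper script would also have to be root-owned and not writable by the sudoing user, which this text-only check cannot see.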
That journal at the end looked like an SCP
Damn, this sounds like something straight out of Resident Evil.
very entertaining!
what app do you use to dig in? Some kind of Postman but it's not Postman. What was that?
Burpsuite, or zaproxy works as well
Excellent work!! Thanks for sharing.
Thank you! Cheers!
What program are you using at the digging part?
Web proxy: burpsuite, terminal: Ubuntu
You had me there for 11 min and 15 seconds 😉😉
Good job
Thank you, but if the website is outside your LAN network, do you do the same?
If it's accessible through the internet, yes
Oh my. This is definitely scary. I can't believe there are companies hidden in the world that would do this. As a professional website clicker, I can tell you, this is definitely and totally not a dummy site. Very scary indeed.
Finally! Log poisoning 😁
Beautiful lab 😂 I love it
What is the program that you use in this video?
Just aliases around Nmap and wfuzz
i'm so damn confused. enchantment table is something i never learned.
So there was no SSL key, so what was the use of the private key? Then why post stuff on a webserver? I don't understand the security of this site
Clickbait Successful. 😂
what happens if someone goes to the url of the website
what's the name of the tool to fetch data (with GET etc...) ?
Curl and Burpsuite
Which operating system are you using bro, please reply
Kali Linux I assume
Ubuntu running on Windows WSL
what is nmapq?
i robbed a bank and stole 2M$ for educational purposes 🤣
How do you hack a website that is doing illegal activity, and also the users doing illegal activity
sick project
🔵 The Hackerish is the best 👏
Dyaumn man !
Sounds like a Chaos Insurgency hacker hacking into one of the SCP Foundation's websites. Welcome to the splinter group, cyber security dude. 😂😂😂
what are the names of those windows he's using to execute code?
Terminal
This is just a ctf.. why are you making it sound as if this is a real site in the title?
Dude, no one is gonna post something unethical on CZcams
Delightful. 🎩
☕🗿
Brother i am in huge trouble i need your help plz help me
can u do it on a virtual box?
Yes, from vulnhub.com
I know someone who hacked into a rape ring. He got more prison time than the rapists.
The hacker shouldn't have gotten any prison time. Absolutely ridiculous.
so you can basically install a virus and run it using this to destroy the server?
Yeah, once root, you can do pretty much all you want. But in penetration tests, you always take your customer's data and availability into account
Disclaimer: Never put click bait such as video without permission from your viewers otherwise you might go actually you will be banned and forgotten
Well heard, what do you suggest as a title?
Is this genuine data of theirs... or did you just craft it yourself? I mean the experiment sounds Russian
No, this is a capture the flag designed to test hacking skills, and it has a story behind it
I am root
why are you recording in 2 fps
The video is not in 2 fps
Not understand fully but I enjoy every time. With seen of earning. But I not understand every time. What is money. Why people always money only. Why they do not work for reality. Why they don't need simple ways. Why people going in trouble trouble and troublings..... 🎉
Enjoy your money. But Please take care yourself and poors.
You you all.
ALLAH BLESS US AAMEEN
❤
Hii sir please please give a fuxsocy details video
Spooky story
Sir, good day to you. I was watching your videos but I should like to ask about a certain app which I don't know if it's a real or fake app
The research I made, almost all people are saying that it's working, but honestly speaking, according to you hackers, you can tell us the truth
So how can I reach you or how can I contact you and give you full details sir, I will be glad to hear from you
You can dm me on Twitter
But guy why do you always send us to contact you through Twitter, Instagram, Telegram why do you give us direct numbers or contacts to reach up on you
can you hack a scammer website who takes money from people by fraud .. reply if you can, I will share you the link.
I don't get it
How do you know what you know ..
Everything is available online to self-learn
hello fbi watchlist!
when you put educational purposes at the end of the law
they just ignore what you're doing.
Not just that, the website itself is for educational purposes only 😉
5:40 wait… what did he do here?
twist: he hacked an evil site, created it but removed security, then did an educational vid on it.
(Joke btw)
5:23 is that your IP?
Nice catch, vpn
thanks. @thehackerish
1st yr 😌
1דא
0:13 then why are you doing it 💀
hahahaha
Pro tip: this vid smacks in 1.25x speed
You have your own ip 😔
hi
this stuff is years old.....
PLEASE TELL ME THIS IS SATIRE
is the life expectancy gonna be Pay To Win? i prefer Free To Play
anyone here in Cebu who knows how to hack? willing to pay
who tf encodes experiment logs in a flag.png file?! ridiculous, unrealistic
It's a ctf
POV you don't understand that even in unrealistic CTFs, you can learn a thing or two to apply to real world scenarios 🤯🤯🤯🤯
LOLL I'M STUPID IDK ANYTHING ABOUT CODE AND I WAS LIKE I'LL WATCH THIS IT LOOKS COOL I THOUGHT IT WAS REAL AND THEN THE REVEAL STARTED AND I WAS LIKE 💔💔💔
can you hack discord servers and give everyone free Nitro ?
(for educational purposes of course)
Haha, unfortunately no. It's unethical
it is lel >:))))) @thehackerish
And don't be evil again okay😊
Ngl a link name like that already screams scam lol
❤❤❤❤❤🎉😂😂😂
Disclaimer
I believe you already hacked it, then repeated the steps again while recording. I mean, in this type of thing that's how to make good content. Well done
bruh
Love the fakeness abt this lol
Lmao just hack any website and say it's for "educational purposes", problem solved
It's not just any website, I don't hack things I am not authorized to