Stored XSS and IDOR with predictable HMAC generation – "knock-knock" web challenge [DiceCTF 2022]

Video walkthrough for the "knock-knock" challenge of the Dice Capture The Flag (CTF) competition 2022. In this challenge we explore a "pastebin" style website written in Node.js that is vulnerable to Insecure Direct Object References (IDOR) because its SHA-256 HMAC generation is predictable: the crypto library function (randomUUID) is referenced rather than called. We also play with stored XSS and discuss the potential risks this poses. Write-ups/tutorials aimed at beginners – I hope you enjoy #DiceCTF #CTF #Pentesting #OffSec
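The bug class described above, as an added Node.js example (not the challenge's source code and not code from the video): a secret built from the `randomUUID` function reference next to the corrected call, with a startup check that rejects the former. All function names here are hypothetical, and the token scheme (HMAC-SHA256 over a sequential id) is an assumption based on the description.

```javascript
const nodeCrypto = require('node:crypto');

// Vulnerable pattern: randomUUID is interpolated without being called, so the
// template literal stringifies the function itself. The result is the same
// fixed text in every process running the same Node.js build.
function weakSecret() {
  return `secret-${nodeCrypto.randomUUID}`;
}

// Corrected pattern: the function is called, yielding a fresh random UUID.
function strongSecret() {
  return `secret-${nodeCrypto.randomUUID()}`;
}

// Per-object access token: HMAC-SHA256 over the object id (assumed scheme).
function tokenFor(secret, id) {
  return nodeCrypto.createHmac('sha256', secret).update(String(id)).digest('hex');
}

// Server-side check using a constant-time comparison.
function verifyToken(secret, id, token) {
  const expected = Buffer.from(tokenFor(secret, id), 'hex');
  const given = Buffer.from(String(token), 'hex');
  return given.length === expected.length &&
    nodeCrypto.timingSafeEqual(expected, given);
}

// Startup guard: refuse a secret that carries function source text or that
// does not contain a UUID-shaped value.
function assertSecretLooksRandom(secret) {
  const uuid = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
  if (/function|=>|\[native code\]/.test(secret) || !uuid.test(secret)) {
    throw new Error('secret was built from a function reference, not a random value');
  }
  return true;
}

// The weak secret never changes; the corrected one differs on every call.
console.log('weak secret constant:  ', weakSecret() === weakSecret());
console.log('strong secret constant:', strongSecret() === strongSecret());
```

A linter rule or code review item that flags `${...}` interpolation of a bare function name catches this mistake before deployment.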

↢Social media↣
Twitter: https://twitter.com/_CryptoCat
GitHub: https://github.com/Crypto-Cat
HackTheBox: https://app.hackthebox.eu/profile/11897
LinkedIn: https://www.linkedin.com/in/cryptocat
Reddit: https://www.reddit.com/user/_CryptoCat23
YouTube: https://www.youtube.com/CryptoCat23
Twitch: https://www.twitch.tv/cryptocat23

↢DiceCTF↣
https://ctf.dicega.ng/
https://twitter.com/dicegangctf
https://discord.com/invite/CbCXtrDE5m?event=935026219014037520
https://ctftime.org/event/1541

↢Sources↣
Ghidra: https://ghidra-sre.org/CheatSheet.html
Volatility: https://github.com/volatilityfoundation/volatility/wiki/Linux
PwnTools: https://github.com/Gallopsled/pwntools-tutorial
CyberChef: https://gchq.github.io/CyberChef
DCode: https://www.dcode.fr/en
HackTricks: https://book.hacktricks.xyz/pentesting-web/idor
CTF tools: https://github.com/apsdehal/awesome-ctf
Forensics: https://cugu.github.io/awesome-forensics
Decompile code: https://www.decompiler.com
Run code: https://tio.run

↢Chapters↣
Start: 0:00
Stored XSS: 1:00
Source Code Review: 3:37
Secret key generation vulnerability: 5:52
Generate secret for SHA256 HMAC: 6:47
Flag pick up (IDOR): 8:40
End: 9:17
