I challenged H4CK3RS to break into my website! (again... 😭)

CTF Insights and Vulnerabilities in a Betting System

Introduction to the CTF Event

  • The speaker describes creating a Capture the Flag (CTF) event after a period of analyzing scams; the challenge was for participants to hack the speaker's own website, which they did.
  • The CTF asked participants to find five vulnerabilities, with a prize of R$200 and a Square Cloud Pro plan; although the environment was controlled, the speaker stresses that the same vulnerabilities occur in real systems.

Sponsorship and Learning Opportunities

  • The CTF was sponsored by Solid, which offers ethical hacking certifications and connects hackers to job opportunities through its Solid Hunter talent bank.
  • Participants start with a balance of 10 to play with; this is not real money, since deposits and withdrawals are not allowed.

First Vulnerability: Account Takeover

  • Samuel discovered an account takeover: multiple affiliate accounts could be created with the same username, which raised the question of how the tokens were secured.
  • The root cause is that affiliate tokens and user tokens carry identical payloads; if the same secret signs both, an affiliate token is accepted as a user token, which gives access to that user's account.

Real-world Implications of Token Mismanagement

  • The speaker explains how the same class of vulnerability appears in real systems when production and testing environments share a database.
  • If developers use identical tokens across environments without proper separation, serious security breaches can follow.

Second Vulnerability: Infinite Money in Mines Game

  • A second participant found a flaw that let players win indefinitely in the Mines game, caused by improper input validation when selecting boxes.
  • Players could submit fractional box indices that passed the server's checks: the comparison against the integer mine positions never matched, so a mine was never hit.
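The fractional-index bug, as an added example that is not code from the video or the CTF site: a vulnerable reveal handler that only range-checks the choice, the hardened version that insists on an integer board index, and a sweep that replays the "i + 0.5" trick against both. The board size and mine positions are constructed.

```javascript
const BOARD_SIZE = 25;                       // constructed 5x5 board
const MINES = new Set([3, 11, 17, 22]);       // constructed mine positions

// Vulnerable reveal: only a range check, then a direct membership test.
// A choice such as 11.5 is in range but never equals the integer 11, so the
// mine test is always false and every pick is treated as a safe reveal.
function vulnerableReveal(choice) {
  if (choice < 0 || choice >= BOARD_SIZE) return { ok: false, reason: 'out of range' };
  return { ok: true, hit: MINES.has(choice) };
}

// Hardened reveal: the index must be a JSON number that is an integer on the
// board; strings, NaN, fractions and booleans are rejected before any game logic.
function hardenedReveal(rawChoice) {
  if (typeof rawChoice !== 'number' || !Number.isInteger(rawChoice)) {
    return { ok: false, reason: 'choice must be an integer' };
  }
  if (rawChoice < 0 || rawChoice >= BOARD_SIZE) return { ok: false, reason: 'out of range' };
  return { ok: true, hit: MINES.has(rawChoice) };
}

// Replay the CTF trick against a reveal handler: pick every box as i + 0.5.
function fractionalSweep(reveal) {
  let hits = 0, rejected = 0, safeReveals = 0;
  for (let i = 0; i < BOARD_SIZE; i++) {
    const r = reveal(i + 0.5);
    if (!r.ok) rejected++;
    else if (r.hit) hits++;
    else safeReveals++;
  }
  return { hits, rejected, safeReveals };
}
```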

Race Condition Exploit

  • Aviator discovered a race condition that let players start games without sufficient funds by sending simultaneous requests before the balance had been updated.
  • Transactions had been implemented to prevent exactly this, yet the flaw remained, which shows how easily concurrency handling in gaming applications can go wrong.
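The race condition, as an added example that is not code from the video or the CTF site: a check-then-act handler that reads the balance, waits on the database and then writes, beside a handler whose balance check and debit are one indivisible operation. The in-memory table, the stake and the latency are constructed to force the interleaving.

```javascript
const sleep = (ms) => new Promise((r) => setTimeout(r, ms));

// Vulnerable handler: read the balance, check it, wait on the database, then
// write. Every concurrent request reads the same starting balance before any
// of them has written, so all of them pass the check and all of them deduct.
async function startGameCheckThenAct(db, userId, stake) {
  const row = db.get(userId);
  if (row.balance < stake) return false;       // check ...
  await sleep(5);                              // ... simulated DB round trip ...
  row.balance -= stake;                        // ... act, on a stale decision
  return true;
}

// Hardened handler: the check and the write are one indivisible operation,
// the in-memory equivalent of
//   UPDATE users SET balance = balance - :stake WHERE id = :id AND balance >= :stake
// with "0 rows affected" meaning insufficient funds. A transaction alone does
// not give this guarantee; the condition has to be part of the write itself.
function debitIfAffordable(db, userId, stake) {
  const row = db.get(userId);
  if (row.balance < stake) return 0;           // rows affected
  row.balance -= stake;
  return 1;
}
async function startGameAtomic(db, userId, stake) {
  await sleep(5);                              // latency is harmless here: nothing is decided yet
  return debitIfAffordable(db, userId, stake) === 1;
}

// Fire n simultaneous start-game requests for a user holding exactly one stake
// (constructed table: user 1 with balance 10) and report what happened.
async function burst(handler, n) {
  const db = new Map([[1, { balance: 10 }]]);
  const results = await Promise.all(Array.from({ length: n }, () => handler(db, 1, 10)));
  return { started: results.filter(Boolean).length, balance: db.get(1).balance };
}
```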

Analyzing Vulnerabilities in a Betting Game

Identifying Initial Issues

  • The system should refuse the request when the user's balance is insufficient; that it did not points to a flaw in how the transaction was handled.
  • A vulnerability was discovered in the "double" game: users could see the result before placing a bet, which undermines fairness.
  • Generating the random result (the SID) is normally a backend task, but here it appears to be done on the frontend, which opens it to manipulation.

Investigating Frontend Logic

  • On inspecting the API responses, it turned out that the API's response is not used at all; a SID generated on the client is used for further processing instead.
  • The code that drives the colors and animations also contains a function that generates the random values, stored in the variable S, and this is what can be exploited.
  • By manipulating requests with specific parameters, it became possible to win consistently by betting on outcomes known in advance.

Discovering Further Exploits

  • Another vulnerability was found in "Aviator", where players must cash out before an airplane explodes. The initial request returns an ID and an encrypted string (ms).
  • There is no persistent connection through which the server tells clients when the airplane has crashed; the client has to derive that moment from its own logic.

Decrypting Critical Information

  • Analysis of the source code revealed that ms is AES-encrypted data holding the number of milliseconds until the explosion, which the client itself decrypts.
  • By modifying the code to log the remaining time until the explosion to the console, players could cash out in time every round and never lose.

Final Vulnerability Discovery

  • After two hours of challenges, access to an admin panel was achieved through hidden routes, a reminder that security through obscurity is not enough on its own.
  • A brute-force attack was possible because the admin login had neither rate limiting nor a CAPTCHA on login attempts.

Executing Brute Force Attack

  • A wordlist and automated scripts allowed OTP combinations to be tested rapidly, without the delays of manual input.
  • Obtaining valid credentials led to what turned out to be only an admin panel message, rather than full admin functionality.

Insights on CTF Performance and Ethical Hacking Resources

CTF Performance and Hosting Solutions

  • The speaker notes that the CTF infrastructure performed well, handling a large number of requests without any issues.
  • They mention hosting it on Square Cloud and suggest it as a reliable option for anyone looking to host similar events.

Ethical Hacking Education

  • The speaker emphasizes the importance of pursuing ethical hacking certifications, recommending Solid as an excellent resource for beginners.
  • They highlight Solid's diverse content pathway, which includes topics such as hardware hacking and automation, making it suitable for individuals starting from scratch.

Video description

In this video I show how... you solved the Capture the Flag! 😎 👉 Our Discord server: https://discord.gg/websec 👉 Follow me on X/Twitter: https://x.com/yurirdev 👉 The best host for your projects: https://squarecloud.app/ 👉 Thumbnail by https://www.behance.net/nez6vi