This video is a write-up of a CTF task “Where are you from?” from 0CTF/TCTF 2022. The solution chained two bugs:
CVE-2022-26377 AJP request smuggling
CVE-2020-1938 AJP Request Injection and potential Remote Code Execution (Ghostcat)

The CTF: https://ctftime.org/event/1717
Solve script: https://bbre.dev/4o2

Timestamps:
00:00 Intro
01:18 What is an Apache JServ protocol (AJP)?
05:35 AJP request smuggling
10:16 Exploiting Ghostcat in a smuggled request
