✉️ Sign up for the mailing list: https://bbre.dev/nl
Follow me on Twitter: https://bbre.dev/tw
This video is a write-up of a CTF task “Where are you from?” from 0CTF/TCTF 2022. The solution chained two bugs:
CVE-2022-26377 AJP request smuggling
CVE-2020-1938 AJP Request Injection and potential Remote Code Execution (Ghostcat)
The CTF: https://ctftime.org/event/1717
Solve script: https://bbre.dev/4o2
Timestamps:
00:00 Intro
01:18 What is an Apache JServ protocol (AJP)?
05:35 AJP request smuggling
10:16 Exploiting Ghostcat in a smuggled request