What is it? @.@

This is where I record some tactics about wargames, systems, and other security issues.

2012-09-29

Hack This Site! - Realistic 8

Description:

United Banks Of America
One of America's Richest Men plans to donate $10,000,000 to a campaign set on hunting down hackers and locking them up. Please, if you can't do this, then we're all screwed. Can you hack in and move the money? 

Level 8
From: DarkOneWithANeed 

Message: Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I've tried hacking their site but I'm just not good enough. That's why I need your help. Here's a list of your objectives:
1. Find the account of Gary Hunter (I don't know his account name).
2. Move the $10,000,000 into the account dropCash.
3. Clear The Logs, They're held in the folder 'logFiles'.
I really hope you can do this, because if you can't we're all screwed.

Solution:
  1. Take a tour of the website.
  2. There are many HTML forms you can play with. Just try them!
  3. There's a login page, but you don't have an account with a valid password to log in with. So let's go to the register page and register one.
  4. When registering, you fill in three fields: (1) Username, (2) Password, (3) Description.
  5. Go to the 'User Info' page to query information about your new account. It displays the username and description.
  6. How about SQL injection? I used the SQL injection payload below to make the 'User Info' page display every account's information.
    Reference: http://en.wikipedia.org/wiki/SQL_injection
    SQLi: ' or 1=1--
  7. Survey all the accounts' information and you will find an account like the one below. It's our target.
    GaryWilliamHunter : -- $$$$$ --
  8. We have achieved the first part of the challenge, but we still don't know GaryWilliamHunter's password. Anyway, let's log in with our own account to see what is inside the login page.
  9. After logging in, we find that the password is stored as a 32-character MD5 hash. Besides, there are two HTML forms: one to transfer money and one to clear logs.
  10. Yes, we will use these two forms to accomplish the remaining part of the challenge.
  11. I used Chrome Developer Tools to view the page source of the two forms.
    <form action='cleardir.php' method='POST'>
    <input type='hidden' name='dir' value='adminSQLFiles'>
    <input type='submit' value='Clear Files In Personal Folder'>
    </form>

    <form action='movemoney.php' method='POST'>
    <input type='submit' value='Move Money To A Different Account'><br />
    <input type='text' name='TO' value='Username To Give Money To'>
    <input type='text' name='AMOUNT' value='Amount Of Money To Move'><br />
    </form>
  12. Don't forget to check your cookies. You will see something interesting there.
  13. Okay, there's a cookie named 'accountUsername'. I used the JavaScript below in the Chrome JavaScript Console to change its value.
    javascript:document.cookie="accountUsername=GaryWilliamHunter"
  14. Then enter 10000000 in the 'Amount Of Money To Move' field and dropCash in the 'Username To Give Money To' field. After clicking the 'Move Money To A Different Account' button, you get a message like the one below.
    Congratulations, 1st Objective Done, Now Cover Your Tracks
  15. Again, use the JavaScript below in the Chrome JavaScript Console to change the hidden 'dir' value of the 'Clear Files In Personal Folder' form.
    javascript:alert(document.forms[0].dir.value="logFiles");
  16. Click the 'Clear Files In Personal Folder' button.
  17. You will then see the completion message below.
    Good Job, OOXXOOXX, You have sucessfully completed Mission 8
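As an added illustration that is not part of the original write-up, the snippet below models the two server-side defects the walkthrough relies on (the string-built query behind step 6 and the trusted 'accountUsername' cookie behind step 13) next to their hardened forms, using an in-memory SQLite table. The table layout, the sample rows, the secret and the function names are constructed assumptions, not the real site's code.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample rows standing in for the challenge's user table.
USERS = [
    ("alice", "md5-of-alice-password", "just a test account"),
    ("GaryWilliamHunter", "md5-of-gary-password", "-- $$$$$ --"),
    ("dropCash", "md5-of-drop-password", "drop account"),
]

def make_db():
    """In-memory SQLite table with the three columns the register page asks for."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, description TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def user_info_vulnerable(conn, username):
    # The defect behind step 6: input is pasted into the SQL text, so the
    # payload ' or 1=1-- turns the WHERE clause into a tautology.
    sql = "SELECT username, description FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def user_info_safe(conn, username):
    # Fix: a bound parameter is always treated as data, never parsed as SQL.
    sql = "SELECT username, description FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

SERVER_SECRET = b"constructed-demo-secret"  # assumed secret; lives only on the server

def issue_cookie(username):
    # Fix for step 13: bind the username to an HMAC tag so a rewritten
    # cookie value no longer passes as that account.
    tag = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{tag}"

def account_from_cookie(cookie):
    # Returns the username only when the tag verifies; an edited name yields None.
    username, _, tag = cookie.rpartition("|")
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(tag, expected) else None

if __name__ == "__main__":
    db = make_db()
    print(user_info_vulnerable(db, "' or 1=1--"))  # all three rows
    print(user_info_safe(db, "' or 1=1--"))        # []
    cookie = issue_cookie("alice")
    print(account_from_cookie(cookie))             # alice
    print(account_from_cookie("GaryWilliamHunter|" + cookie.split("|")[1]))  # None
```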