Rating: 3.3
**Event** : Space Heroes CTF 2023
**Challenge** : Bank-of-Knowhere
**Description** : Groot is in dire need of some crucial intel about the Bank of Knowhere, but they only
share such classified information with their inner circle. To become a member of their inner circle,
one must have at least 2000₳ - Units in their bank account. Can you lend a hand to Groot in acquiring
this information?
**Vulnerability** : HTTP Parameter Pollution
We are presented with our current balance and a table of the balance of other members. We are
seemingly able to send currency to other members.
The request from clicking the ‘Submit’ button was captured in BurpSuite
We can see the request contains URL/HTTP parameters to pass the information along to the server
for processing.
Can we change the parameters to send currency between accounts not owned by Groot?
Yes! 450 has transferred from Rocket to Gamora
Can we change the sender and receiver parameters to try and give ourselves currency from another
account?
**Unsuccessful**
What happens if we add a second **receiver** parameter, maybe the server only checks the first
instance of a receiver parameter?...
**No Error, Looking Good!**
Success! We have been able to increase Groot’s balance!
This method was repeated once more with the amount parameter increased to bring Groot’s balance
to over 2000.
This then let us access the **/admin** page, which gave us the flag.
