Off Balance
Briefing:
We’re hot on the heels of catching this cyber gang but the closer we get, the more damage they try to inflict onto the Barcelona tourism industry!
This time, they’ve hacked into a large international bank’s mobile application. Customers of the bank are complaining they can’t see their current balance and these criminal masterminds need to be held to account. Intern, help customers retrieve their balances, so they can continue to spend their money during their well-earned holidays!
Helping our international friends will really help develop our network.
Hint:
If you check out the Network tab in the developer tools of your browser while you click on different pages in the app, you can see there are requests being made to an API. Try using a Linux command line tool like curl to talk to the API directly to see if you can get at the account balance that way.
How to Solve:
- Open the Console.
- Navigate to the Network tab.
- Click on Transactions in the phone menu.
- Right-click on
get-transactions
> Copy > Copy as fetch - In the console, paste the fetch (including all options) and change the URL from
https://cloudninebank.com/get-transactions
tohttps://cloudninebank.com/
and click enter.fetch("https://cloudninebank.com/", { "headers": { "accept": "*/*", "accept-language": "en-US,en;q=0.9", "content-type": "application/x-www-form-urlencoded", "sec-ch-ua": "\"Chromium\";v=\"106\", \"Microsoft Edge\";v=\"106\", \"Not;A=Brand\";v=\"99\"", "sec-ch-ua-mobile": "?0", "sec-ch-ua-platform": "\"Windows\"", "sec-fetch-dest": "empty", "sec-fetch-mode": "cors", "sec-fetch-site": "cross-site" }, "referrer": "https://play.cyberstart.com/", "referrerPolicy": "strict-origin-when-cross-origin", "body": "token=CNcsmXX5d50ZQCG5Us4twDi18awV", "method": "POST", "mode": "cors", "credentials": "omit" });
- Under Name (the list of all network requests), click on cloudninebank.com and go to Response.
{ "data": { "endpoint": { "ref": "index", "protocol": "https://", "domain": "cloudninebank.com", "path": "/" }, "user": { "id": "xgHof4h98" } }, "links": { "get-accounts": "https://cloudninebank.com/get-accounts", "get-payments": "https://cloudninebank.com/get-payments", "get-transactions": "https://cloudninebank.com/get-transactions" } }
- Observe the links as there is no
get-balances
rather there isget-accounts
. - Go back to the console and make another fetch to
https://cloudninebank.com/get-accounts
with the same headers. - Navigate to the Response tab once again and find
flag
, your flag should be there.
Answer:
- postD4ta_w1zard