SeaEssAreEph is a funny WEB challenge where our goal is hack money to buy a flag.
Made by Filip "Ret2Me" Poplewski member of WaletSec group
At the website we can find information about CEO, random employee and web admin. In the future it can be used to generate CUPP.
When we click at Contact button, input named "To" will be filled with Bobby Schnapps username unfortunately when we click Contact to Web Admin input will be empty.
At the beginning I tried scan website in search of hidden administrator panel or other interesting files).
As we can see scan doesn't return anything special at all (maybe API can be useful in the future, but it is a directory so right now we can't do with it anything special)
Let's look at what we have got at robots.txt (in this file are stored directories and pages which admin want to hide against the bots)
If user exist and password is incorrect we get error "Bad password".
We know that's CEO login was name_surname let's check if web admin login was created in the same way.
Yes, we are lucky now we know what is the administrator username, nextly i tried some SQLinjection, brute force, CUPP on CEO and web administrator accounts but nothing works for me.
Ok so let's create account (it is needed to transfer money what can be very useful) and look at the page source code.
As we can see webpage doesn't use any csrf-token what is critical vulnerability! We can use it to generate money transaction link which uses GET to send the param. Now we need to send malicious link to web administrator via contact form.
In the first field we need to fill our username because when website administrator click at the link we want send money to our selfs.
At the second field amount of money that will be send to us.
