Simple Heist

Tags

gampang sekali, tinggal cari kunci dari brankasnya

cuma internal yang boleh tau banyak hal

by hilmios

When we visit the homepage, we will see a screen like this:

alt text

Here, we can log in, but we will immediately be logged in as the user teller from Fortis Bank.

Since the description includes the keyword internal, we try to access /internal, and we get a screen like this:

alt text

When we check the cookies, we find two cookies: auth and sig. The auth cookie contains user:teller|bank:Fortis Bank, and the sig cookie contains the HMAC SHA256 of the auth value.

alt text

On the /login page, we are instructed to access /vault, but we cannot access it because we are not admin and the bank we are using is Fortis Bank.

We try to modify the auth cookie to user:admin|bank:Fortis Bank and then update the sig cookie to be the HMAC SHA256 of the new auth value.

Here’s how we can create HMAC SHA256 using CyberChef.

auth: "user:admin|bank:Fortis Bank"
sig: 7f5976dcdc018b18b360aad2d4c5b3efe099db2bbba363bad5c1932b137f41ba

After obtaining the new auth and sig cookies, we try to access /vault and will see a screen like this:

alt text

Simple Heist Flag: FindITCTF{BEtEc_1O_&1J!)