Hacme Bank - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Hacme Bank' - diza

Presentation Transcript
Hacme Bank

Challenges

  • There are 10 challenges which all have to be completed
  • Complete each challenge one by one
  • We will talk about the solutions after each challenge has been completed
  • Visit the following link: xxxxxxxxx
Hacme Bank

Challenges - 1

  • Type: SQL Injection
  • Result: Bypass the login
Hacme Bank

Challenges - 2

  • Type: SQL Injection
  • Result: Database table modification
  • Steps
    • ' having 1=1--
    • ' union select (tables) from fsb_users having 1=1--
    • '; INSERT INTO FSB_USERS VALUES(123423, 'HAX0R12', 'HACKME12', 'EASY32', GETDATE())--
Hacme Bank

Challenges - 3

  • Type: SQL Injection & Poor configuration management
  • Result: Command execution
  • Steps
    • ';EXEC master.dbo.xp_cmdshell 'command';--
  • This can REALLY help an attacker. Here is some help:
    • The webserver is also a TFTP server and netcat is accessible for download and may be used for this exercise
    • The path to the file is c:\tftp32d\nc.exe
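Challenges 1 to 3 all rest on the same defect: the login query is assembled by string concatenation, so a quote and a comment marker in the user name rewrite the WHERE clause. The following Python example is added here and is not part of the slides or of Hacme Bank itself; it runs a constructed bypass payload against a concatenated query and against a parameterized one, using an in-memory SQLite stand-in for FSB_USERS whose column names and sample user are assumptions (the slides give only the table name).

```python
import sqlite3


def make_db():
    # Constructed stand-in for Hacme Bank's FSB_USERS table; the real
    # schema is not on the slides, so these columns are an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FSB_USERS (user_id INTEGER, user_name TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO FSB_USERS VALUES (1, 'alice', 's3cret')")
    return conn


def login_vulnerable(conn, user, pwd):
    # Concatenation: user-controlled text becomes part of the SQL grammar,
    # so a quote closes the literal and '--' comments out the password check.
    sql = (
        "SELECT user_id FROM FSB_USERS WHERE user_name = '" + user
        + "' AND password = '" + pwd + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, user, pwd):
    # Placeholders: the driver passes the values separately from the statement,
    # so quotes and comment markers are compared as data, never parsed as SQL.
    sql = "SELECT user_id FROM FSB_USERS WHERE user_name = ? AND password = ?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def demo():
    conn = make_db()
    bypass = "' OR 1=1--"  # constructed payload in the style of the slides
    return {
        "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "valid_param": login_parameterized(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, bypass, "anything"),
        "bypass_param": login_parameterized(conn, bypass, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

Parameterization closes the injection used in challenges 1 and 2; challenge 3 additionally depends on the application's database login being allowed to run xp_cmdshell, so its matching control is a least-privilege database account with that procedure disabled.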
Hacme Bank

Challenges - 4

  • Type: Parameter Tampering
  • Result: Privilege escalation
  • Steps
    • My accounts
    • Alter the Account type from the silver account to the platinum
Hacme Bank

Challenges - 5

  • Type: Parameter Tampering
  • Result: Unauthorised Access
  • Tools Required:
    • Firefox with the "Tamper Data" plugin or
    • IE with Burp Proxy
  • Steps
    • Request a loan
    • Try and alter the interest rate to a better value 
Hacme Bank

Challenges - 6

  • Type: Cross Site Scripting
  • Result: Account Hijacking
  • Steps:
    • Post Message
    • Create a message and try to execute some scripts. You can use the _session.asp
    • Post your message
Hacme Bank

Challenges - 7

  • Type: Parameter Tampering
  • Result: Money !!
  • Steps:
    • Transfer funds
    • Transfer money to your account from someone else’s account
Hacme Bank

Challenges - 8

  • Type: Parameter Tampering (Cookie poisoning)
  • Result: Brute Force attacks are enabled
  • Tools Required:
    • Firefox with the "Tamper Data" plugin or
    • IE with Burp Proxy
  • Steps:
    • Log out and find the log
    • Figure out how this web application stops brute force attacks and remove it
Hacme Bank

Challenges - 9

  • Type: Parameter Tampering (Cookie poisoning)
  • Result: Brute Force attacks are enabled
  • Tools Required:
    • Firefox with the "Tamper Data" plugin or
    • IE with Burp Proxy
  • Steps:
    • Log out and find the log
    • Figure out how this web application stops brute force attacks and remove it
Hacme Bank

Challenges - 10

  • Type: Parameter Tampering (Cookie poisoning)
  • Result: Brute Force attacks are enabled
  • Tools Required:
    • Firefox with the "Tamper Data" plugin or
    • IE with Burp Proxy
  • Steps:
    • Login
    • Alter the unique information that is associated with account numbers to view other accounts