Hack I-Bank Pro 2023

In this article we will learn about Hack I-Bank Pro.

Introduction[Hack I-Bank Pro]:

In this article, we will look at some of the main vulnerabilities typical of remote banking applications. We found an interesting vulnerable machine created by the PHDays team. We hosted the vulnerable computer in a virtual box and logged in with the following credentials: Username:root Password:phd2012. We identified the IP for this computer and opened it from the browser.

Here we see the bank login page that requires a name and password. We have no credentials so we have to hack. The first thing we’ll do is look for internal files that might reveal some information about the application. So we crawled the application URL using Burp Suite Spider.

As we can see in the above figure, we found only two links: the login page and the recovery page. The recovery page leads to the forgot password functionality.

Now the for recovering password, we need the login name. We guessed here for default credentials such as admin, ibank, bob, etc. But nothing worked.

But we noticed the error message “Identifier not found”; that’s a good indicator that we’re dealing with numbers rather than a username, which could be lowercase and uppercase alphanumeric letters, which reduces the range of characters required, making it easier to brute force. Again we move to the login page to find something juicy.

On this verification page we see three parameters: Login, Password and CAPTCHA.

Hmm.. CAPTCHA. Let’s find where it’s coming from. Just right click on the CAPTCHA image and select the Inspect element.

Now we can see a link there: image.php has a code parameter holding a value which looks like a Base64 encrypted. We took that value and decoded it from base64 decoder by using Burp Suite Decoder.

After decoding, we get a value =ljN5YTO. We were confused a little bit, but noticed that it’s again a Base64 and it’s reversed so we have to reverse this output like this OTY5Njl= and then decode it again.

Now we get the exact value of the CAPTCHA which is 96962. “So far we have figured out how the CAPTCHA generates but this will not help us to access the bank account. We continue to enumerate user credentials. First enter login and password whatever you want and don’t enter correct value in CAPTCHA. Let’s see if the CAPTCHA works or not.

After logging with wrong credentials and invalid CAPTCHA the application is giving an error message, “Wrong code”.

Again, try to login with any credential, but this time put the valid CAPTCHA value and see this time how it is responding.

After trying to log in with valid CAPTCHA values, the application is giving again an error, but this time it is different , “Identifier not found”.

Now we have started to check whether the CAPTCHA is properly implemented or not. Generally, CAPTCHA is used to stop the automation process to prevent brute force attack. In most cases CAPTCHA is not implemented correctly. If the CAPTCHA value does not change per request, then the login is vulnerable to a brute force attack. So let’s check it out. Login with any credentials and enter the correct CAPTCHA value and capture the request with Burp Suite.

Here in the image above we can see that the captured request has a login value, a password value, a code and another code which is a base64 encrypted CAPTCHA code. Now we repeat this request several times to verify whether the CAPTCHA is validated or not. We will use Burp’s Intruder to replicate this request. Select Actions and then select Send to Intruder as shown in the image below.

Select the Intruder tab and we can see our target is added.

Then select Positions and click on the Clear button for clearing all default positions selected by Burp’s Intruder.

After clearing the positions, select the Login parameter and password parameter values and click on Add.

We can see in the below figure that our position is set on both parameters.

After that, select the attack type and set it to Cluster bomb.

Now select the Payload tab to set the payload on both positions. The payload set is 1, which means that the first position is the value of the Login parameter. Leave Payload type set to Simple list and in the next section select Add from list to Usernames which has a list of default usernames.

Next, change the Payload set to 2. Leave the Payload type as it is. Select Add from list and choose Passwords, which contains a large default password list.

Related article:Ethical Hacking Interview Questions 2023

Everything is set. Now run the Intruder. Select Intruder from the Burp’s menu and select Start attack.

Our attack is launched; check the response to the attack. We noticed that the CAPTCHA value is the same as entered during login. In the image below, we have selected request #304 and its CAPTCHA value is the same as the first request. It means CAPTCHA is not working properly and we can use brute force here.

“What information do we have so far:

1. We can brute force
2. The application uses the Identifier as a login name

Predictable user identifiers are much more dangerous than you might think. This application also uses an identifier, as we have already seen, like most identifiers in real remote banking applications, eg 100000, 1000001, etc.

So we need to create a list of identifiers for brute forcing. We use a small Python script to create a list of identifiers.

Line 3: Creates a text file called “numericWordlist.txt”, the “a” attribute allows appending the content to the text file.
Line 5: Is a loop that starts from 1000000 to 1000101
Line 6: Appends the generated number to the text file.
Line 8: Simple closes the text file.

Just save the code with a py extension and run it. Generates a Wordlist.txt with a list of identifiers.

Now that we have a list of login identifiers, it’s time to brute force. Capture the login request as before and send the request to Aliens to add positions. Then in the Payload option here we will use our worldlist.txt so select Runtime file from Payload type and select file to browse the worldlist.txt file from its location.

Then run the intruder attack, and during the attack we notice that there is something different with Length. We saw two types of length: 4749 and 4755.

The identifier from 1000001 to 1000005 has a content length of 4749 and the rest of the identifiers are 4755. So let’s see where the difference is? We selected a request of length 4749, looked at the HTML response and rendered the page and saw a “Bad password” error message.

Then we selected the 4755 Length request and looked the HTML response. It’s showing a different error message, “Identifier not found”

So now we have confirmed valid identifiers.

Valid identifiers: 1000001, 1000002, 1000003, 1000004, 1000005

We have logins, now we need passwords for those accounts. Again we brute force with these identifiers, We log in with the identifier and capture the request and send it to the intruder. Don’t change the attack type this time. Keep it with Sniper because we only add one position in the password parameter.

We created a password list, which can easily be found on the Internet.

Next select the Payload options and change the Payload type to Runtime file and select the password list.

Then run the Intruder. After running it, we found that there is one request with a status of 302 and content Length is also different than others.

The password for that request is 1234567 as can be seen above. We tried to login with that password and it worked.

Using this process, we have three of the five credentials:
1000001:1234567
1000004: qwerty
1000005:1234567

Conclusion:

After testing this application, we have seen some typical known vulnerabilities that lead to user account compromise. Some major security flaws such as weak passwords, incorrect CAPTCHA implementation leading to possible brute force, and incorrect handling of error messages lead to enumeration of users.

Reference:

https://www.slideshare.net/phdays