
Credit Card Scammers CTF

This is my first Capture the Flag exercise and covers a number of different techniques.


The back story: Scammers are taking advantage of people, and various fake shopping websites have been set up, but people are finding their orders never arrive. We have identified one scam website which we believe is harvesting credit card details from victims. Your objective is to take down the scam website by gaining root access, and to identify the 3 flags on their server. Our intelligence suggests the scammers are actively reviewing all orders to quickly make use of the credit card information.

The types of vulnerability used in this CTF can be seen below (they are intentionally hidden by default):

You can download the Capture the Flag here. This has been tested using VirtualBox but may work with other virtualisation platforms. DHCP is enabled, and it is recommended you run this in host-only network mode.

Please feel free to leave me feedback in the comments. I am keen to see what people thought about it and how easy/difficult they thought it was.

SHA-256: e840abca18c81bb269a02247a99416b0f63261f3a62d4b17b9436fb3387f70e7

22 replies on “Credit Card Scammers CTF”

Hi. Thanks for your comment.

The default setting on the CTF is host-only. Do you have a host-only network setup on VirtualBox? If not, it may have changed back to NAT automatically as it can’t find a host-only network. NAT isn’t needed for this box. If you follow the steps on my other post up to the first two screenshots, it will show you how to enable host-only network if you haven’t done so already.

Let me know if you need any help. Thanks

Hi,
With VirtualBox 6 and the Credit-Card-Scammers.ova file (md5: e0af2231b6cc0bba6b78340b79a74885) provided on VulnHub, the VM has two network interfaces by default. Is this normal?
My vbox configuration has only one host-only network. So the second interface of the VM is self-configured in NAT (or bridged).
Have a good day
Vincent

Hey! I am really trying to hack your VM, but I have no success with it. I have run dirb, nikto and nmap, found a couple of directories, the admin area, tried SQL injection on the purchase form and admin login, hydra brute force on the admin login, with 0 success. Is there something I’m missing?

Hi. Thanks for getting in contact. Yes – have a look into XSS vulnerabilities. Imagine that for every order submitted on buynow.php, an administrator is accessing an admin panel where all the order information is displayed. Perhaps you can put malicious JavaScript into the order page to hijack the session cookie of the administrator? I’m due to publish a write up of the CTF this week so if this doesn’t work, a full write up should be available by the end of the week.

Thank you, and good luck.
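The stored XSS path described in the reply above, as an added defender-side example that is not code from the CTF VM or from the post: a small Python sketch of an order-review panel that renders submitted order fields unescaped (the flaw), the same panel with output escaping, a check that flags script markup in submitted fields, and the cookie attributes that keep the admin session out of reach of injected JavaScript. The order fields, the panel template, the `PHPSESSID` cookie name and the harmless `alert` payload are constructed assumptions.

```python
"""Stored XSS in an order-review panel: flawed rendering next to the fixed one.

Added example, not code from the CTF VM. The order fields, the panel template
and the sample payload are constructed assumptions.
"""
import html
import re

# Constructed orders as they would sit in the shop's database after
# submission through an order form such as buynow.php.
SAMPLE_ORDERS = [
    {"name": "Alice Example", "card": "4111 **** **** 1111"},
    # A harmless script tag stands in for a malicious payload in a text field.
    {"name": "<script>alert('xss')</script>", "card": "0000 **** **** 0000"},
]

ROW = "<tr><td>{name}</td><td>{card}</td></tr>"


def render_orders_vulnerable(orders):
    """Interpolates raw field values into HTML: whatever a customer typed
    into the order form executes in the administrator's browser."""
    rows = [ROW.format(**order) for order in orders]
    return "<table>" + "".join(rows) + "</table>"


def render_orders_safe(orders):
    """Same panel, but every field is HTML-escaped before interpolation, so a
    script tag is shown as text instead of being executed."""
    rows = [
        ROW.format(**{k: html.escape(v, quote=True) for k, v in order.items()})
        for order in orders
    ]
    return "<table>" + "".join(rows) + "</table>"


# Patterns worth flagging in submitted order fields (detection, not a filter:
# escaping on output is the actual fix).
_SCRIPT_MARKUP = re.compile(
    r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def contains_script_markup(value):
    """True when a submitted value carries markup that should never appear in
    a customer name or address; useful for alerting on order submissions."""
    return bool(_SCRIPT_MARKUP.search(value))


def session_cookie_header(session_id):
    """Set-Cookie header for the admin session. HttpOnly keeps the value out
    of document.cookie, so even a successful injection cannot read it."""
    return (
        f"Set-Cookie: PHPSESSID={session_id}; Path=/; "
        "HttpOnly; Secure; SameSite=Lax"
    )


if __name__ == "__main__":
    print(render_orders_vulnerable(SAMPLE_ORDERS))
    print(render_orders_safe(SAMPLE_ORDERS))
    for order in SAMPLE_ORDERS:
        print(order["name"][:30], "->", contains_script_markup(order["name"]))
    print(session_cookie_header("constructed-session-id"))
```

In the CTF the panel is opened by the scammers' own review process rather than on demand, which is why feedback from an injected order only arrives after a delay; on the defending side, escaping on output removes the injection and the HttpOnly attribute denies the cookie to any script that does run.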

Thanks for the reply. I tried doing that, after you press the Submit query button, the same page (no changes) is sent back to me. Is there a problem on the VM? I am using VMWare, not VirtualBox.

Hey dude, do you mind getting in contact with me? I’m trying to hack the VM as well and I’m stuck too.

Hi.
It should work fine on VMWare. Depending on what you’ve put into the order form, it may have broken it though (if you’ve tried putting alert tests in etc). I will e-mail you the steps up to that point if that’s ok with you? I will send it shortly after you confirm – remember to check your spam box.

Thanks

I tried as you did Thomas, but it does not work.

The IP of the machine (not kali) is 192.168.178.90

I tried
SELECT "['verify_peer'=>false,'verify_peer_name'=>false]]))); ?>" INTO OUTFILE '192.168.178.90/shell.php'

and adding http:// before 192.168.178.90 and it does not work. Can you please help me?

That’s not correct. Have you referred to the guide I provided in the previous link?

With SQL OUTFILE, you need to specify the path on the file system instead of an IP address.

For example: SELECT “php code goes here to get a shell” INTO OUTFILE “/var/www/html/shell.php”
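As an added defender-side counterpart to the OUTFILE point above (not code from the CTF VM or from the post): a Python check that reads `SHOW GRANTS` output and the server's `secure_file_priv` setting and reports which database accounts could write files from SQL at all. The grant lines are constructed sample output and the account names are assumptions.

```python
"""Spotting database accounts that can write files with INTO OUTFILE.

Added example, not code from the CTF VM. The SHOW GRANTS lines and the
account names are constructed assumptions.
"""
import re

# Constructed output of `SHOW GRANTS FOR <user>` on a MariaDB/MySQL server.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'shop'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'shop_ro'@'localhost'",
]

_GRANT = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)"
)


def accounts_with_file_privilege(grant_lines):
    """Returns the accounts whose global grants include FILE, the privilege
    that INTO OUTFILE / LOAD DATA INFILE need. FILE only exists at the global
    (*.*) level, so database-scoped grants are skipped."""
    risky = []
    for line in grant_lines:
        m = _GRANT.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            risky.append(m.group("who"))
    return risky


def outfile_exposure(secure_file_priv):
    """Classifies the server-wide secure_file_priv setting: NULL disables
    file I/O entirely, a directory confines it to that directory, and an
    empty value lets a FILE-privileged account write anywhere the database
    process can, the web root included."""
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return "restricted"


def least_privilege_grant(account, database):
    """The grant a web application account actually needs: row access on
    its own schema only, no global privileges and therefore no FILE."""
    return f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{database}`.* TO {account};"


if __name__ == "__main__":
    print("FILE-capable accounts:", accounts_with_file_privilege(SAMPLE_GRANTS))
    for value in (None, "", "/var/lib/mysql-files/"):
        print(repr(value), "->", outfile_exposure(value))
    print(least_privilege_grant("'shop'@'localhost'", "shop"))
```

The write into the web root only works when the application's database account holds FILE (or ALL PRIVILEGES) and `secure_file_priv` is empty; either the schema-scoped grant or a non-empty `secure_file_priv` closes that path, and a web root that is not writable by the database process closes it again.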

After “OUTFILE” I put “/var/www/html/shell4.php” so that I can access the shell like this:
192.168.178.90/shell4.php.

When I type that link into Firefox it just loads and loads, and after a while there is just a blank page, and Metasploit does not “react”.

https://pastebin.com/Ssz8Didw <- here is my "code".

Hi

I recommend restarting the CTF with a fresh download. It could be the page has broken due to some Javascript you have put on the page (this can happen when exploiting XSS in real life too).

If you start with a fresh image, hopefully it should work.

Good luck

I managed to crack this CTF, with some help from the walkthrough. The first part is confusing because you have to wait a while until you get feedback from the XSS (also I think you can break it if you use location.href, window.location, etc.). So the waiting was something I was not used to in other CTFs. Another help was to find out what kind of hash the MariaDB user has, and another was how to get to the 3rd flag (lots of guess work). All in all, a fun experience.
