RISC CTF Writeups

Making a Statement

Web: Making a Statement

We have two writeups for this challenge. First is our official writeup, and further down the page we have a writeup submitted by one of our members, who took a different approach since we’d forgotten to release source code when he solved it :)


Official Writeup

Challenge Description

There’s an account with id 99999 that has made some interesting transactions. See if you can find out more.

Approach

This challenge demonstrates a classic Insecure Direct Object Reference (IDOR) vulnerability. IDOR occurs when an application exposes references to internal objects (such as document IDs, product IDs or account IDs) and does not properly enforce access controls on them.

In this case the vulnerability originates in this line of code in statements.php:

$account_id = intval($_GET['account'] ?? 0);

This line takes the account ID directly from the URL without verifying that the logged-in user actually owns that account.
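To make the missing check concrete, here is an added example (not the challenge's real statements.php) that puts the vulnerable line beside a hardened version. It assumes a PDO connection, an accounts table with id and user_id columns, a transactions table with an account_id column, and a $_SESSION['user_id'] set at login; all of these are assumptions, not details taken from the challenge.

```php
<?php
// Added example, not the challenge's own code.
// Assumed schema: accounts(id, user_id), transactions(account_id, description, amount).
// Assumed session key: $_SESSION['user_id'] is set when the user logs in.
session_start();
$db = new PDO('sqlite:netbank.db'); // assumed connection string

// --- Vulnerable (the line quoted from the challenge) ---
// $account_id = intval($_GET['account'] ?? 0);
// ...followed by a query for that account's transactions with no ownership check.

// --- Hardened: ownership is checked before any statement data is read ---
function user_owns_account(PDO $db, int $user_id, int $account_id): bool
{
    // Parameterised query: the caller's user_id is part of the condition,
    // so an account belonging to someone else simply yields no row.
    $stmt = $db->prepare('SELECT 1 FROM accounts WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $account_id, ':uid' => $user_id]);
    return $stmt->fetchColumn() !== false;
}

function load_statement(PDO $db, int $account_id): array
{
    $stmt = $db->prepare(
        'SELECT description, amount FROM transactions WHERE account_id = :id'
    );
    $stmt->execute([':id' => $account_id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Login required');
}

// Validate the parameter as an integer instead of silently coercing it with intval().
$account_id = filter_input(INPUT_GET, 'account', FILTER_VALIDATE_INT);

if ($account_id === false || $account_id === null
    || !user_owns_account($db, (int) $_SESSION['user_id'], $account_id)) {
    // Same response whether the account is missing or belongs to another user,
    // so the ID space cannot be enumerated; log it for detection of probing.
    error_log(sprintf('statement access denied: user=%d account=%s',
        $_SESSION['user_id'], var_export($account_id, true)));
    http_response_code(404);
    exit('Statement not found');
}

$rows = load_statement($db, $account_id);
header('Content-Type: application/json');
echo json_encode($rows);
```

A burst of 404s from one session against many different account values in the web server or application log is the signature of the enumeration described in this writeup.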

How can this be exploited?

Our first step is to investigate transactions. To do this, we create a new account and log in.

When we visit the account statement page, we notice that the hyperlink directly exposes the account number:

http://leftmanbrothers.ctf.urisc.club/netbank/statements.php?account=1000..

Since the account ID is included directly in the URL and there is no additional access control, we can manually modify the request to access another account's statements. In our case we change the account ID to 99999:

http://leftmanbrothers.ctf.urisc.club/netbank/statements.php?account=99999

This allows us to view statements for account 99999 and retrieve the flag.

RISC{one_of_the_statements_of_the_century_017b378f8127b557be756bdf12487bff}

Submitted Writeup

Thank you to Tom Lynch for submitting this writeup!

Making a Statement

Challenge description

There’s an account with id 99999 that has made some interesting transactions. See if you can find out more.


Approach

We can look at our own transactions first through dashboard.php and clicking View Transactions on one of our accounts.

Upon doing so we are redirected to statements.php?account=100003

Looks like the account id has been passed as a query parameter in the URL.

Changing the URL to statements.php?account=99999 reveals an account with one transaction with a description of RISC{one_of_the_statements_of_the_century_017b378f8127b557be756bdf12487bff}

So our flag is:

RISC{one_of_the_statements_of_the_century_017b378f8127b557be756bdf12487bff}