HackerOne report H1:895722 by kapytein
Jun 10, 2020 - 11:42 p.m.

h1-ctf: [h1-2006 CTF] Multiple vulnerabilities leading to account takeover and two-factor authentication bypass allow sending pending bounty payments


Hi,

First things first, the flag of the CTF challenge.

{F863095}

Write-Up

I’ve published my write-up at https://kapytein.nl/texts/2020-06-10-h1-2006-ctf-writeup-2cf34abd3ed/, in order to avoid a lengthy report 😅.

TL;DR

  1. 2FA bypass, as we control both values in the comparison.
  2. SSRF to software.bountypay.h1ctf.com to discover a BountyPay Android application.
  3. Solve Android challenges using deeplinks. Use leaked Authorization token for api.bountypay.h1ctf.com.
  4. Leaked staff ID on the badge of Sandra allows access to staff.bountypay.h1ctf.com via a POST /api/staff call on api.bountypay.h1ctf.com.
  5. Privilege escalation using GET CSRF.
  6. 2FA bypass via a CSS injection.
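
The first step of the chain, a 2FA check in which both compared values are client-supplied, as an added illustrative example. This is not code from the CTF application or from this report; the parameter names `challenge` and `challenge_answer`, the user names, the six-digit code format and the attempt limit are assumptions chosen to show the bug class next to a hardened check.

```python
"""
Illustrative reconstruction of the bug class behind TL;DR item 1: a 2FA step
that compares two values which both arrive in the same request. Not the
BountyPay code; parameter names, user names and code format are assumptions.
"""
import hmac
import secrets
from typing import Dict, Optional

MAX_ATTEMPTS = 3  # assumed policy: burn the code after this many wrong answers


def verify_2fa_vulnerable(params: Dict[str, str]) -> bool:
    """Vulnerable: the 'expected' value is echoed back to the client (e.g. as a
    hidden form field named 'challenge') and read again from the request, so
    the attacker controls both sides of the comparison and can submit any
    matching pair; omitting both fields also passes ("" == "")."""
    expected = params.get("challenge", "")
    submitted = params.get("challenge_answer", "")
    return expected == submitted


def issue_challenge(store: Dict[str, str], user: str) -> str:
    """Server-side issuance: generate a six-digit code, remember it for the
    user, and return it for out-of-band delivery (SMS/authenticator)."""
    code = f"{secrets.randbelow(10**6):06d}"
    store[user] = code
    return code


def verify_2fa_fixed(store: Dict[str, str], attempts: Dict[str, int],
                     user: str, submitted: Optional[str]) -> bool:
    """Hardened: the expected value comes only from server-side state bound to
    the authenticated user, the comparison is constant-time, a correct answer
    consumes the code, and repeated wrong answers burn it."""
    expected = store.get(user)
    if expected is None or submitted is None:
        return False
    if hmac.compare_digest(expected.encode(), submitted.encode()):
        del store[user]            # single use
        attempts.pop(user, None)
        return True
    attempts[user] = attempts.get(user, 0) + 1
    if attempts[user] >= MAX_ATTEMPTS:
        del store[user]            # user must request a fresh code
        attempts.pop(user, None)
    return False


def demo() -> None:
    # Constructed attacker request: both values chosen by the attacker.
    print("vulnerable:", verify_2fa_vulnerable({"challenge": "x", "challenge_answer": "x"}))
    store, attempts = {}, {}
    code = issue_challenge(store, "alice")
    print("fixed, wrong code:", verify_2fa_fixed(store, attempts, "alice", "not-it"))
    print("fixed, right code:", verify_2fa_fixed(store, attempts, "alice", code))
    print("fixed, replayed:", verify_2fa_fixed(store, attempts, "alice", code))


if __name__ == "__main__":
    demo()
```

The practitioner's check for this class is simple: trace where the value being compared against originates; if it is read from the same request as the answer, the 2FA step is decorative.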

Thank you for organizing this challenge!

Impact

This allows an attacker to process bounty payments of customers.