CMD + CTRL - ShadowBank
The CMD+CTRL Cyber Range suite features intentionally vulnerable applications and web sites that tempt players to steal money, find out their boss’s salary, purchase costly items for free, and conduct other nefarious acts.
March 19 - March 21 2020
CMD + CTRL March Hackness 2020
This year's March Hackness finally gave me a chance to dig into the ShadowBank scenario, which I'd left only 5 or 10 minutes to play with at my first CMD + CTRL event!
These vulnerable sites are part of an active commercial cyber-range, and they request that participants not post public write-ups, so this post won’t reveal any deep, dark secrets, just some general notes, thoughts, and findings.
I finally feel like I'm getting the hang of these website security assessments. I was able to knock off the simple encoding and IDOR vulnerabilities in pretty short order and spend some time with SQL injection and vulnerable services which I hadn't had a good chance to tackle in previous offerings. I have a much better handle on my tools, like sqlmap, hashcat, and metasploit, and I learned a lot more about SQLi than the basic attacks I'd seen and done in lessons and challenges up to this point.
It showed me some areas for improvement, like file upload exploitation and more SQL injection, and I was very happy with how far I've come since the last one!
FINAL RESULTS
ShadowBank – 41/48 challenges solved for 8220/11020 points
Rank 32/795 (326 with non-zero scores)