Donald Ashdown

SANS KringleCon Objective 4

Objective

Challenge

In this challenge we are tasked with taking our total coin count above 1000, which will result in Jack Frost's security team giving us a talking to.






So, taking a look at the "Frosty Slots" application, we proceed to play the game and check it out. But first we fire up Burp Suite in order to intercept the requests and look for parameters we can modify.


Req 1


Looking at the first request we see some simple session information and the default values for the game, nothing special that we can modify and send to the slot machine.



Req 2


Looking at the second request we just see some viewport and general page formatting information, nothing special.


Req 3

The third request shows us the script and files running and this is nothing special.


Req 4


Nothing here on the 4th request.


Req 5


Again nothing helpful, just the betting parameters in the response.


Req 6


Nothing here.






Request 7

This request, however, has some juicy info in the POST body that we can modify before sending it to the slot machine. So we simply tamper and play around with the values until we eventually land on a negative integer overflow for the cpl value. As soon as we do this we notice our credits start going up, at which point we proceed to continually submit this request until we reach 1000 credits or more.



At this point Jack Frost's security team kicks us out and tells us "I'm going to have some bouncer trolls bounce you right out of this casino", and there we have it!
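
The root cause behind request 7 is a server that trusts the bet fields in the POST body. The sketch below is an added example, not code from the challenge or from this write-up: it puts a handler that accepts any cpl next to one that validates it server-side. Only the cpl name comes from the request; the other field names, the cost formula and the limits are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Hypothetical allow-list for cpl; the real machine's values are not on the page.
ALLOWED_CPL = {Decimal("0.1"), Decimal("0.25"), Decimal("0.5"), Decimal("1")}


class BetRejected(ValueError):
    """Raised when a client-supplied bet field fails server-side validation."""


def charge_naive(credits, bet_amount, lines, cpl):
    # Trusts the POST body as sent: a negative cpl yields a negative
    # cost, so "charging" the player adds credits instead.
    cost = Decimal(bet_amount) * Decimal(lines) * Decimal(cpl)
    return credits - cost


def charge_validated(credits, bet_amount, lines, cpl):
    # Parse strictly, then check every field against server-owned limits.
    try:
        bet, n_lines, per_line = Decimal(bet_amount), Decimal(lines), Decimal(cpl)
    except (InvalidOperation, TypeError, ValueError) as exc:
        raise BetRejected("non-numeric bet field") from exc
    if not all(v.is_finite() for v in (bet, n_lines, per_line)):
        raise BetRejected("non-finite bet field")
    if per_line not in ALLOWED_CPL:
        raise BetRejected(f"cpl {per_line} is not offered by the machine")
    if bet != bet.to_integral_value() or not 1 <= bet <= 10:
        raise BetRejected("bet amount out of range")
    if n_lines != n_lines.to_integral_value() or not 1 <= n_lines <= 20:
        raise BetRejected("line count out of range")
    cost = bet * n_lines * per_line
    # Defence in depth: the charge must be positive and covered by the balance.
    if cost <= 0 or cost > credits:
        raise BetRejected("cost must be positive and covered by the balance")
    return credits - cost
```

Rejections raised by the validated handler are also worth logging with the session identifier, since repeated out-of-range bet fields from one session are a clear tampering signal.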


