The Advent of Cyber: Day 12: Web timing attacks: If I can't steal their money, I'll steal their joy! (TryHackMe)
In this article, we’ll cover Web Timing Attacks Attacks—If you'd like to WPA, press the star key! writeup as the Day 12 challenge of the Advent of Cyber event challenge. This is the second time I’m using Burp Suite, and I am just getting to navigate it, from the settings of allowing Burp Suite to run without a sandbox then turning off the intercept and navigating between the browser, Burp Suite’s Proxy and repeater is just an interesting learning experience. We’re still at Wareville for SOC-mas!
First, follow the walkthrough as written, and try doing it yourself till you find the balance of $-4500. Start the machine then add the browser setting, under proxy turn off the intercept, open HTTPS History, open the browser, on the browser log in as a tester, and transfer $500 to account number 111. This will open up the /transfer history on the proxy and it will allow us to send it to the repeater
Once we’ve sent it to the repeater we’ll use CTRL+R to open it up to 10 on the repeater then we’ll click on the + icon and select the create tab called funds, mark all the 10 then where we’ve Send button, we’ll now see a drop-down icon and we’ll select the send group in parallel then click on it. Going back to the browser we’ll see a balance of $-4500.
- What is the flag value after transferring over $2000 from Glitch's account?
THM{WON_THE_RACE_007}
Having understood how this works, we’ll now be able to answer our questions. We’re supposed to log in to Glitch’s account, credentials are provided, we’ll transfer to an account, visit the burp suite, select the transfer, and send to the repeater, this time we’ll CTRL+R, four times, then create a tab, select the 4 since we’re expected to spend more than $2000 on glitch’s account, and naming the tab, then changing from send button to send group in parallel button and clicking on it. Once we’ve clicked we’ll visit our browser and see a balance of $1500 with our flag.
Thank you for reading through this article. You can leave a comment with your thoughts: areas to improve or other suggestions and questions if any. Till the next one, stay secure!