Slot Machine Investigation
Information
FrostFest - Frost Tower Lobby
- Slot Machine Investigation
Difficulty: 2/5
Test the security of Jack Frost's slot machines. What does the Jack Frost Tower casino security team threaten to do when your coin total exceeds 1000? Submit the string in the server data.response element. Talk to Noel Boetie outside Santa's Castle for help.
Conversation
https://owasp.org/www-community/attacks/Web_Parameter_Tampering
Parameter Tampering: It seems they're susceptible to parameter tampering.
Intercepting Proxies: Web application testers can use tools like Burp Suite or even right in the browser with Firefox's Edit and Resend feature.
Solution
Ok, this wasn't getting caught by Burp, but I could see it in my Network tab of web inspector.
Ok, I can spin directly:
I tried changing my bet amount to a negative number but it didn't work at all.
Next I tried changing the numline to a negative number. This worked, and I got something about something appearing suspicious in the response.
Now that I'm over 1000 credit:
The string:
I'm going to have some bouncer trolls bounce you right out of this casino!
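The negative numline result above is what happens when a server validates one client-supplied field but trusts another. The following is an added example, not the challenge's server code: a constructed spin handler in its vulnerable and hardened forms. The cost formula (bet_amount * numline), the limits and all function names are assumptions.

```python
# Added illustration: constructed model of a spin endpoint, not the challenge's server code.
# Assumption: the spin cost is bet_amount * numline, deducted from the player's credit.

MAX_BET = 100      # assumed limits, chosen for the example
MAX_LINES = 20


def spin_cost_vulnerable(credit, bet_amount, numline):
    """Validates the bet but trusts numline, mirroring what the write-up observed."""
    if bet_amount <= 0:
        raise ValueError("invalid bet amount")
    cost = bet_amount * numline          # negative numline -> negative cost
    return credit - cost                 # subtracting a negative cost adds credit


def spin_cost_hardened(credit, bet_amount, numline):
    """Validates every client-supplied field on the server before touching the balance."""
    for name, value, upper in (("bet_amount", bet_amount, MAX_BET),
                               ("numline", numline, MAX_LINES)):
        # bool is a subclass of int, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{name} must be an integer")
        if not 1 <= value <= upper:
            raise ValueError(f"{name} out of range 1..{upper}")
    cost = bet_amount * numline
    if cost > credit:
        raise ValueError("insufficient credit")
    return credit - cost


def try_spin(handler, credit, bet_amount, numline):
    """Returns (new_credit, error) so both handlers can be compared side by side."""
    try:
        return handler(credit, bet_amount, numline), None
    except ValueError as exc:
        return credit, str(exc)


if __name__ == "__main__":
    # Constructed requests: a normal spin, then a negative bet and a negative numline.
    for bet, lines in ((1, 20), (-1, 20), (1, -20)):
        print(bet, lines,
              try_spin(spin_cost_vulnerable, 100, bet, lines),
              try_spin(spin_cost_hardened, 100, bet, lines))
```

The hardened handler rejects the request before the balance changes, rather than flagging it as suspicious in the response after the credit has already been applied.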