
Thank you, thank you, thank you. As I say, if you want to take pictures during the presentation, it's okay for me, and if I look good, tag me on Twitter, because I need to change my Twitter picture, so that's fine. Also, this is my first time speaking here at BSides, and in 2019 I think... I think it's not working, okay.

Okay, okay, so in 2019 I went to my first conference outside of Argentina, and that one was BSides, so I'm so excited to be here today. I'm Navarro, I'm 26, I'm from Córdoba, Argentina; it's like in the middle, a small city, a small town. I work as an application security engineer, and sometimes I do some ethical hacking when I'm a little bit bored at home. That's my Twitter if you have any question later or something like that, and for the pictures too. Also, as a fun fact, I love sneakers and I also make clothes, so that's why I have a lot of that [ __ ].

What do you want to see today? I divided the talk into ten different stages, so we're going to see a little bit of introduction, how I found this arcade in Brazil, about the company who is the owner of the product, of the system, some IDORs, broken authorization, security in Android, an account takeover, race conditions a little bit, they have a web page if you want to book some arcade for parties, birthdays and that, so a little bit of that web page, some Shodan servers, NFC, and the conclusions.

Disclaimer: maybe some of these techniques and procedures are not completely legal, so I recommend you don't do this one at your home, and if you do this one, just take care,
and if you find something, please report that stuff immediately. So just don't be [ __ ] and be defacing websites and that stuff. In Argentina that was so normal, like two months ago they were defacing websites from public universities or libraries, and why?

So we can start right now. Last year, last December, I went to Hackers to Hackers in São Paulo; that's a really, really nice conference, so technical, but also they have a lot of parties from Friday to Sunday. In one of those parties I met a girl from Brazil, and the next day we went to get some beers, and after some minutes we saw that there was an arcade place in front of the bar, and then we said, yeah sure, we can go to play some games. We entered the place and there was a small machine like that one, where you can get the card, you can charge, you can check your money and that, and it was running a really old version of Windows. So I stayed in front of the machine for like five minutes, looking at it that way, and I said okay, maybe when I come back to Argentina I'm going to check what's going on over there.

So, stage one. That one was the card, just the name of the company, and that's not much data. So I Googled it and I ran a little dork list, a gobuster with the normal dictionaries, and we didn't get a lot of data: that was just an old version of PHP running Drupal, and they had the info.php exposed. As I say, the version was from 2019, and there's interesting research from Brett Moore, that's the QR code if you want to read it, it's from 2011: if you have file_uploads on and you get some LFI, you can get some access and execute some commands and that. But in this case we don't have the LFI, so it doesn't matter. I ran a little DNS search with dnsx and found some things there; that's the GitHub code, the GitHub QR. We found normal domains, but one subdomain called PL was the web application to check your balance and your history, where you played, charge some money and that. So I tried to do some injection into that one, but that didn't work because there was a middleware, so you cannot do anything, you can just check the movements and charge some credit. So I spent like two weeks on that stuff and I didn't find anything, and I said okay, maybe there's no talk this year, there are no vulnerabilities here.

So after two weeks I turned the card over and I saw at the bottom there was a URL from another, different company. So I Googled it and it was an Argentinian one, and it said, hey, we are the worldwide leaders in creating systems for amusement, entertainment and blah blah blah, not just arcades: we have bowling, we have skate parks, trampoline parks and everything. And that was getting nice, and they have a map with all the clients around the world, public, and there were more than 2,000 installations in around 70 countries. So definitely I said okay, yeah, I want to check what's going on over there. I ran a little DNS search too and I found the API version two documentation, but if you want to generate an authorization token you need the API key and the API secret, just SHA that string, do a SHA-1 and another SHA-1, I don't know why, and then you have the access token. So if you want to check some API, it says okay, that returns a 200 status code, but in the body you can see a status "success", but the success is false and the status code is 403 and access denied. At a certain point it says okay, we need the API key and the API secret; that didn't work. But what happens if we delete the "version two"? In the normal web application that didn't work. Well, we are from Latin America, so that worked, and you get all the data from that amusement park; in this case it's in Orlando, Florida, and some in Monotis. I did another gobuster over the API and I found some endpoints with 200 OK and some data, most of them were empty, and a lot of them with 400 with a lot of errors, the same one I showed you, a syntax error, or just access denied.

So now we can move to the IDOR and broken authorization. What is IDOR? Basically it's when you try to access an object; maybe that's your object and that's okay, but if you ask for the 200th one, and that's not yours, and the application says yeah sure, here you go, that's the IDOR basically. So we can check our card, for example; let's say okay, this one is my card, I have this money in that stuff, I have those tickets, and the image is just the same we showed you. But what happens if we ask for another card? We get access to that one; in this case, okay, this one has $90, those tickets, without any token or something, just checking. And the same with the customers, and also there was a sequential ID, so you ask for customer number one and you get all the data: the first name, the last name, the phone, the picture, where they live, where they play, the card. You have access to those cards with the PIN code; there was a PIN code on the card, but they didn't validate it, so I don't know why they used it. So that was me after I found this [ __ ]. I wrote a little Python script to get some cards with some money inside and some tickets, just to check if that was working, and there was a demo web page, and there were the 2,000 installations with the same stuff. Yes, I came back to the web page and I started to read the different news, and they say okay, we are in Brazil, we are in Prague, we are in Saudi Arabia, we are in Spain, we are in the UK, and there's another one most interesting for you, I think. I don't know if you know that place, but there is a roller coaster close to here; I don't want to say the name or anything, but they use it, you know.

Stage number four: Android application. When I was checking the API I found an endpoint that says you have different sources to get the card: one would be the kiosk at the store, the machine I showed you, and the other one is the CRM mobile.
So I came back to the application store and I didn't find it, because I was in Argentina, maybe, I don't know, so I went to the normal places like apkcombo, APKPure, and there was a list with all the applications. So I downloaded one of those, I decompiled that one just with apktool or Java decompilers, and we get the code, because this one was not obfuscated or something, so that was all in plain text. I ran a little beautifier just to make it more beautiful. Now we can filter, so I ran a grep for the API key and the API secret, the URL, account code, and we get all that data. So we have the key and the secret for the application, for the API version two, and I got more applications just to check if that was the same stuff, and yes, the API endpoint was the same, but the API key, the API secret and the account code changed. That means the endpoint is the same one, but there was a header called account code, and each account code was a company; that was like 13 characters, so it could be quite complicated to guess which one is which. So with that data we can just point to some company, but also we have Google and we have the list of all the customers, so maybe we can search a little bit. But what I'm saying basically, in this case we send a request to the main API with an account code, and then it says okay, this one is an amusement park from Ecuador, and if we search the name of the place, the name of the amusement park, and we send the same request but without the account code, we have the same data. So the API is the same one and we don't need the account code.

What about if we charge some money into that one? We need the token; we have the API key, we have the API secret to generate the token, so we run it, we get the token, and now we can just consume the API, and that's that. There was an endpoint where you can see all the different offers that they have, like okay, you can charge $200 and then you get $50 more for free, and also there was an endpoint to generate sales: just the ID of the offer, the number of the card that you want to charge that money to, and that's it. And also, let's say if you want to do the online recharge automatically, you can just set the parameter "delivered" to true and that's it. So obviously I didn't run this, because I don't want to be in jail, and $200 in Argentina is a lot of money.

About the endpoints in the application, there were almost 30 in that one, all of them in plain text, and also they have the parameters, so you can read the body or the query params in some cases. And there was an interesting endpoint called customer that you can change; yeah, there was a POST, they have the authorization token, but they didn't validate that one, and the body was the name, the email and the newsletter, that was just a random boolean to get some spam in your mailbox. But I think the interesting one was the email, because maybe we can do some stuff if we exploit that thing, because we don't need a token or anything for the user.

So, account takeover and race condition. I ask for my user and it says okay, this one is the demo user, that's your last name and this one is your email. But now we send the POST without any token, just with the account code, and I say okay, now I want to set the email to "foo test", and that's it, and that works, so they don't have any validation. So I recorded a little bit about that, but I'm so bad at editing videos, so sorry, I mean I did my best with the application on the MacBook. So we have the account, the demo account; take over that one: this is your email, "foo test", now we're going to go to a webhook, get that email, send the POST without any token, and then it says okay, status success, this one is your new email. We come back to the login, we ask for the password reset, because this is not our account, send me the password, we receive the email. I usually use a speed-up or something here, but as I say I cannot do it. We reset the password correctly, we set just "one two three", and now we want to log in with the other, with the new email, sorry, and that's it. We have the same account, and the user never receives an email saying hey, your email was changed, was that you or not. So once we get into the profile we can get access to all the cards and the history and all the person's life, basically.

Race condition is when you want to get some different processes at the same time; you have some different cases, that one is the QR code for the PortSwigger lab, that's really nice. Basically you want to use the same process at the same time, but you have different attacks, it could be so complicated, but in this
case I just wrote... well, this one was the offer that says hey, install the application on your phone and you're going to get 300 tickets. So I wrote a little Python script, just a normal one, I mean, I just send a POST and that's it, with 100 threads, nothing complicated, nothing so hard. So I ran it and that was five hits, and we check the history and we get all the tickets into our account, and in this case we just got tickets, but there was another one like hey, you want to get $200 or $100 and more points, and obviously I didn't try that one either.

About the bookings, I found that stuff in the application that says okay, online booking, start reservation. I ran a gobuster over there and we have a lot of folders exposed, but the most important one was the tmp, the upload data. The tmp has some XML logs, store data, and some about the endpoints; you get some APIs over there, you have some values, but it's not so important in private data, I mean it is, but not too much. I wrote a Python script too to get some interesting files, because there were a lot of pictures, just the logo and that stuff, there was not so much nice data, and I found three different folders called "factura Argentina", that means like invoices Argentina, and when I entered that one they had certificates. I searched a little bit, and in Argentina they use that stuff to say hey, I'm this company and I pay or I receive this money from that person, so you can do some funny stuff with that one, but if we have the certificates we need the invoices over there. So in the data there were all the invoices from Argentina, with a lot of customer data: the address, the phone, how they pay, with which card and that, and there were almost 600, 700 records. And about the booking manager, one of the endpoints was called post, and it says search the reservation by last name or reservation code, and you have the input and search, but what happens if you just click search without any data? You get all the reservations, so you get all the customers, you get all the data: who they are, how many people, how they pay. But those ones are new; this one I think was from April, March, when I was working on the talk. But also the web page was a little bit weird, because they have a lot of errors in the application, you can read some code over there, you have some injections too, and also there was a fun thing that you can tip the waiter, but you can set a negative tip, so it's less money that you have to pay.

Shodan servers. As I say at the beginning, sometimes I'm a little bit bored at home and maybe on Sunday I open Shodan and I start to find something, just to have some fun. In this case they have the Sendex public, so you can create an account without any validation, I mean, you can just set a random email and that's it, and you can get some videos inside, I mean they have a lot of network maps, like okay, this one is the infrastructure, you can get some API secrets, some passwords, some API keys, so they have a lot of videos with a lot of data. There was a go-kart here in the US too who was using the same stuff, and they have the administration panel public, so you can get all the users from the API, the name, where they live, the ages; that was without token or firewall, so you can do some DDoS and that's it. And also they have the panels public, I mean, when you are on the karting you have all the monitors over there, so you can see that stuff. Shodan is not so funny, but you can see it. About Spain, there were different amusement parks from the same company, and they have published this stuff, that is like the administration panel for each amusement park. I tried to do some SQLi and that didn't work, but they had exposed the webpack, so you can read all the code from the application, and they have an API where you can check the different machines, and that gives you the status and the public IP for that machine, the format of the machine, so you can get some fun from that way too. You have all the roles, there were just four, but also they have the login part, and you remember the first JSON I showed you, with all the status, access, status file; that was something similar. And I say okay, if the status code is 100 just give me the token, that's it, go away, but if the status code is 47 do something, but if it is 420 do another stuff. I say okay, what is 420? At the beginning I was thinking this was talking about weed or something like that, but no, for 420 that gives you another screen that says okay, you can reset the password for the user that you want to use, so this was a random user and you can set the new password and that's it, no validations, no token, anything. So this is like the same type I showed you at the beginning.

About the NFC, I don't want to go in deep with this one because the card, to be honest, was so simple, but there is an interesting article from Jim Alonso from Spain who shows you the different vulnerabilities in NFC, in the Mifare Classic system and that. In my case I used the Flipper Zero, so I read it: there was a Mifare Classic, you have some data like the manufacturer, the UID, each block... the card has 16 sectors with four blocks each, you have one for the key and that. But in this case the card was almost empty, the key was the default, just FFF..., and in the second block... in the first one you have the info about the company, but in the second one you have that stuff, and when you decode it, that one is just the number of the card. So there are no validations, so you can just change your card and use the different card that you want to use. And also I went to Spain like one month ago, I think, to EuskalHack, that's a nice conference too, and after the talk one guy came to me and said hey, I went to the amusement park with my kids last week and I have the card here if you want to read it. I said sure, let's go. It was the same empty card, just a number over there, so basically all the cards around the world have the same vulnerabilities, but for those tests you need a Flipper Zero or some different tool for NFC. So I came back to the application and I started to read the code, and it says okay, if you don't have iOS... if iOS and NFC play is okay, do something. So I continued reading and said okay, maybe this one is a little bit interesting. I downloaded the application here from the US, I used that phone in this case, so we logged into our account, and there was a part in the application where you can get access to all your cards and also you can emulate those cards with your phone, so you don't need a Flipper Zero or something like that to do that, just get the application, get a phone with NFC. You have the account takeover stuff too, so you can get all the cards on your phone, and that's it.

We are close to finishing, I don't know what time it is but I think we're okay. What can we do, basically? We can get access, we can get the data for all the customers, we can emulate cards, access them, charge some money or earn multiple times the same prizes. And what about here in the US? Here is one of the countries with the most clients that they have, but what about here in Vegas? But first of all, just try not to do something too bad after this one. They have some stuff here: they have an amusement park and arcade somewhere here, they have an arcade in another place, a random place, I don't know which one, and there's a new place, there's a bar, a barcade or bar arcade, that's the new one I saw on Twitter like one month ago, and it's somewhere there too. But please, as I say, don't be an [ __ ], please.

Well, in 2024 we are still having some shitty vulnerabilities and misconfigurations, so you can go to the basics, find something interesting, and do a little bit of damage in that stuff. And the DevOps culture could help out the company, because if you are fixing the vulnerabilities at the beginning you don't need to wait until they are in production and make all the patches. And what we always have: security education and training for all the people, blah blah blah, the normal stuff, I mean, not just for the security or the developers, for the whole company.

There was an update, because I presented this talk at BSides Colombia in April, and at that moment they never replied to me, but after that I think they saw the talk or something and we had a meeting over there in Colombia. I was scared as [ __ ] about that, and we met and said okay, let's work together, it's fine, okay, I'm doing this one for free, but if you want to pay it's okay, I just want to report it to you and you need to fix it, it's fine. That was in April; in May I wrote the report and I sent the report to them, and they never replied to me. So I did my best, at least. So if you find something, please report it; have some fun, I mean, you can report it, write the talk and present it here at BSides, but don't be defacing websites or just doing some [ __ ] stuff over there. And if someone sends you a report, please pay a little bit of attention; you don't need to pay them, but say hey, thank you for reporting this one to me, we're going to work on this one, and that's it. And that's almost all, because tomorrow there's the other version of the talk at Skytalks, at 3 p.m. I think, yeah, at 3 p.m., and there will be more data than I can show you right now with that camera pointing at me. But if you want to get more sensitive data you can go there tomorrow; for the entrance you need the ticket, you need a token that they are doing over there, and also you need to give me a beer, I think that was in the documentation, I don't know, anyway. But that's all, people, thank you so much.
Thanks. Any questions? Cool, can you use the mic? Thanks, I saw a hand, thank you.

Question: Hey, great presentation. I missed the part where you were first exploiting the API: how did you get the API token, or how did you...

Answer: No, I mean, I got a token from the Android application.

Question: Ah, okay.

Answer: But most of the endpoints didn't have any validation or something like that; they only validate the token in the charge, for charging money, so that's it.

Time for one more? All right, thank you so much, thank you.
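The card IDOR and the "install the app, get 300 tickets" race condition the speaker describes, as an added example that is not part of the transcript and not the vendor's code: an in-memory stand-in for the API with the unchecked card lookup beside an ownership-checked one, and a check-then-act offer claim beside a locked one, each hit by 100 concurrent threads like the speaker's script. The data store, the function names and the lock-based fix are assumptions for illustration.

```python
"""Added example (not from the talk or the vendor): the card IDOR and the
"install the app, get 300 tickets" race condition the speaker describes,
each beside a fixed version. Data store and lock are constructed stand-ins."""
import threading
import time

# Constructed sample data: sequential card ids, as in the talk.
CARDS = {
    1: {"owner": "customer-1", "balance": 90.0, "tickets": 120},
    2: {"owner": "customer-2", "balance": 5.0, "tickets": 0},
}
OFFER_TICKETS = 300  # the "install the application" offer

def get_card_idor(session_customer, card_id):
    """Vulnerable lookup: trusts the id in the request and never checks
    who owns the card, so a caller can simply walk the sequential ids."""
    return CARDS.get(card_id)

def get_card_checked(session_customer, card_id):
    """Fixed lookup: returned only to the owner. 'Not yours' and 'does not
    exist' both give None, so the check does not confirm which ids exist."""
    card = CARDS.get(card_id)
    if card is None or card["owner"] != session_customer:
        return None
    return card

class Account:
    """One customer's ticket balance plus the offers already claimed."""

    def __init__(self):
        self.tickets = 0
        self.claimed = set()
        self._lock = threading.Lock()

    def claim_offer_racy(self, offer_id):
        """Check, then act, with a window between them: parallel requests
        can all pass the check before any of them records the claim."""
        if offer_id in self.claimed:
            return False
        time.sleep(0.001)  # stands in for a slow database round trip
        self.claimed.add(offer_id)
        self.tickets += OFFER_TICKETS
        return True

    def claim_offer_atomic(self, offer_id):
        """Check and act under one lock (in a real service: a transaction
        plus a unique constraint on (customer, offer)); exactly one wins."""
        with self._lock:
            if offer_id in self.claimed:
                return False
            time.sleep(0.001)
            self.claimed.add(offer_id)
            self.tickets += OFFER_TICKETS
            return True

def hammer(account, method, threads=100):
    """Fire `threads` concurrent claims of one offer, like the speaker's
    100-thread script, and return the tickets the account ended up with."""
    target = getattr(account, method)
    workers = [threading.Thread(target=target, args=("install-app",))
               for _ in range(threads)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return account.tickets
```

Running `hammer(Account(), "claim_offer_racy")` usually grants the offer several times over, while the atomic version always ends at exactly 300 tickets.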