How to gain access into a bank's web application (THM Lab session)
First step is to setup your environment with the appropriate system (linux distribution) like Kali-linux or Parrot, But I will be using the interface offered by THM(Try Hack Me).
You need to find the web application's domain name through reconnaissance (as for me, it was already provided)
Next thing is to discover any hidden directories and web pages which may contain loopholes that can be exploited, and it can be achieved by using the command:
gobuster: is a command line application used to bruteforce the website to find hidden directories
-u : used to state the website we are scanning
-w: takes a list of words to iterate through to find hidden directories
wordlist.txt: contains a list of names for directories which we iterate to compare with the searches made of the domain
http://fakebank.com
As you can see on the image above, we found two hidden pages and to discover more about them, we will type in the website to see what they contain
Upon seraching in the /bank-transfer directory we were able to access the transfer platform easily and with that we can easily transfer money from a bank's client account to ours.
Upon entrying infirmation into the blank boxes, you will be able to transfer cash as seen below
As a pentester working for a company, you will be brought about to perfrom similar tasks (in the real-world).