The CTF

Welcome to HSBC&L's CTF Challenge! For this challenge we've decided to open up our very own, very legit banking service. The Happy Save Banking Corporation (and laundry service) automated banking solution is safe, simple, convenient and impervious to all hax. We ask you, the best, the brightest, the 3l33t, to call upon your 5k1llz and help us test our system and back up our entirely realistic claims.
While playing please observe these rules:

Rule 1

Please DO NOT tamper with the hardware. This is serious, please don't ruin the fun for everyone else.

Rule 2

The challenge is designed in such a way that participants can finish all of the challenges with a personal computer and smart card reader. Columbia students can borrow one from the Mudd Building CS Lounge, and Cooper students can find one in the Comms Lab.

Rule 3

Bribes are immoral, illegal and would tarnish the good name of HSBC(&L). Please do not test the integrity of any member of the underpaid, overworked HSBC(&L) team unless you have something really good to offer.

HSBC(&L) values our customer experience. To get started, please:

1. Get two bankcards and a smart card reader at the Columbia University or Cooper Union career office. Columbia students will have to get a card reader from CRF.

For CSAW 2019 participants, come by our ATM location and speak to our representatives to open an account:

Thursday 11am-late - Makerspace, Tandon School of Engineering, 6 MetroTech Center, Rogers Hall, Room 118
Friday 9am-4pm - NYU Brooklyn Athletics Facility, 6 MetroTech Center
6 MetroTech Center, Brooklyn, NY 11201

2. Go to your school's HSBC&L ATM location and press the pupmoney button to get further instructions.

3. Read through the developer's portal (instructions are on the ATM receipt) and developer's page on the website for challenges, hints and rewards.

4. Register your name and cards at the leaderboard.

5. Start hacking!

m@sterhack

H4CK3RS



There are 6 challenges in this CTF. Some of them have a flag in the form of http://10.0.0.2:8080/<flag>.html, which will be an endpoint that gives you a new PIN. Use this PIN with your debit card at the ATM to claim the cash -- the money is all yours! Use the money to party, or HACK THE PLANET. Each challenge has a different payout:

W1ND0WZ : $4
33PR0M : $6
L4UNDRY : $8
ST3G0 : $12
CR3D1T : $30
SM4RTC4RD : $40
TOTAL : $100

By the way, your default PIN is 1234.

Access the ATM web portal

To get started on the ATM web portal (important for most of these challenges), go up to the ATM and have it print you a self-portrait. It just takes the press of a button.

W1ND0WZ

Flag: A string to insert in http://10.0.0.2:8080/<flag>.html

A simple challenge to get you started. It's under the README on the ATM web portal.

33PR0M

Flag: A string to insert in http://10.0.0.2:8080/<flag>.html

There’s something hidden in your debit card chip. Can you find out what it is?

Our debit infrastructure is dated. Our credit cards are using the latest and greatest EMV technology, but our debit cards use something older and simpler. Not all card readers support it (our ATM doesn't even support it, which is why it reads the magnetic stripe).

You'll need a smart card reader for this challenge - Don't forget to RTFM (the one with the good technical details).

L4UNDRY

Flag: There is no flag - you just need to find a way to get the refund

HSBC&L values customer satisfaction, especially when it comes to our laundering services. If any customer complains about clothing items damaged as a result of our services, we refund the claimed value of the item (no questions asked), and the customer can claim their reimbursement through our ATM web portal. Unfortunately for you, only approved HSBC&L staff can enter your complaints into our database. Can you find a way around our defenses and leave your pockets overflowing with cash?

1. Your Account ID for the login page is the same as your debit card number.

2. Try thinking with portals. Or at least see if they have any hints...

ST3G0

Flag: A string to insert in http://10.0.0.2:8080/<flag>.html

Have you tried using your HSBC&L credit card with the ATM?

You'll need a specific online tool for a part of this challenge. Which tool? It's related to what the following two things have in common:

* kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
   kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
   kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
   kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
   kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
   kkkkkkkkkkkkkkkkkkkkkkkkkkkkkk

* 337920

CH1P

Flag: There is no flag - you just need to find a way to get the money

Your credit card application has been approved with $30 credit! Unfortunately, our smart card staff has forgotten to update the HSBC&L applet with your credit card number! It will take 9999 business days for us to send a new card to you – can you retrieve your $30 credit in the meantime? We understand that not a lot of people know about Java Cards and chip technology, so we offer a few guidelines for you to get started:

1. Try this APDU Command: 00A4040008A00000000333101000

2. The number on the back of your credit card is - you guessed it - your credit card number.

3. The "1337" Applet is a dummy applet for you to play with, you should use it to experiment before finding and manipulating the HSBC&L applet.

4. Don't forget, your default PIN is 1234
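Guideline 1 above quotes a raw hex string without saying what it is. The decoder below is an added example (not code from the CTF page or the HSBC&L organisers) that splits an ISO 7816-4 command APDU into its CLA/INS/P1/P2 header, Lc, data and Le fields, so a reader can see that the quoted command is a SELECT by application identifier (INS=A4, P1=04) whose data field is the 8-byte AID. The instruction-name table is a small constructed lookup, the helper names are my own, and the code only parses bytes; it never talks to a card.

```python
"""Decode an ISO 7816-4 short-form command APDU into its fields.

Added example for the CH1P guidelines; not part of the CTF page. It
parses the command structure only and sends nothing to a card.
"""
from dataclasses import dataclass
from typing import Optional

# Sample value: the APDU quoted in guideline 1 on this page.
SAMPLE_APDU = "00A4040008A00000000333101000"

# Constructed (non-exhaustive) table of ISO 7816-4 instruction bytes.
INS_NAMES = {
    0xA4: "SELECT",
    0x20: "VERIFY",
    0xB0: "READ BINARY",
    0xB2: "READ RECORD",
    0xCA: "GET DATA",
    0xC0: "GET RESPONSE",
}


@dataclass
class CommandApdu:
    cla: int
    ins: int
    p1: int
    p2: int
    data: bytes = b""
    le: Optional[int] = None  # None when no Le field is present

    @property
    def ins_name(self) -> str:
        return INS_NAMES.get(self.ins, f"INS 0x{self.ins:02X}")


def parse_apdu(hex_string: str) -> CommandApdu:
    """Parse a short-form (single-byte Lc/Le) command APDU given as hex.

    Handles the four ISO 7816-4 cases:
      case 1: header only
      case 2: header + Le
      case 3: header + Lc + data
      case 4: header + Lc + data + Le
    Raises ValueError on malformed input (short header, Lc not matching
    the bytes actually present, stray trailing bytes).
    """
    raw = bytes.fromhex(hex_string.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("APDU header needs at least 4 bytes (CLA INS P1 P2)")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]

    if len(body) == 0:                      # case 1
        return CommandApdu(cla, ins, p1, p2)
    if len(body) == 1:                      # case 2
        return CommandApdu(cla, ins, p1, p2, le=body[0])

    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc:
        raise ValueError(f"Lc={lc} but only {len(data)} data bytes present")
    rest = body[1 + lc:]
    if len(rest) == 0:                      # case 3
        return CommandApdu(cla, ins, p1, p2, data)
    if len(rest) == 1:                      # case 4
        return CommandApdu(cla, ins, p1, p2, data, le=rest[0])
    raise ValueError(f"{len(rest)} trailing bytes after the data field")


def is_well_formed(hex_string: str) -> bool:
    """True if the hex string parses as a short-form command APDU."""
    try:
        parse_apdu(hex_string)
        return True
    except ValueError:
        return False


def describe(apdu: CommandApdu) -> str:
    """One-line human-readable summary of a parsed command APDU."""
    parts = [f"CLA=0x{apdu.cla:02X}", f"INS={apdu.ins_name}",
             f"P1=0x{apdu.p1:02X}", f"P2=0x{apdu.p2:02X}"]
    if apdu.ins == 0xA4 and apdu.p1 == 0x04:
        # P1=0x04 on SELECT means "select by DF name", i.e. by applet AID.
        parts.append(f"AID={apdu.data.hex().upper()}")
    elif apdu.data:
        parts.append(f"DATA={apdu.data.hex().upper()}")
    if apdu.le is not None:
        parts.append(f"Le=0x{apdu.le:02X}")
    return " ".join(parts)


if __name__ == "__main__":
    print(describe(parse_apdu(SAMPLE_APDU)))
```

Run as-is, the script reports the page's command as a SELECT by AID with an 8-byte data field and Le=0x00; the same parser works for any other short-form APDU you capture from a reader log, and rejects strings whose Lc does not match the bytes present.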

SM4RTC4RD

Flag: A string to insert in http://10.0.0.2:8080/<flag>.html

Personal privacy and security have always been a top concern for HSBC&L. Therefore, we are developing a new applet that enforces Cardholder Verification Methods (CVM). Anyone who successfully bypasses this will be given a monetary reward! Visit our ATM Portal for more details!
