Web Ring - Glamtariels Fountain Walkthrough

-

This is one of those challenges that was personally interesting, especially due to an Error I was making in the payload and and interesting challenge to implement XXE type attack. And this time it was definitely time for BurpSuite to be used (Free version is sufficient). As we progess through the doors upon completion of Borio Mine doors we are greeted and presented to look at an XXE type of challenge. When clicked at the fountain we are are redirected to the following URL https://glamtarielsfountain.com/

Difficulty Level 5/5

Where at the bottom of the page there are values Snack and Ticket. Which upon inspection of the JavaScript on the HTML page are nothing interesting and a rabbit hole to avoid with regards to cookie tampering or CSRF related attack.

It took some time for me to understand the different responses of the website and hit the reset button provided on the website accordingly.

 

Two Behaviours to note:


1.     If you see the following Response “Trying to TAMPER with Kringlecon’s……Please click him out of here”, then it means either you tampering with the cookie is not liked by the website or your cookie has expired and time to hit the rest button in either case. Check if the Snack and Ticket values are refreshed with new ones before you proceed

NOTE: image path starting with “static/images/Grinchun…..” in the response


2.     If you see the following Response “ Zoom, Zoom very Hasty, can’t do that yet!”. Then it means that you’ll have to wait until the 4 ring option appears and then try inject your XXE payload repeating one of those captured traffic in Burp.


Now in interacting with the website, we can drag and drop the icons from the right corner into the fountain or drop on the princess to collect more information. As we drag and drop items as per our hint, take notes on the Uppercase characters in from those messages. Example below


Where you can see as items get dropped on either of them, talking note of the Uppercase characters reveals more hints. (unsure what that eye was for, unsure if its an easter egg, was not interested to follow through :p)

Full list of uppercase characters

PATH, APP, TAMPER, SIMPLE FORMAT, RINGLIST, TYPE

 

And we near the end of the Drag of Drop game, we start seeing the rings icons show up. And the princess talking about silver rings being her favourite

Now lets capture one of the ring traffic for further steps of XXE injection. If you are beginner for using Burpsuite have pasted link in the troubleshoot section for Burp Academy that will help Burp and XXE related attacks

Based on the clues given through uppercase characters PATH, SIMPLE FORMAT (txt file ?) and RINGLIST (filename ?) lets try to retrieve file ringlist.txt from the previous identified image path with XML as an XXE payload to retrieve the file

 

Payload

<?xml version="1.0" encoding="UTF-8" ?>

 

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///app/static/images/ringlist.txt"> ]>

<root>

  <imgDrop>&xxe;</imgDrop>

  <who>princess</who>

  <reqType>xml</reqType>

</root>

 

We also need to modify the conent-type parameter to XML with the intercepted request in Burp. Inorder to do this intercept one of the drag and drops request of the rings icon. Where in both request and reponse we will see JSON format, for XXE to be successful we should be able to change it to XML format with the request as we intercept. edit content-type to application/xml. Then add the XML payload instead of the JSON data in the request



Note: whitespaces can be an issue with the XML, so make sure the line breaks from your editor is all sorted out before you paste the payload in Burp

 

When queried for the ringlist, we were presented with the following image upon visiting the URL in the response

Text in the image: x_phial_pholder_2022, bluering.txt, redring.txt

 

Seems like redring.txt and bluering.txt are within the folder x_phial_pholder_2022, so if we modify our XXE payload as per the newly discovered folder path


The princess did mention heavily about her liking to Silverring , how about we force browse and look for silvering.txt via the XXE


We are presented with the following image upon visiting the URL in the response. 

Font in the image reads as goldring_to_be_deleted.txt, which leads us to inject our next payload grabbing this txt file.


Did not yield us the results we expected, but if we take a look at the response carefully, its hinting us something to do with the REQ and TYPE. So then if we move our injection into <reqType> tag guess that should work. So in our modified payload our external entity &xxe; will be moved into <reqType> Tag and the <imgDrop> tag will have default img1 value.


And if you navigate to the URL listed in the response, you hit the gold ring and the answer for the question is the URL of the this gold ring image. With that one of the toughest challenge is solved ;)

Troubleshoots

  • Avoid VSRF related rabbit holes
  • Avoid Cookie tampering related rabbit holes
  • If you see the following response “Trying to TAMPER with Kringlecon’s……Please click him out of here”, hit Reset button
  • If you see the following response “” , Wait until the silver ring or 4 rings show up, then start injecting the XXE payload. Or script yourself to the 4 rings stage if you hold a premium version of Burp
  • With XXE Payload, careful with whitespace (this made to circle around this challenge for hours  https://portswigger.net/web-security, https://portswigger.net/web-security/xxe
Full Map

Web Ring Unlocked !





Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Tolkien Ring - Wireshark Practice walkthrough

-
Image
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark Difficulty Rating: 1/5 Hints Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark   Solutions 1. What kinds of objects can be exported in the pcap file ?  HTTP Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.   2. Name of the biggest file you can export ?  app.php (808kB) Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php     3. Packet number where app.php starts ?   687 In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for tha
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more