Web Ring - Open Boria Mine Door Walkthrough

After hearing more hints from Alabaster Snowball upon completing the Boria PCAP mining challenge, we walk to Hal TandyBuck, who asks us to unlock the Boria Mine door. Upon accessing the terminal we are presented with an HTML/graphics programming challenge in which we need to link up the two color sensors in each panel, and link them all up together, to open the mine door.


Hints collected on this challenge give us some direction around what needs to be done in order to connect the color sensor and what controls we need to bypass.

Challenge Difficulty 3/5

1. The locks take input, render some type of image, and process on the back end to unlock. To start, take a good look at the source HTML/JavaScript.

2. Developers use both client- and server-side input validation to keep out naughty input. (input validation bypasses?)

3. Understanding how Content-Security-Policy works can help with this challenge. (maybe we will have to use Burp?)

After doing a bit of reading from the following reference URLs, below is a quick primer on SVGs (Scalable Vector Graphics).

  • https://developer.mozilla.org/en-US/docs/Web/SVG/Tutorial
  • https://www.w3.org/Graphics/SVG/IG/resources/svgprimer.html

Example SVG code

Green highlights the opening and closing of the SVG section.

Red highlights the type of vector image we are planning to draw; rectangle and line are the 2 I have used to solve this challenge.

Yellow highlights the positioning of the vector graphic, which we will be tweaking the most.

Blue highlights the attributes we will be tweaking to match the color of the sensors; depending on whether it is a rectangle or a line, some properties get added or removed.

Note: Occasionally I have used viewBox to expand the SVG viewport to avoid my vector being truncated by the default position and dimensions.

With this as an initial template, the code below will unlock the Boria mine door, in the order of the SVGs provided.

1.  <svg xmlns="http://www.w3.org/2000/svg"><rect x="0" y="10" height="30" width="200" fill="white" stroke="white" stroke-width="2"/></svg>

2.  <svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><line x1="-5" y1="35" x2="220" y2="150" stroke-width="20" stroke="white"/></svg>

3.  <svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><line x1="-5" y1="50" x2="220" y2="-20" stroke-width="20" stroke="blue"/></svg>

This unlocks the mine door, but you can continue to solve the further challenges for a hint and additional KringleCoins. In the same way, the 4th SVG code below has 2 vectors that need to be drawn, for which I have used two rectangles.

4.  <svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><rect x="0" y="10" height="20" width="100" fill="white" stroke="white" stroke-width="2"/><rect x="0" y="50" height="20" width="100" fill="blue" stroke="blue" stroke-width="2"/></svg>

Now when we try to connect the red and blue sensors in the 5th box, we are presented with an error as below instead of the vector graphics being drawn.

Based on the output we can see that our opening and closing brackets are being filtered. So we add an additional opening and closing bracket in all places, which bypasses the input filter. Input validation reference: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html

5.  <<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">><<line x1="-5" y1="50" x2="220" y2="-60" stroke-width="10" stroke="red"/>><<line x1="-5" y1="75" x2="220" y2="-20" stroke-width="10" stroke="blue"/>><</svg>>
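
The bypass in step 5 works because a filter that deletes characters, instead of rejecting the input, can leave markup behind. The following is an added example, not code from the challenge or from this walkthrough: `stripOnce` is a hypothetical model of such a filter (its single-pass behaviour is an assumption), shown beside allowlist validation, the approach the OWASP cheat sheet linked above recommends, and output encoding. All function names and the sample input are constructed.

```javascript
// Added example: a hypothetical model of a bracket-stripping filter,
// not the challenge's actual code.

// Constructed sample input using the doubled-bracket pattern from step 5.
const DOUBLED = '<<svg>><<line x1="0" y1="0" x2="9" y2="9" stroke="red"/>><</svg>>';

// Weak (assumed): a non-global regex removes only the FIRST match,
// so the second bracket of the first pair survives.
function stripOnce(input) {
  return input.replace(/</, '').replace(/>/, '');
}

// Stripping every match closes that gap, but still silently rewrites
// the input instead of refusing it.
function stripAll(input) {
  return input.replace(/[<>]/g, '');
}

// Allowlist validation: reject anything outside the expected alphabet.
// The alphabet is an assumption suited to a plain value such as a color.
const ALLOWED = /^[\w .,()#-]{1,200}$/;
function acceptOrReject(input) {
  const ok = typeof input === 'string' && ALLOWED.test(input);
  return { ok, value: ok ? input : null };
}

// Output encoding: whatever is echoed into HTML is rendered as text.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

console.log('stripOnce :', stripOnce(DOUBLED));        // still opens with <svg>
console.log('stripAll  :', stripAll(DOUBLED));         // no brackets left
console.log('validate  :', acceptOrReject(DOUBLED));   // rejected
console.log('validate  :', acceptOrReject('rgb(0,255,0)'));
console.log('escaped   :', escapeHtml(DOUBLED));
```

Validation on the client alone can be skipped by anyone who sends the request directly, so the reject-and-encode steps belong on the server.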

Now for the 6th box we need to match the green sensor with the exact color, and to do that we will use the “rgb(0,255,0)” color values. This code adds 1 rectangle that connects the green sensor and 2 lines that connect the red and blue sensors. Based on the hint provided I am supposed to be bypassing the Content-Security-Policy by intercepting the traffic, but for some reason my input got accepted and unlocked all 6 of them.

6.  <svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg"><rect x="0" y="12" height="10" width="200" fill="rgb(0,255,0)" stroke="rgb(0,255,0)" stroke-width="2"/><line x1="-5" y1="37" x2="220" y2="77" stroke-width="10" stroke="red"/><line x1="-5" y1="57" x2="220" y2="150" stroke-width="10" stroke="blue"/></svg>

Troubleshooting

Christmasmajic.js was a rabbit hole file that I went into; I happily killed time and learned some good things about JavaScript deobfuscation by Melissa Bischoping (not related to this challenge).

