Open the door to the Boria Mines. Help Alabaster Snowball in the Web Ring to get some hints for this challenge.
Let's just right-click -> show frame source on the lock window to find out the destination: https://hhc22-novel.kringlecon.com. The interesting parts here are:
...
<div class="iframes">
<iframe src='/pin1' class='pin1'></iframe>
<iframe src='/pin2' class='pin2'></iframe>
<iframe src='/pin3' class='pin3'></iframe>
<iframe src='/pin6' class='pin6'></iframe>
<iframe src='/pin5' class='pin5'></iframe>
<iframe src='/pin4' class='pin4'></iframe>
...
<script src="conduit.js"></script>
<script src="app.js"></script>
...
Let's look at the source for Pin1:
<form method='post' action='pin1'>
<!-- @&@&&W&&W&&&& -->
<input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
<button>GO</button>
Why not just try that string mentioned in the comments? Indeed it's unlocking the first Pin.
Let's look at the source for Pin2:
<form method='post' action='pin2'>
<!-- TODO: FILTER OUT HTML FROM USER INPUT -->
<input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
<button>GO</button>
As we want to connect dots on different levels, let's try to use HTML <br>
mixed with Unicode box-drawing characters to draw the lines:
█──╮─────────
───╰──╮──────
──────╰─────█
resulting in
<br>█──╮─────────<br>───╰──╮──────<br>──────╰─────█
Let's look at the source for Pin3:
<form method='post' action='pin3'>
<!-- TODO: FILTER OUT JAVASCRIPT FROM USER INPUT -->
<input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
<button>GO</button>
The same technique should work here as well. The first try didn't work; it seems the colour must match too, so let's include that information:
──────╭─────█
──╭───╯──────
█─╯──────────
resulting in
<font color="blue">──────╭─────█<br>──╭───╯──────<br>█─╯──────────</font>
With the first three pins open, the gate unlocks.
We get the following hints:
Early parts of this challenge can be solved by focusing on Glamtariel's WORDS.
Another hint should be available if the remaining locks are also solved, so let's carry on.
Let's look at the source of Pin4:
...
<script>
  const sanitizeInput = () => {
    const input = document.querySelector('.inputTxt');
    const content = input.value;
    input.value = content
      .replace(/"/, '')
      .replace(/'/, '')
      .replace(/</, '')
      .replace(/>/, '');
  }
</script>
...
<form method='post' action='pin4'>
<input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' onblur='sanitizeInput()' />
<button>GO</button>
</form>
This time we have a slightly different pattern, and in addition a sanitization routine is attached to the field via onblur. The regexes carry no g flag, so each replace() strips only the first occurrence of its character; if we simply "duplicate" those characters, one copy of each survives.
o
█───────────█
█───────────█
█───────────█
resulting in
o █───────────█ █───────────█ <<font color=""blue">>█───────────█</font>
Let's look at the source of Pin5:
...
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; style-src 'self'">
...
<script>
  const sanitizeInput = () => {
    const input = document.querySelector('.inputTxt');
    const content = input.value;
    input.value = content
      .replace(/"/gi, '')
      .replace(/'/gi, '')
      .replace(/</gi, '')
      .replace(/>/gi, '');
  }
</script>
...
<form method='post' action='pin5'>
<input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' onblur='sanitizeInput()' />
<button>GO</button>
Okay, this time the g flag makes the sanitization catch all occurrences. Since it still runs entirely in the browser, it's easier to "tweak" the client-side code. We'll open Burp Suite and use the built-in proxy: submit any character in the text field while intercept is on, then select Action -> Do intercept -> Response to this request and remove the sanitization from the returned page.
Afterwards we'll submit:
o
█─╭─────────█
█╭╯────╭────█
█╯╭────╯───█
█─│
resulting in
o <font color="red">█─╭─────────█</font> <font color="red">█╭╯──</font><font color="blue">──╭────█</font> <font color="red">█╯</font><font color="blue">╭────╯───█ █─│</font>
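To make the Pin4/Pin5 difference concrete, here is an added example (my own code, not the challenge site's) that runs both sanitizer variants over a constructed doubled-character input, alongside the escape-on-output approach a server would use instead of stripping in the browser:

```javascript
// Pin4-style sanitizer: no /g flag, so each replace() removes only the
// first occurrence of its character and a doubled character survives.
function sanitizeFirstOnly(content) {
  return content
    .replace(/"/, '')
    .replace(/'/, '')
    .replace(/</, '')
    .replace(/>/, '');
}

// Pin5-style sanitizer: /g removes every occurrence (the /i flag is
// irrelevant for these literal characters). Still client-side, so it can
// be removed by anyone who edits the response before it runs.
function sanitizeAll(content) {
  return content
    .replace(/"/g, '')
    .replace(/'/g, '')
    .replace(/</g, '')
    .replace(/>/g, '');
}

// Server-side alternative: encode rather than strip, so the text is kept
// intact but can no longer be interpreted as markup when rendered.
function escapeHtml(content) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return content.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed input modelled on the doubled Pin4 submission above.
const doubled = '<<font color=""blue">>x</font>';

function demo() {
  return {
    firstOnly: sanitizeFirstOnly(doubled), // '<font color="blue">x</font>'
    all: sanitizeAll(doubled),             // 'font color=bluex/font'
    escaped: escapeHtml(doubled),
  };
}
```

Run `demo()` to see all three outputs side by side; the first one shows why the doubled markup still renders on Pin4.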
Let's look at the source of Pin6:
...
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; style-src 'self'">
...
<form method='post' action='pin6'>
<input class='inputTxt' name='inputTxt' type='text' value='' autocomplete='off' />
<button>GO</button>
</form>
No sanitization in place? The CSP only restricts scripts and styles, so plain HTML such as <font> still renders. Ok, let's just submit a proper pattern :-)
█───────────█
█─────────╮─█
█─╮───────╰─█
█─╰──────╮──█
█────────┃
resulting in
<font color="lime">█───────────█</font> <font color="red">█─────────╮─█</font> <font color="blue">█─╮───────</font><font color="red">╰─█</font> <font color="blue">█─╰──────╮──█ █────────┃</font>
The final solution looks like this:
We get the following hints:
Sometimes we can hit web pages with XXE when they aren't expecting it!