Blind Trust
⚠️ A flawed deployment. A layered defense. Four secrets buried in static — only the bold can decrypt the chaos.
NICE Work Roles
NICE Tasks
- T0280: Identify and validate vulnerabilities in the system
- T0653: Identify and recommend methods for exploiting target systems
- T0269: Conduct exploitation of targets using identified vulnerabilities
- T0650: Conduct target and technical analysis of systems and vulnerabilities
Background
⚠️ In the wake of a major whistleblower leak, a shadowy government contractor — Nebula Dynamics — accidentally deployed a test version of its internal document processing system to a public-facing server. Intelligence suggests it parses sensitive XML-based threat reports. You’re tasked with infiltrating the system and extracting the classified tokens buried deep within the code.
Getting Started
The target website can be found at:
http://nebula:5000
Begin your hunt — enumerate the application and find its secrets (tokens).
Token Format
e.g. ✅ TOKEN1: PCCC{BLT-alphanumeric_string}
Discovery Phase Operations
Everything is not as it seems. Thoroughly investigate all presented functionality to determine the vulnerabilities in the Telemetry system.
Objectives
- Inspect the site’s XML-driven components for unusual behavior.
- Discover indirect access methods through lesser-known routes.
- Demonstrate control over backend communications by crafting non-standard HTTP payloads.
- Collect all four embedded access tokens hidden across the app’s layers.
System and Tool Credentials
| system/tool | location |
|---|---|
| Nebula | http://nebula:5000 |
Note
You do not need root access to the server to complete this challenge. Tokens are awarded through completion of the objectives.
Token 1 – All About Telemetry (850 points)
Exploit an XML parsing vulnerability in the telemetry submission interface to retrieve sensitive internal data from /etc/passwd.
Token 2 – The Submission (850 points)
Submit a log to the Production system using the correct format to retrieve this token. All incorrect submissions will simply be logged without token issuance.
Token 3 – SSRF (854 points)
Successfully send a report in the correct format using the /report/render endpoint (SSRF via XML).
Token 4 – Debug Mode (854 points)
Determine a way to enable Debug Mode and access the /internal/notes endpoint.