Blind Trust - TOKEN2
Base URL: http://nebula:5000
Background
The /api/submitlog/ endpoint accepts log submissions. The token is only
issued when the log is submitted to the “Production system” in the correct
format.
From Nothing to Working
Start point: the /help page documents /api/submitlog/ (with trailing slash)
and the parameter entry=VALUE.
Iterations:
- The /xml/upload_backup page states: "Please use the Production (non-backup) version of this endpoint."
- The /help page shows /api/submitlog/ with a trailing slash.
- Initial attempts used /api/submitlog (no trailing slash) and received "Log recorded" but no token.
- The X-Parser: Nebula header is required for XML parsing (derived from "SYSTEM NAME: NEBULA" on the home page).
- The correct combination is expected to involve the trailing-slash endpoint together with the proper headers and body format.
Goal
Submit a log to the Production system using the correct format.
Command
curl -X POST "http://nebula:5000/api/submitlog/" \
-H "X-Parser: Nebula" \
-d 'entry=production'
Alternative approaches to try:
# With X-Environment header
curl -X POST "http://nebula:5000/api/submitlog/" \
-H "X-Parser: Nebula" \
-H "X-Environment: production" \
-d 'entry=test'
# XML content type
curl -X POST "http://nebula:5000/api/submitlog/" \
-H "X-Parser: Nebula" \
-H "Content-Type: application/xml" \
-d '<log>test</log>'
Expected Output
Look for:
TOKEN2::PCCC{BLT-xxxxxx}
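The write-up lists several request variations (with and without the trailing slash, with and without X-Environment, form-encoded vs XML body) but ran out of time before trying them systematically. The script below is an added example, not part of the original write-up: it enumerates every combination of those variations, POSTs each one to the base URL with the X-Parser: Nebula header, and scans each response for the TOKEN2::PCCC{BLT-...} pattern from the Expected Output section. The X-Environment header and the <log> XML body are the page's own untested guesses, so they are carried here as candidates, not known-good values; the base URL is the one given at the top of the page.

```python
import itertools
import re
import urllib.error
import urllib.parse
import urllib.request

# Added example, not part of the original write-up. Base URL and the
# X-Parser header come from the page; X-Environment and the XML body
# shape are the page's untested guesses, carried here as candidates.
BASE_URL = "http://nebula:5000"

# Token format from the page's "Expected Output" section.
TOKEN_RE = re.compile(r"TOKEN2::PCCC\{BLT-[^}]+\}")


def extract_token(text):
    """Return the first TOKEN2 string found in a response body, or None."""
    m = TOKEN_RE.search(text)
    return m.group(0) if m else None


def build_variants():
    """Enumerate the request combinations the write-up identified as worth
    testing: path with/without trailing slash, optional X-Environment
    header, and form-encoded vs XML bodies (2 * 2 * 3 = 12 variants)."""
    paths = ["/api/submitlog", "/api/submitlog/"]
    env_headers = [{}, {"X-Environment": "production"}]
    bodies = [
        ("application/x-www-form-urlencoded",
         urllib.parse.urlencode({"entry": "production"})),
        ("application/x-www-form-urlencoded",
         urllib.parse.urlencode({"entry": "test"})),
        ("application/xml", "<log>test</log>"),
    ]
    variants = []
    for path, env, (ctype, body) in itertools.product(paths, env_headers, bodies):
        headers = {"X-Parser": "Nebula", "Content-Type": ctype}
        headers.update(env)
        variants.append((BASE_URL + path, headers, body))
    return variants


def send(url, headers, body, timeout=5):
    """POST one variant and return (status, body text). HTTP error statuses
    and network failures are returned, not raised, so the scan keeps going."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def scan(sender=send):
    """Try every variant through `sender`; return (url, headers, body, token)
    for the first response containing a token, or None if nothing hits."""
    for url, headers, body in build_variants():
        status, text = sender(url, headers, body)
        token = extract_token(text)
        print(f"{status} {url} {sorted(headers)} {body!r} -> {token or 'no token'}")
        if token:
            return url, headers, body, token
    return None


if __name__ == "__main__":
    scan()
```

The sender is injectable so the enumeration and token matching can be checked offline; against the live target, each line of output shows which combination produced "Log recorded" versus a token, which is exactly the comparison the write-up was unable to finish.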
Status
UNSOLVED - The exact combination was not discovered during the event.
The trailing slash on /api/submitlog/ was identified as a key difference
from what had been tested, but time expired before it could be validated.
Learn More
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/02-Test_Application_Platform_Configuration
- https://cwe.mitre.org/data/definitions/436.html