Tanuki is a flashcard web app with an XML-based deck export and a JSON-driven restore endpoint. The server secretly round-trips your JSON through an XML template with DTD processing enabled — giving you a path to read arbitrary files off the server without any out-of-band channel. Your goal is to exfiltrate the flag at /app/flag.txt entirely in-band.
Objective: Log in to the application, obtain a JWT, and export an existing deck as a backup to read the raw XML format.
Context: The app seeds a default user. Once authenticated, a Bearer JWT is required for all /api/ calls. Exporting a deck returns its XML representation — read this file carefully before touching the restore endpoint.
Only reveal the ones you need. Claude tracks how many you used to calibrate the feedback.
Try common default credentials for a 'learner' type app. After login, inspect how the backup file is structured — every byte of it is a clue.
Log in with admin/learner (or similar seeded credentials) to get a JWT. Then call GET /api/decks/:id/backup and look at the DOCTYPE declaration in the returned XML.
POST to /api/auth/login with {"username":"admin","password":"learner"}, extract the token, then GET /api/decks/1/backup. Focus on the empty <!DOCTYPE backup [ ]> — an export file has no business carrying a DTD unless the parser processes it on the way back in.
Enjoying Hintru? Buy me a coffee ☕ ☕