Tanuki is a flashcard web app with an XML-based deck export and a JSON-driven restore endpoint. The server secretly round-trips your JSON through an XML template with DTD processing enabled — giving you a path to read arbitrary files off the server without any out-of-band channel. Your goal is to exfiltrate the flag at /app/flag.txt entirely in-band.
Objetivo: Determine what Content-Type and body structure the restore endpoint actually requires — it will silently succeed regardless of input, so you need a way to verify that data was truly processed.
Contexto: POST /api/decks/:id/restore always responds 'Backup restored successfully' and creates a new deck. Sending raw XML (application/xml, text/xml, multipart) appears to work but produces only an empty 'Untitled Deck'. The real contract is different. The :id in the URL is cosmetic — any value works.
Revela solo las que necesites. Claude lleva la cuenta de cuántas usaste para calibrar la retroalimentación.
The endpoint claims success no matter what you send. How can you tell the difference between 'accepted and processed' vs 'silently ignored'? Try changing the Content-Type and body format.
Try sending a JSON body instead of XML. Use Content-Type: application/json with keys that mirror the deck schema (name, description, category, cards). Check whether a real deck with your data appears afterward.
POST to /api/decks/1/restore with Content-Type: application/json and body {"name":"Demo","description":"d","category":"c","cards":[{"front":"Q1","back":"A1"}]}. Then GET /api/decks to confirm a new deck was created with those exact values.
¿Te gusta Hintru? Buy me a coffee ☕ ☕