
Tanuki: Flashcard Backup Restore

Difficulty: medium · CTF challenge
Tags: XXE, XML External Entity, in-band exfiltration, JS bundle recon, API enumeration, DTD injection, arbitrary file read

Tanuki is a flashcard web app with an XML-based deck export and a JSON-driven restore endpoint. The server secretly round-trips your JSON through an XML template with DTD processing enabled — giving you a path to read arbitrary files off the server without any out-of-band channel. Your goal is to exfiltrate the flag at /app/flag.txt entirely in-band.


Step 2 · Authenticate and export a deck

Objective: Log in to the application, obtain a JWT, and export an existing deck as a backup to read the raw XML format.

Context: The app seeds a default user. Once authenticated, a Bearer JWT is required for all /api/ calls. Exporting a deck returns its XML representation — read this file carefully before touching the restore endpoint.

Progressive hints


Hint 1 — directional nudge

Try common default credentials for a 'learner' type app. After login, inspect how the backup file is structured — every byte of it is a clue.

Hint 2 — technique / vuln class

Log in with admin/learner (or similar seeded credentials) to get a JWT. Then call GET /api/decks/:id/backup and look at the DOCTYPE declaration in the returned XML.

Hint 3 — near solution

POST to /api/auth/login with {"username":"admin","password":"learner"}, extract the token, then GET /api/decks/1/backup. Focus on the empty <!DOCTYPE backup [ ]> — an export file has no business carrying a DTD unless the parser processes it on the way back in.
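An added check for the tell-tale in Hint 3 (example code, not part of the lab or the Tanuki app): given an exported backup, report whether it carries a DOCTYPE and whether its internal subset declares any entities, and show how a restore endpoint should refuse DTD-bearing input outright instead of trusting the parser to ignore it. The XML sample is constructed to mirror the empty <!DOCTYPE backup [ ]> described above; the deck and card element names inside it are assumed.

```python
import re
import xml.etree.ElementTree as ET

# Matches the document type declaration in the prolog, capturing the root name,
# an optional external identifier and an optional internal subset "[ ... ]".
DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<name>[^\s\[>]+)"
    r"(?P<external>\s+(?:SYSTEM|PUBLIC)[^\[>]*)?"
    r"\s*(?:\[(?P<subset>.*?)\])?\s*>",
    re.DOTALL,
)


def inspect_backup(xml_text: str) -> dict:
    """Summarise the DOCTYPE (if any) carried by an exported backup document."""
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return {"has_doctype": False}
    subset = m.group("subset")
    return {
        "has_doctype": True,
        "root": m.group("name"),
        "external_id": bool(m.group("external")),
        "internal_subset": subset is not None,
        # An empty subset is the suspicious baseline; ENTITY declarations in it
        # are what a DTD-processing restore would act on.
        "entity_count": len(re.findall(r"<!ENTITY\b", subset or "")),
    }


def restore_parse(xml_text: str) -> ET.Element:
    """Hardened restore: reject any DTD before the document reaches a parser."""
    if "<!DOCTYPE" in xml_text or DOCTYPE_RE.search(xml_text):
        raise ValueError("backup rejected: DTD declarations are not allowed on restore")
    return ET.fromstring(xml_text)


def deck_names(root: ET.Element) -> list:
    """Names of the decks contained in a parsed backup (element names assumed)."""
    return [d.get("name") for d in root.iter("deck")]


# Constructed sample mirroring the export described in Hint 3.
EXPORTED = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE backup [ ]>
<backup><deck name="Kanji N5"><card front="yama" back="mountain"/></deck></backup>"""

# The same export with the DTD stripped, as a restore endpoint should require.
CLEAN = EXPORTED.replace("<!DOCTYPE backup [ ]>\n", "")

if __name__ == "__main__":
    print(inspect_backup(EXPORTED))
    print(deck_names(restore_parse(CLEAN)))
```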
