Kassiopia's Blog

Our next task takes us away from Frosty’s Beach to Rudolph’s Rest. Noel Boetie has the task for us. He’s used ChatNPT to help him with writing his Penetration Testing Report but it looks like it’s made some errors. It’s our job to assist him in finding and marking these hallucinations.

The proper way to do this would be to analyze each finding for the hallucinations and mark them accordingly but there is an easier, if more ham-fisted method. When we submit the report for verification a POST request is made to https://hhc23-reportinator-dot-holidayhack2023.ue.r.appspot.com/check. The body of this request is a form with 9 inputs. 0 indicates that the finding is true and 1 indicates a hallucination. This means that we can write a python script using the requests library to just test all possible values. The script can be seen below.

import requests, itertools
headers = {
    'Accept':'*/*',
    'Accept-Encoding':'gzip, deflate, br',
    'Cookie':'ReportinatorCookieYum=eyJ1c2VyaWQiOiJiYWRkMjRmMC05MzJmLTQ1NmQtYWVlMC03ZDM0MTdjNDY0OTQifQ.ZXCsCg.fMoNCmeLGOtxWNBIdxkoewiC0AI',
    'Origin':'https://hhc23-reportinator-dot-holidayhack2023.ue.r.appspot.com',
    'Referer':'https://hhc23-reportinator-dot-holidayhack2023.ue.r.appspot.com/?&challenge=reportinator&username=Kevroded&id=96b641a5-e5a2-425b-b637-0b2774d8d1a8&area=ci-rudolphsrest&location=39,25&tokens=&dna=ATATATTAATATATATATATATATATATATATTATAGCATATATATATATATTAATATATATATATATTAGCATATTATAATATATATATATATGCATATATATATATTAGCATATTACG',
    'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36'
}
for i in itertools.product([0,1], repeat=9):
    data = {
        'input-1':i[0],
        'input-2':i[1],
        'input-3':i[2],
        'input-4':i[3],
        'input-5':i[4],
        'input-6':i[5],
        'input-7':i[6],
        'input-8':i[7],
        'input-9':i[8]
    }
    response = requests.post(url='https://hhc23-reportinator-dot-holidayhack2023.ue.r.appspot.com/check', headers=headers, data=data)
    if 'FAILURE' not in response.text:
        print(i)
        break

This will return (0, 0, 1, 0, 0, 1, 0, 0, 1) meaning that findings 3, 6, and 9 contain errors. Entering these into the prompt and submitting will complete the task.