THM | AoC 2025 | Day 08

· 3 min read

Day-08: Prompt injection

SUMMARY

On Day 08 (Prompt injection), we first explain the theory behind autonomous AI agents, then exploit a calendar‑management AI by extracting a hidden token via a log‑reading function and using it to call a privileged "reset_holiday" function, restoring the correct Christmas setting.

Prompt Injection - Sched-yule conflict

Storyline

"Sir BreachBlocker III corrupted Wareville’s Christmas Calendar AI, causing it to display Easter instead of Christmas. The AI is locked with developer tokens, and the only solution is to exploit it and reset the calendar to its original Christmas state."

Agentic AI Hack

Theory

Agentic AI extends large language models (LLMs) beyond static text generation, giving them the ability to plan, act, and adapt with minimal supervision. While LLMs excel at predicting words, storing knowledge, and following instructions, they are limited to their training data, can hallucinate facts, and are vulnerable to prompt injection, jailbreaking, and data poisoning.

Chain‑of‑thought (CoT) prompting improves LLM reasoning by having the model produce explicit intermediate steps, but it still lacks external grounding, leading to outdated or incorrect answers.
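A minimal sketch of what this looks like in practice: the same question posed as a plain prompt and as a CoT prompt. Only the prompt text differs; the phrasing and question here are illustrative, not from the room.

```python
# Hypothetical illustration: a plain prompt vs. a chain-of-thought prompt.
# A CoT cue nudges the model to emit intermediate reasoning steps before
# its final answer.
question = "A calendar has 12 months; 3 have passed. How many remain?"

standard_prompt = f"Q: {question}\nA:"

cot_prompt = f"Q: {question}\nA: Let's think step by step."

print(cot_prompt)
```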

ReAct (Reason + Act) combines reasoning with tool use: the model alternates between verbal thought traces and concrete actions (e.g., web searches, API calls), allowing dynamic planning, real‑time knowledge retrieval, and reduced hallucination.
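The alternation above can be sketched as a loop. This is a toy reconstruction with a stubbed model and a stubbed tool (`fake_model` and `lookup_holiday` are invented for illustration); real ReAct agents replace both with an LLM call and live APIs.

```python
# Minimal ReAct-style loop: Thought -> Action -> Observation, repeated
# until the model emits a final answer. Model and tool are stand-ins.

def fake_model(history):
    """Stand-in for an LLM: returns the next Thought/Action given the trace."""
    if "Observation: Dec 25 = Easter" in history:
        return "Thought: The stored holiday is found.\nFinal Answer: Easter"
    return "Thought: I need the stored holiday.\nAction: lookup_holiday[Dec 25]"

def lookup_holiday(date):
    # Stand-in for a real tool call (API, database, web search).
    return "Easter"

def react_loop(question, max_steps=5):
    history = f"Question: {question}"
    for _ in range(max_steps):
        step = fake_model(history)
        history += "\n" + step
        if "Final Answer:" in step:
            return step.split("Final Answer:")[1].strip()
        if "Action: lookup_holiday" in step:
            date = step.split("[")[1].rstrip("]")
            history += f"\nObservation: {date} = {lookup_holiday(date)}"
    return None

print(react_loop("What holiday is on Dec 25?"))  # Easter
```

The key property is that every tool result is appended to the trace as an Observation, so the next reasoning step is grounded in fresh external data rather than training-time knowledge.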

Modern LLMs support function calling, where developers register tools via JSON schemas. The model can invoke these tools (e.g., a web‑search function) when needed, receive results, and incorporate them into its final response.
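A hedged sketch of that registration pattern, using a hypothetical `web_search` tool. The exact wire format varies by provider, but the shape is broadly the same: a name, a description, and a JSON-schema description of the parameters; the model then emits a structured call instead of free text.

```python
import json

# Illustrative tool definition in the JSON-schema style used by
# function-calling APIs (names and format are assumptions, not a
# specific provider's API).
web_search_tool = {
    "name": "web_search",
    "description": "Search the web and return the top result snippet.",
    "parameters": {
        "type": "object",
        "properties": {
            "query": {"type": "string", "description": "Search terms"}
        },
        "required": ["query"],
    },
}

# The model's output is structured JSON naming the tool and its arguments;
# the application executes the call and feeds the result back to the model.
model_output = json.dumps(
    {"name": "web_search", "arguments": {"query": "date of Christmas"}}
)

call = json.loads(model_output)
print(call["name"], call["arguments"]["query"])
```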

Without robust validation, such autonomous agents can be targeted by attackers who interfere with their processes, creating new security risks.

Exploitation

We attempt to manipulate a calendar‑management AI agent that incorrectly sets December 25 to “Easter.” By examining the agent’s “Thinking” (chain‑of‑thought) log, we discover three exposed functions: reset_holiday, booking_a_calendar, and get_logs.

Although reset_holiday initially rejects the request due to a missing token, we use get_logs to extract the hidden token "TOKEN_SOCMAS". With this token, we successfully invoke reset_holiday, restoring the calendar’s Christmas date. This highlights how the agent’s reasoning logs can leak internal function details and authentication tokens.
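The exploit path can be reconstructed as a toy model. The function names and the token value come from the room; the log lines, calendar store, and extraction logic are illustrative stand-ins for the agent's real internals.

```python
# Toy reconstruction of the Day-08 exploit: a debug log leaks the
# developer token that gates the privileged reset_holiday function.
LOGS = ["[info] agent started", "[debug] auth token = TOKEN_SOCMAS"]
VALID_TOKEN = "TOKEN_SOCMAS"
calendar = {"Dec 25": "Easter"}

def get_logs():
    # Exposed to the agent; leaks internal secrets through debug lines.
    return "\n".join(LOGS)

def reset_holiday(token):
    # Privileged: refuses to act without the developer token.
    if token != VALID_TOKEN:
        return "denied: missing or invalid token"
    calendar["Dec 25"] = "Christmas"
    return "calendar restored"

# Attacker path: read the logs, extract the token, call the privileged tool.
leaked = next(line.split("= ")[1] for line in get_logs().splitlines()
              if "token" in line)
print(reset_holiday(leaked))  # calendar restored
print(calendar["Dec 25"])     # Christmas
```

The fix is the mirror image of the attack: secrets must never reach agent-readable logs, and privileged functions should authenticate the caller rather than trust any token the agent presents.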

Q & A

Question-1: What is the flag provided when SOC-mas is restored in the calendar?

THM{<flag>}

Question-2: If you enjoyed today's room, feel free to check out the Defending Adversarial Attacks room, where you will learn how to harden and secure AI models.

No answer needed