CTFtime.org

Grandline

by kazkiti / PwnaSonic

Tags: rpo xss web 

Rating: 4.0

# ▼▼▼Grandline(Web:700pts) solved:16/753=2.1%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```
It was said to be hidden somewhere deep in the Grand Line, someone in the second part of Grand Line can capture it, could you tell them to give it for you. Let's start a trip in Grand Line
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/
```

---

## 【Investigation of functions】

```
・Source code can be viewed with debug parameters
・Sending URL to bot(Chrome) will access it (The URL is limited to http://localhost/)
```

---

Access URL `http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/`

```
HTTP/1.1 200 OK
Date: Mon, 16 Jul 2018 02:18:31 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1464
Connection: close
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<title>The Two piece Treasure</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">

<link rel="stylesheet" href="css/bootstrap.min.css">


<script src="js/jquery.min.js"></script>


<script src="js/bootstrap.min.js"></script>
</head>
<body>

<div class="container">
<div class="jumbotron">
<h1>GRAND LINE</h1>

Welcome to Grand Line, You are in the way to become Pirate King, now, let's defeat BigMom first


</div>
<input name='location' value='111.108.19.80' type='hidden'>
<input name='piece' value='Only whitebeard can see it, Gura gura gura' type='hidden'>
<h4>If you eat fruit, you can't swim</h4>



<form method="get" action="index.php">
<input type="text" name="eat" placeholder="" value="gomu gomu no mi">
<input type="submit">
</form>
</div>

</body>
</html>




<html lang="en">
<head>
<title>The Two piece Treasure</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">

<link rel="stylesheet" href="css/bootstrap.min.css">


<script src="js/jquery.min.js"></script>


<script src="js/bootstrap.min.js"></script>
</head>
<body>

";

?>

<div class="container">
<div class="jumbotron">
<h1>GRAND LINE</h1>

Welcome to Grand Line, You are in the way to become Pirate King, now, let's defeat BigMom first


</div>

";
if ($loca === "127.0.0.1" || $loca==="::1")
{
echo "<input name='piece' value='".$secret."' type='hidden'>";
}
else
{
echo "<input name='piece' value='Only whitebeard can see it, Gura gura gura' type='hidden'>";
}

?>

<h4>If you eat fruit, you can't swim</h4>



<form method="get" action="index.php">
<input type="text" name="eat" placeholder="" value="gomu gomu no mi">
<input type="submit">
</form>
Pirate, Let's go to your Grand Line

";
}
else
{
echo "

You need to eat 'gomu gomu no mi'

";
}
}

?>
</div>

</body>
</html>

";
```

Also, there are places where input characters are escaped but reflected.

---

## 【Identify the vulnerability】

---

### 1.Try CSS injection

In order to acquire secret, a CSS vulnerability is required on the same page as secret.

Therefore, there is only CSS injection by relative path overwriting attack.

There is a CSS relative path( `<link rel="stylesheet" href="css/bootstrap.min.css">`).

When confirming the response header of index.php, `Content-Type: text/html; charset=UTF-8` is given.

There is ``

bot is Chrome, so it is impossible

The reason is that in Chrome, when loading CSS, if Content-Type is not `text/css`, it will be an error and will not be executed.

---

### 2.Try RPO's XSS

I check the index.php

```

<script src="js/jquery.min.js"></script>


<script src="js/bootstrap.min.js"></script>
```

Reading in relative path.

---

```

```

there is `/*` at the beginning

---

```

Comments

terjanqJuly 16, 2018, 11 a.m.

Since I never heard of this type of attack I have made quick research and there are few false statements in your write-up:

> But, the bot is described as Chrome, so it is impossible
> The reason is that in Chrome, when loading CSS, if Content-Type is not text/css, it will be an error and will not be executed.

This is not true. It is being executed but only until `` is reached. Which is very interesting and if we removed this tag (or commented it via ``) then the http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/ will work. This header somehow breaks the whole stylesheet even though it is in the comment section. Very interesting.

Another interesting fact is that javascript does treat `

terjanqJuly 16, 2018, 11:01 a.m.

Another interesting fact is that javascript does treat `

terjanqJuly 16, 2018, 11:03 a.m.

Sorry for the spam, didn't know I cannot use grave accent character.

Since I never heard of this type of attack I have made quick research and there are few false statements in your write-up:

> But, the bot is described as Chrome, so it is impossible
> The reason is that in Chrome, when loading CSS, if Content-Type is not text/css, it will be an error and will not be executed.

This is not true. It is being executed but only until is reached. Which is very interesting and if we removed this tag (or commented it via ) then the http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/ will work. This header somehow breaks the whole stylesheet even though it is in the comment section. Very interesting.

Another interesting fact is that javascript does treat

terjanqJuly 16, 2018, 11:04 a.m.

holly *** this website sucks

https://pastebin.com/raw/GJypyJc8

kazkitiJuly 16, 2018, 1:10 p.m.

1.About CSS error
Yes. I ran it with comments prefixed, but it has been confirmed that it will not run on the latest version of Chrome.
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/{} *{background-color:red}/

Also, css was executed when the file in the local environment was read with extension .css

2.About treatment of +
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/alert(%60%2b%20does%20work%20%60);(function()%7B%7D)(/*/
It is described with an input character + in form. In the actual request I sent it at% 2b. I tried this behavior at 178.128.6.184, + worked, but it did not work on bot. Probably I think that setting of bot is the cause.

terjanqJuly 16, 2018, 4:56 p.m.

You misunderstood me because the website removed half of my comments. It is the full comment in raw: https://pastebin.com/raw/GJypyJc8

And what I meant is that it is totally not true that Chrome will not execute CSS sent with content type text/html. It throws a warning not an error: Resource interpreted as Stylesheet but transferred with MIME type text/html

And actually the CSS by visiting the URL(http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/) is being executed untill it reaches DOCTYPE:HTML tag and it breaks there.

Put manually the
a{} body{background:red}
anywhere before DOCTYPE:HTML Tag and then
a{} body{background:yellow!}
somewhere after the tag.

The background will turn into red

terjanqJuly 16, 2018, 5:09 p.m.

This is exactly the same page with commented DOCTYPE:HTML:
http://terjanq.cf/meepwn/grandline/index.php/*/a%7B%7D%20body%7Bbackground:red%7D/

See that it's working no matter of HTTP response. Also, I just upgraded to the latest version of Chrome and the warning has even disappeared.

kazkitiJuly 17, 2018, 3:42 a.m.

It is the site that I referred.
http://delivery.acm.org/10.1145/3190000/3186090/p237-arshad.html?ip=182.171.250.216&id=3186090&acc=OPEN&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E6D218144511F3437&__acm__=1531812842_e03ba93d67b0737f0f62da6d25fbdc62

If the site has a definition of DOCTYPE, the browser will strictly confirm the Content-Type.
OK?