# ▼▼▼Grandline(Web:700pts) solved:16/753=2.1％▼▼▼  
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

```  
It was said to be hidden somewhere deep in the Grand Line, someone in the
second part of Grand Line can capture it, could you tell them to give it for
you. Let's start a trip in Grand Line  
http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/  
```

---

## 【Investigation of functions】

```  
・The source code can be viewed with the debug parameter  
・A URL sent to the bot (Chrome) is visited by it (the URL is restricted to
http://localhost/)  
```

---

Access the URL `http://178.128.6.184/3915ef41890b96cc883ba6ef06b944805c9650ee/`

↓

```  
HTTP/1.1 200 OK  
Date: Mon, 16 Jul 2018 02:18:31 GMT  
Server: Apache/2.4.18 (Ubuntu)  
Vary: Accept-Encoding  
Content-Length: 1464  
Connection: close  
Content-Type: text/html; charset=UTF-8

<html lang="en">  
<head>  
<title>The Two piece Treasure</title>  
<meta charset="utf-8">  
<meta name="viewport" content="width=device-width, initial-scale=1">  
  
<link rel="stylesheet" href="css/bootstrap.min.css">

  
<script src="js/jquery.min.js"></script>

  
<script src="js/bootstrap.min.js"></script>  
</head>  
<body>

<div class="container">  
<div class="jumbotron">  
<h1>GRAND LINE</h1>  

Welcome to Grand Line, You are in the way to become Pirate King, now, let's
defeat BigMom first

  
</div>  
<input name='location' value='111.108.19.80' type='hidden'>  
<input name='piece' value='Only whitebeard can see it, Gura gura gura'
type='hidden'>  
<h4>If you eat fruit, you can't swim</h4>  
<img src="images/grandline.png">  
  
  
<form method="get" action="index.php">  
<input type="text" name="eat" placeholder="" value="gomu gomu no mi">  
<input type="submit">  
</form>  
</div>

</body>  
</html>

  
  
  
<html lang="en">  
<head>  
<title>The Two piece Treasure</title>  
<meta charset="utf-8">  
<meta name="viewport" content="width=device-width, initial-scale=1">  
  
<link rel="stylesheet" href="css/bootstrap.min.css">

  
<script src="js/jquery.min.js"></script>

  
<script src="js/bootstrap.min.js"></script>  
</head>  
<body>

";

?>

<div class="container">  
<div class="jumbotron">  
<h1>GRAND LINE</h1>  

Welcome to Grand Line, You are in the way to become Pirate King, now, let's
defeat BigMom first

  
</div>  
  
";  
if ($loca === "127.0.0.1" || $loca==="::1")  
{  
echo "<input name='piece' value='".$secret."' type='hidden'>";  
}  
else  
{  
echo "<input name='piece' value='Only whitebeard can see it, Gura gura gura'
type='hidden'>";  
}

?>

<h4>If you eat fruit, you can't swim</h4>  
<img src="images/grandline.png">  
  
  
<form method="get" action="index.php">  
<input type="text" name="eat" placeholder="" value="gomu gomu no mi">  
<input type="submit">  
</form>  
Pirate, Let's go to your Grand Line

";  
}  
else  
{  
echo "

You need to eat 'gomu gomu no mi'

";  
}  
}  
  
?>  
</div>

</body>  
</html>

";  
```

↓

There are also places where the input is reflected, but it is escaped.

---

## 【Identify the vulnerability】

---

### 1. Try CSS injection

To obtain the secret via CSS, a CSS injection is needed on the same page
where the secret is output.

Therefore, the only candidate is CSS injection through a relative path
overwrite (RPO) attack.

↓

There is a CSS relative path( `<link rel="stylesheet"
href="css/bootstrap.min.css">`).

↓

Checking the response headers of index.php, `Content-Type: text/html;
charset=UTF-8` is set.

There is ``

The bot is Chrome, so this approach is impossible.

The reason is that when Chrome loads a stylesheet whose response
Content-Type is not `text/css`, it treats it as an error and does not apply
the CSS.

---

### 2. Try XSS via RPO

Looking at index.php:

↓

```  
  
<script src="js/jquery.min.js"></script>

  
<script src="js/bootstrap.min.js"></script>  
```

↓

The scripts are loaded via relative paths.
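As an added defensive check (not part of the original writeup), the following Python audits a response for the preconditions this challenge relies on: document-relative stylesheet and script references, which are what a relative path overwrite needs, and a missing `X-Content-Type-Options: nosniff` header, the mitigation that stops browsers from interpreting an HTML response as CSS or JS. The sample headers and HTML are a constructed, trimmed copy of the index.php response shown above; `audit_rpo` and `is_relative_ref` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample, trimmed from the index.php response in the writeup (not a live fetch).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Server": "Apache/2.4.18 (Ubuntu)",
}
SAMPLE_HTML = """<html lang="en"><head>
<link rel="stylesheet" href="css/bootstrap.min.css">
<script src="js/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
</head><body>
<input name='piece' value='Only whitebeard can see it, Gura gura gura' type='hidden'>
</body></html>"""


class _RefCollector(HTMLParser):
    """Collect the href of <link rel="stylesheet"> and the src of <script> tags."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))


def is_relative_ref(url):
    """True for document-relative URLs such as 'css/x.css', which resolve against the
    current path; root-relative ('/css/x.css'), scheme-relative and absolute URLs do not."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        return False
    return not parts.path.startswith("/")


def audit_rpo(body, headers):
    """Return a list of findings: relative stylesheet/script references and a missing nosniff header."""
    collector = _RefCollector()
    collector.feed(body)
    findings = [f"relative {tag} reference: {url}" for tag, url in collector.refs if is_relative_ref(url)]
    hdr = {k.lower(): v for k, v in headers.items()}
    if "nosniff" not in hdr.get("x-content-type-options", "").lower():
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings
```

Run against the sample it reports all three relative references plus the missing header; root-relative paths with `nosniff` set produce no findings.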

---


↓

There is `/*` at the beginning.

---
