Hacking BugPoc’s 18 Game (XSS challenge) hosted by The XXS rat
2021-01-21 18:19:16 Author: medium.com(查看原文) 阅读量:247 收藏

GrumpinouT

Why does my title say “Hacking” when it’s just an XSS challenge? Because I didn’t solve the challenge, I hacked the game.

When you open the challenge page, the first thing you see is this:

Challenge page

Challenge page

This is a game called “18 Game” and its goal is to have three cards of which the sum adds up to 18. This is done by selecting one card from each pile, and after your three cards are selected, you will know if you’ve won or not.

So is there a strategy of some sort to win this game? No. The cards that you select are randomly selected in a popup window that opens once you clicked a card.

Popup to randomly pick a card

Popup to randomly pick a card

The popup sends a post message to it’s opener, with the randomly chosen card. When inspecting this post message, we see that de data contains the values guess, indexesand str.

  • guess contains the actual card number
  • indexes contains the position of the card
  • str contains a string to be displayed at the homepage of the game.

At this point I feel really stupid because if I took an actual look at the entire message, and not only the data, I would have seen that the nonce is also being sent, which is what was needed to solve the challenge. If you want to know the solution of the challenge itself, check out this awesome writeup by Holme!

Data in post message

Data in post message

So this guess looks really interesting, the number of the card is being sent to the opener. Does this mean we can send our own post message to the opener? Yes, we can! In this case, the home page didn’t verify the domain where the post message was coming from, so we can just open this page from our own site and send it a message with our own choice of card. Also, the str variable was vulnerable to html injection, but it turns out this was not needed for the challenge.

Three messages later I finally won the game!

Winning screen

Winning screen

I decided to create a tool to make you win the game every time without needing to spend time looking at post requests, because what is even more beautiful than popping an alert? Popping a winning screen of course!

The first thing I did was copy paste a lot of BugPoc’s code and replace the back of the cards with fronts of cards. Then I added a home screen to explain how the tool works and to open the game when the start button is clicked.

Start screen of my tool

Start screen of my tool

Image for post

My tool

So when you clicked the start button, a new tab will be opened with the 18 Game. Then you have to go back to my page and you will see all possible cards per pile. Here you can select 1 card per pile. (in theory multiple cards per pile is possible, but I didn’t allow it because BugPoc also blocked this.)

Cards selected

Cards selected

When you select a card, you see a red border to know which card you selected. If you now have a look at the 18 Game’s tab, you will see the cards you selected are also here visible.

Cards in the 18 Game

Cards in the 18 Game

If you select your last card in my tool, and the sum adds up to 18, you will get the following message.

Winning message in my tool

Winning message in my tool

If you now go to the game’s tab, you will see the victory screen!

If the sum of your cards does not add up to 18, you will see the following message.

Losing message in my tool

Losing message in my tool

If you want to test the tool out yourself, you can find it at https://grumpinout.be/RAT

Thanks TheXSSRat and BugPoc for the fun challenge and nice CSP bypass!


文章来源: https://medium.com/bugbountywriteup/hacking-bugpocs-18-game-xss-challenge-hosted-by-the-xxs-rat-f3f1adc04c8?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh