Hello folks, this is the official write-up for a Web CTF challenge from the ASCWG 2023 qualification round.
Challenge Name: Gr00t
Description: Groot is a greet player. believe me!! you can use it to win the game.
Points: 900
First, let’s check the challenge link

There were two pages, index.php and groot.php.
First, we need to read the HTML source so we can understand it:
index.php

A CSP is declared in a meta tag:
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-eval' 'self'; object-src 'none'">
This basically means that we are allowed to
We are not allowed to inject custom scripts directly into the HTML page. This means we can’t inject things like *<script>alert(1)</script>* or *<img src=x onerror=alert(1)>*.
The same meta tag can be found in frame.html.
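To make the policy's effect concrete, here is an added example (not part of the original write-up or the challenge code) that models, in simplified form, how a browser applies the script-src directive above. The function names and the ctf.example / cdn.example origins are assumptions made for illustration.

```javascript
// Added example: simplified model of CSP checks for script execution.
// Function names and the sample origins are constructed for illustration.
const POLICY = "script-src 'unsafe-eval' 'self'; object-src 'none'"; // from the page

// Split a policy into { directive-name: [source expressions] }.
function parseCsp(policy) {
  const directives = Object.create(null);
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = sources;
    }
  }
  return directives;
}

// Report what the policy lets a page at pageOrigin do with scripts.
// Simplified: no wildcard hosts, paths, schemes or 'strict-dynamic'.
function scriptChecks(policy, pageOrigin, scriptUrl) {
  const d = parseCsp(policy);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const src = d['script-src'] ?? d['default-src'];
  if (src === undefined) return { inline: true, eval: true, load: true };
  const has = (kw) => src.some((s) => s.toLowerCase() === kw);
  const nonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const origin = new URL(scriptUrl, pageOrigin).origin;
  return {
    // Inline <script> bodies and on* handlers need 'unsafe-inline',
    // which browsers ignore once a nonce or hash source is present.
    inline: has("'unsafe-inline'") && !nonceOrHash,
    // eval(), new Function() and string setTimeout need 'unsafe-eval'.
    eval: has("'unsafe-eval'"),
    // <script src=...> must match 'self', '*' or a listed origin.
    load: has('*') || (has("'self'") && origin === pageOrigin) ||
          src.some((s) => s.toLowerCase() === origin),
  };
}
```

For this policy the model reports inline scripts blocked, eval allowed, and script files loadable only from the page's own origin, which is why same-origin files such as frame.js are where to look next.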
Now let’s look at frame.js. This is included in the frame.html page.

So we got our first foothold!