WEB REQUESTS

HTTP

To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.

root@oco:~$ curl -O 83.136.252.14:39709/download.php
root@oco:~$ cat download.php
 * HTB{64$!c_cURL_u$3r}

HTTP REQUESTS & RESPONSES

What is the HTTP method used while intercepting the request? (case-sensitive)

root@oco:~$ curl 83.136.252.14:39709 -v
 > GET / HTTP/1.1
 * GET

Send a GET request to the above server, and read the response headers to find the version of Apache running on the server, then submit it as the answer. (answer format: X.Y.ZZ)

root@oco:~$ curl 83.136.252.14:39709 -v
< Server: Apache/2.4.41 (Ubuntu)
 *

HTTP HEADERS

The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.

root@oco:~$ BROWSER > {targetSite:port} > F12 > Network
 * look for the request made by the target server named "flag..."
    - /flag_327a6c4304ad5938eaf0efb6cc3e53dc.txt

root@oco:~$ curl 94.237.63.109:54711/flag_327a6c4304ad5938eaf0efb6cc3e53dc.txt
 * HTB{p493_r3qu3$t$_m0n!t0r}

GET

The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.

#identify the format of the search parameter
root@oco:~$ BROWSER > {targetSite:port} > F12 > Network
 * admin:admin
 search: {anything}
 * search.php?search=anything
 
root@oco:~$ curl 'http://admin:[email protected]:57706/search.php?search=flag'
 flag: HTB{curl_g3773r}

POST

Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'

root@oco:~$ BROWSER > http://83.136.252.57:47707
 * admin:admin
root@oco:~$ BROWSER > http://83.136.252.57:47707 > F12 > Storage > Cookies
 * select the target site to view the session cookie authentication
 * PHPSESSID:frlr2o1op4m2n1bkhiqqs8i5cr
root@oco:~$ BROWSER > http://83.136.252.57:47707 > F12 > Network
 * click on the trash icon to clear all requests; make a new search query to see what requests get sent
 * select the request POST method then the Request tab to see
    - script.js IOT to see the search.php function
root@oco:~$ curl -X POST -d '{"search":"flag"}' -b 'PHPSESSID=frlr2o1op4m2n1bkhiqqs8i5cr' -H 'Content-Type: application/json' http://83.136.252.57:47707/search.php -iv
 * HTB{p0$t_r3p34t3r}

CRUD API

First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.

root@oco:~$ curl http://targetServer:port/api.php/city/ | jq
root@oco:~$ curl -X PUT http://targetServer:port/api.php/city/London -d '{"city_name":"flag"}' -H 'Content-Type: application/json'
root@oco:~$ curl -X DELETE http://targetServer:port/api.php/city/cityName
root@oco:~$ curl -s http://targetServer:port/api.php/city/flag | jq
 {
   "city_name": "flag",
   "country_name": "HTB{crud_4p!_m4n!pul4t0r}"
 }

PreviousPRACTICAL EXERCISES NextINTRO TO WEBAPPS

Last updated 3 months ago