
Web Exploitation 300: Artisinal Handcrafted HTTP 3

Challenge

We found a hidden flag server hiding behind a proxy, but the proxy has some… interesting ideas of what qualifies someone to make HTTP requests. Looks like you’ll have to do this one by hand.

Try connecting via nc 2018shell1.picoctf.com 26431, and use the proxy to send HTTP requests to flag.local. We’ve also recovered a username and a password for you to use on the login page: realbusinessuser/potoooooooo.

Solution

```http
GET /
Host: flag.local

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 321
etag: W/"141-LuTf9ny9p1l454tuA3Un+gDFLWo"
date: Sat, 06 Oct 2018 16:53:46 GMT
connection: close

<snip>
/login
```

The index page links to /login, so we fetch that next:

```http
GET /login
Host: flag.local

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 498
etag: W/"1f2-UE5AGAqbLVQn1qrfKFRIqanxl9I"
date: Sat, 06 Oct 2018 16:54:08 GMT
connection: close


                <html>
                        <head>
                                <link rel="stylesheet" type="text/css" href="main.css" />
                        </head>
                        <body>
                                <header>
                                        <h1>Real Business Internal Flag Server</h1>
                                        <a href="/login">Login</a>
                                </header>
                                <main>
                                        <h2>Log In</h2>

                                        <form method="POST" action="login">
                                                <input type="text" name="user" placeholder="Username" />
                                                <input type="password" name="pass" placeholder="Password" />
                                                <input type="submit" />
                                        </form>
                                </main>
                        </body>
                </html>
```

The form POSTs `user` and `pass` to `/login`, so we send the recovered credentials as a URL-encoded body:

```http
POST /login
Host: flag.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

user=realbusinessuser&pass=potoooooooo
HTTP/1.1 302 Found
x-powered-by: Express
set-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/
location: /
vary: Accept
content-type: text/plain; charset=utf-8
content-length: 23
date: Sat, 06 Oct 2018 16:59:49 GMT
connection: close

Found. Redirecting to /%
```

The server answers with a `set-cookie` header and redirects to `/`. Now fetch the index page again, sending that cookie back:

```http
GET /
Host: flag.local
Cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D

HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 438
etag: W/"1b6-W7vAFWOkYXQgrhkzGj6dgZ9sfsg"
date: Sat, 06 Oct 2018 17:01:15 GMT
connection: close

<snip>
<p>Hello <b>Real Business Employee</b>!  Today's flag is: <code>picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_72f2}</code>.</p>
```
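The whole session above, automated as an added example (this is not code from the writeup or from the picoCTF challenge): a client that assembles each request by hand over a raw socket, parses the response, lifts the `real_business_token` cookie out of `set-cookie`, and replays it on the redirect target. The original challenge server is gone, so the block also starts a constructed local stand-in for `flag.local` whose behaviour is an assumption reconstructed only from the responses shown on this page; the credentials and cookie value are copied from the page, and the flag is a placeholder. The handcrafted requests on the page omit the HTTP version; the client below sends `HTTP/1.1` with `Connection: close` so that reading until the socket closes is enough to get the whole response.

```python
# Added example, not the writeup's code. Server side is a constructed stand-in for flag.local.
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

USER, PASS = "realbusinessuser", "potoooooooo"        # credentials from the challenge text
TOKEN = "PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D"   # Set-Cookie value seen on the page
FLAG = "picoCTF{PLACEHOLDER_FLAG}"                      # placeholder, not the real flag
LOGIN_FORM = '<form method="POST" action="login"><input name="user"/><input name="pass"/></form>'


class FakeFlagServer(BaseHTTPRequestHandler):
    """Constructed stand-in: / shows the flag only when the fixed cookie is presented."""

    def log_message(self, *args):  # keep request logging quiet
        pass

    def _reply(self, status, body, extra=()):
        data = body.encode()
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        cookie = self.headers.get("Cookie", "")
        if self.path == "/" and f"real_business_token={TOKEN}" in cookie:
            self._reply(200, f"<p>Hello <b>Real Business Employee</b>! Today's flag is: <code>{FLAG}</code>.</p>")
        elif self.path == "/":
            self._reply(200, '<a href="/login">Login</a>')
        else:
            self._reply(200, LOGIN_FORM)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        if self.path == "/login" and form.get("user") == [USER] and form.get("pass") == [PASS]:
            self._reply(302, "Found. Redirecting to /",
                        [("Set-Cookie", f"real_business_token={TOKEN}; Path=/"), ("Location", "/")])
        else:
            self._reply(401, "bad credentials")


def build_request(method, path, host, headers=(), body=b""):
    """Assemble the request bytes by hand, the way the writeup types them into nc."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    lines += [f"{name}: {value}" for name, value in headers]
    if body:
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_response(raw):
    """Split raw response bytes into (status code, lower-cased header multi-dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status_line.split()[1]), headers, body


def send_raw(addr, request):
    """One request per TCP connection; read until the server closes (Connection: close)."""
    with socket.create_connection(addr) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


def login_and_fetch_flag(addr, host="flag.local"):
    """POST the credentials, take the cookie from Set-Cookie, replay it on the Location target."""
    form = f"user={USER}&pass={PASS}".encode()
    status, hdrs, _ = send_raw(addr, build_request(
        "POST", "/login", host, [("Content-Type", "application/x-www-form-urlencoded")], form))
    if status != 302 or "set-cookie" not in hdrs:
        return status, None
    cookie = hdrs["set-cookie"][0].split(";", 1)[0]   # drop attributes such as Path=/
    status, _, body = send_raw(addr, build_request("GET", hdrs["location"][0], host, [("Cookie", cookie)]))
    match = re.search(rb"<code>(.*?)</code>", body)
    return status, match.group(1).decode() if match else None


def start_server():
    """Bind the stand-in on a free loopback port and serve it from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeFlagServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_server()
    print(login_and_fetch_flag(srv.server_address))
    srv.shutdown()
```

Two things worth noticing while reading the page's own responses. The `set-cookie` value is the same on every login and base64-decodes (after URL-decoding the `%3D`) to `<script>alert("wat")</script>`, so the "token" is a fixed string rather than a per-session secret; any server that gates content on a constant cookie value is really gating it on knowledge of that constant. And because the challenge only looks for the cookie on `/`, the client above never has to interpret `Path=/` or `vary`; a real cookie jar would have to honour the attributes it throws away here.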

Flag

picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_72f2}