Description

Get aHEAD

Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:21939/

Hints:

  1. Maybe you have more than 2 choices
  2. Check out tools like Burpsuite to modify your requests and look at the responses

Approach

The web page lets you switch the background color between red and blue. The source code is fairly simple:

<!doctype html>
<html>
<head>
    <title>Red</title>
    <link rel="stylesheet" type="text/css" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
	<style>body {background-color: red;}</style>
</head>
	<body>
		<div class="container">
			<div class="row">
				<div class="col-md-6">
					<div class="panel panel-primary" style="margin-top:50px">
						<div class="panel-heading">
							<h3 class="panel-title" style="color:red">Red</h3>
						</div>
						<div class="panel-body">
							<form action="index.php" method="GET">
								<input type="submit" value="Choose Red"/>
							</form>
						</div>
					</div>
				</div>
				<div class="col-md-6">
					<div class="panel panel-primary" style="margin-top:50px">
						<div class="panel-heading">
							<h3 class="panel-title" style="color:blue">Blue</h3>
						</div>
						<div class="panel-body">
							<form action="index.php" method="POST">
								<input type="submit" value="Choose Blue"/>
							</form>
						</div>
					</div>
				</div>
			</div>
		</div>
	</body>
</html>

The request that switches to red is a GET request:

GET / HTTP/1.1
Host: mercury.picoctf.net:21939
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: vi,en-US;q=0.9,en;q=0.8
DNT: 1
Connection: close

The request that switches to blue is a POST request:

POST /index.php HTTP/1.1
Host: mercury.picoctf.net:21939
Content-Length: 0
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://mercury.picoctf.net:21939
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://mercury.picoctf.net:21939/
Accept-Encoding: gzip, deflate, br
Accept-Language: vi,en-US;q=0.9,en;q=0.8
DNT: 1
Connection: close

Changing the HTTP method to PUT and PATH makes the background-color change to ?. So the background color depends on the HTTP method. Trying the HEAD method returns a response that contains the flag:

HTTP/1.1 200 OK
flag: picoCTF{r3j3ct_th3_du4l1ty_6ef27873}
Content-type: text/html; charset=UTF-8
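
The manual method-swapping test above, turned into a repeatable check. This is an added example, not part of the original writeup or the challenge's code: it sends each HTTP method to a server and reports response headers that the GET baseline does not carry. `DemoHandler`, its placeholder header value and the `METHODS` list are constructed assumptions standing in for the challenge server.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
METHODS = ("GET", "POST", "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS")

class DemoHandler(BaseHTTPRequestHandler):  # constructed stand-in, assumed behaviour
    def _reply(self, color, extra=()):
        body = f"<title>{color}</title>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=UTF-8")
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        if self.command != "HEAD":  # HEAD responses carry no body
            self.wfile.write(body)
    def do_GET(self):
        self._reply("Red")
    def do_POST(self):
        self._reply("Blue")
    def do_HEAD(self):  # the defect: a header that GET never sends
        self._reply("Red", [("flag", "EXAMPLE{constructed_value}")])
    def log_message(self, *args):  # keep the demo quiet
        pass

def audit_methods(host, port, methods=METHODS):
    """Map each method to (status, header names absent from the first method's response)."""
    results, baseline = {}, None
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, "/")
        resp = conn.getresponse()
        resp.read()
        names = {name.lower() for name, _ in resp.getheaders()}
        conn.close()
        baseline = baseline or names  # first method (GET) is the baseline
        results[method] = (resp.status, sorted(names - baseline))
    return results

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # local, ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

A HEAD response is expected to carry the same header fields as the GET response for the same resource, so any name reported for HEAD here is worth a look.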

Flag

Success

picoCTF{r3j3ct_th3_du4l1ty_6ef27873}