Added Artisinal Handcrafted HTTP 3

PlatyPew · Sep 30, 2018 · a78dec6 · a78dec6
1 parent c80c65c
commit a78dec6
Show file tree

Hide file tree

Showing 2 changed files with 186 additions and 0 deletions.
diff --git a/Web Exploitation/Artisinal Handcrafted HTTP 3/README.md b/Web Exploitation/Artisinal Handcrafted HTTP 3/README.md
@@ -0,0 +1,152 @@
+# Artisinal Handcrafted HTTP 3
+Points: 300
+
+## Category
+Web Exploitation
+
+## Question
+>We found a hidden flag server hiding behind a proxy, but the proxy has some... _interesting_ ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting via `nc 2018shell1.picoctf.com 42496`, and use the proxy to send HTTP requests to `flag.local`. We've also recovered a username and a password for you to use on the login page: `realbusinessuser`/`potoooooooo`. 
+
+### Hint
+>_Be the browser._ When you navigate to a page, how does your browser send HTTP requests? How does this change when you submit a form?
+
+## Solution
+Doing an initial GET request for _/_, we can see a link to _/login_
+
+```html
+GET / HTTP/1.1
+Host: flag.local
+
+HTTP/1.1 200 OK
+x-powered-by: Express
+content-type: text/html; charset=utf-8
+content-length: 321
+etag: W/"141-LuTf9ny9p1l454tuA3Un+gDFLWo"
+date: Sun, 30 Sep 2018 14:26:00 GMT
+connection: close
+
+
+<html>
+
+<head>
+	<link rel="stylesheet" type="text/css" href="main.css" />
+</head>
+
+<body>
+	<header>
+		<h1>Real Business Internal Flag Server</h1>
+		<a href="/login">Login</a>
+	</header>
+	<main>
+		<p>You need to log in before you can see today's flag.</p>
+	</main>
+</body>
+
+</html>
+```
+
+When we do another GET request for _/login_, we can see the paramters of required. We can use the username and password provided in the question.
+
+```html
+GET /login HTTP/1.1
+Host: flag.local
+
+HTTP/1.1 200 OK
+x-powered-by: Express
+content-type: text/html; charset=utf-8
+content-length: 498
+etag: W/"1f2-UE5AGAqbLVQn1qrfKFRIqanxl9I"
+date: Sun, 30 Sep 2018 14:35:39 GMT
+connection: close
+
+
+<html>
+
+<head>
+	<link rel="stylesheet" type="text/css" href="main.css" />
+</head>
+
+<body>
+	<header>
+		<h1>Real Business Internal Flag Server</h1>
+		<a href="/login">Login</a>
+	</header>
+	<main>
+		<h2>Log In</h2>
+
+		<form method="POST" action="login">
+			<input type="text" name="user" placeholder="Username" />
+			<input type="password" name="pass" placeholder="Password" />
+			<input type="submit" />
+		</form>
+	</main>
+</body>
+
+</html>
+```
+
+When we send a POST request to _/login_ with the username and password, a cookie is set.
+
+```html
+POST /login HTTP/1.1
+Host: flag.local
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 38
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+
+user=realbusinessuser&pass=potoooooooo
+HTTP/1.1 302 Found
+x-powered-by: Express
+set-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/
+location: /
+vary: Accept
+content-type: text/html; charset=utf-8
+content-length: 46
+date: Sun, 30 Sep 2018 14:37:38 GMT
+connection: keep-alive
+
+<p>Found. Redirecting to <a href="/">/</a></p>
+```
+
+All we have to do now is input in the cookie for _/_ and get the flag.
+
+```html
+GET / HTTP/1.1
+Host: flag.local
+Cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D;
+
+HTTP/1.1 200 OK
+x-powered-by: Express
+content-type: text/html; charset=utf-8
+content-length: 438
+etag: W/"1b6-eYJ8DUTdkgByyfWFi6OJJSjopFg"
+date: Sun, 30 Sep 2018 14:38:54 GMT
+connection: close
+
+
+<html>
+	<head>
+		<link rel="stylesheet" type="text/css" href="main.css" />
+	</head>
+	<body>
+		<header>
+			<h1>Real Business Internal Flag Server</h1>
+			<div class="user">Real Business Employee</div>
+			<a href="/logout">Logout</a>
+		</header>
+		<main>
+			<p>Hello <b>Real Business Employee</b>!  Today's flag is: <code>picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_2e14}</code>.</p>
+		</main>
+	</body>
+</html>
+```
+
+Working solution [solve.py](solution/solve.py)
+
+### Flag
+`picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_2e14}`
diff --git a/Web Exploitation/Artisinal Handcrafted HTTP 3/solution/solve.py b/Web Exploitation/Artisinal Handcrafted HTTP 3/solution/solve.py
@@ -0,0 +1,34 @@
+#!/usr/bin/python
+
+from pwn import *
+import time
+import re
+
+s = remote('2018shell1.picoctf.com', 42496)
+
+time.sleep(1)
+print s.recv(),
+captcha = raw_input('')
+
+s.sendline(captcha)
+time.sleep(1)
+
+fail = s.recv().strip()
+
+if 'succeeded' in fail:
+	print 
+	req = '''GET / HTTP/1.1
+Host: flag.local
+Cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D;
+'''
+
+	print req
+	s.sendline(req)
+	time.sleep(1)
+	source = s.recv()
+
+	print re.findall(r'(picoCTF\{.+\})', source)[0]
+else:
+	log.info('Wrong validation!')
+
+s.close()