PicoCTF
Challenges: Web Exploitation
Name: GET aHEAD
This blog provides a solution to the GET aHEAD challenge, which is part of the picoCTF Web Exploitation category.
Find the flag being held on this server to get ahead of the competition.
*http://mercury.picoctf.net:45028/*
When you click on the web page's buttons, the background colors change accordingly. Click on both buttons and intercept the traffic on the burp suite, However, no interesting endpoint is observed.
The challenge name is “Get aHEAD” It seems we have a hint about the name.
intercept the request in the burp suite, change the GET HTTP method to HEAD, and observe the response.
When we send the request, we can see that the Flag is revealed in the response.
*http://mercury.picoctf.net:45028/*
Open the provided link in your browser and notice that it displays two buttons on the web page that can change the colours accordingly.
When you click on the web page's buttons, the background colors change accordingly. Click on both buttons and intercept the traffic on the burp suite, However, no interesting endpoint is observed.
The challenge name is “Get aHEAD” It seems we have a hint about the name.
As we all know the HTTP HEAD method is almost identical to the GET method, but the only difference is that it will not return any response body. For example, if GET/users return a record of users, then HEAD/users make the same request, but it will not return any of the users’ records.
When we send the request, we can see that the Flag is revealed in the response.
And it’s straightforward, Successfully solved the challenge.
0 comments:
Post a Comment