Tags: telnet web
Rating:
# ▼▼▼Artisinal Handcrafted HTTP 3 - Points: 300 ▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
We found a hidden flag server hiding behind a proxy, but the proxy has some... _interesting_ ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting via nc 2018shell2.picoctf.com 46083, and use the proxy to send HTTP requests to `flag.local`. We've also recovered a username and a password for you to use on the login page: `realbusinessuser`/`potoooooooo`.
Hint: _Be the browser._ When you navigate to a page, how does your browser send HTTP requests? How does this change when you submit a form?
```
---
## 【Access to GET /】
`# telnet 2018shell2.picoctf.com 46083`
↓
```
Trying 18.224.157.204...
Connected to 2018shell2.picoctf.com.
Escape character is '^]'.
Real Business Corp., Internal Proxy
Version 2.0.7
To proceed, please solve the following captcha:
__ _____
/ | |____ | ______
`| | ______ / / |______|
| | |______| \ \ ______
_| |_ .___/ / |______|
\___/ \____/
```
↓
>` -2`
↓
```
Validation succeeded. Commence HTTP.
```
↓
```
GET / HTTP/1.1
Host: flag.local
```
↓
```
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 321
etag: W/"141-LuTf9ny9p1l454tuA3Un+gDFLWo"
date: Sat, 06 Oct 2018 16:04:45 GMT
connection: close
<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
Login
</header>
<main>
You need to log in before you can see today's flag.
↓
```
Connection closed by foreign host.
```
---
## 【Access to GET /login】
Start with `# telnet 2018shell2.picoctf.com 46083` as well
↓
```
GET /login HTTP/1.1
Host: flag.local
```
↓
```
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 498
etag: W/"1f2-UE5AGAqbLVQn1qrfKFRIqanxl9I"
date: Sat, 06 Oct 2018 16:05:47 GMT
connection: close
<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
Login
</header>
<main>
<h2>Log In</h2>
<form method="POST" action="login">
<input type="text" name="user" placeholder="Username" />
<input type="password" name="pass" placeholder="Password" />
<input type="submit" />
</form>
</main>
</body>
</html>
```
↓
The parameter names were found to be `user` and `pass`
---
## 【Access to POST /login】
Start with `# telnet 2018shell2.picoctf.com 46083` as well
↓
```
POST /login HTTP/1.1
Host: flag.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
user=realbusinessuser&pass=potoooooooo
```
↓
```
HTTP/1.1 302 Found
x-powered-by: Express
set-cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D; Path=/
location: /
vary: Accept
content-type: text/plain; charset=utf-8
content-length: 23
date: Sat, 06 Oct 2018 16:45:47 GMT
connection: close
Found. Redirecting to /
```
↓
I get `real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D`
---
## 【Access to GET / with Cookie】
Start with `# telnet 2018shell2.picoctf.com 46083` as well
↓
```
GET / HTTP/1.1
Host: flag.local
Cookie: real_business_token=PHNjcmlwdD5hbGVydCgid2F0Iik8L3NjcmlwdD4%3D
```
↓
```
HTTP/1.1 200 OK
x-powered-by: Express
content-type: text/html; charset=utf-8
content-length: 438
etag: W/"1b6-W7vAFWOkYXQgrhkzGj6dgZ9sfsg"
date: Sat, 06 Oct 2018 16:47:14 GMT
connection: close
<html>
<head>
<link rel="stylesheet" type="text/css" href="main.css" />
</head>
<body>
<header>
<h1>Real Business Internal Flag Server</h1>
<div class="user">Real Business Employee</div>
Logout
</header>
<main>
Hello Real Business Employee! Today's flag is: picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_72f2}
.
↓
`picoCTF{0nLY_Us3_n0N_GmO_xF3r_pR0tOcol5_72f2}`