Tags: web
# Agent Keith
```
Keith was looking at some old browsers and made a site to hold his flag.
https://agent-keith.web.chal.hsctf.com
```
When we visit the site, we're immediately told our user-agent along with an access denied message.
Looks like a user-agent spoofing challenge. Let's go ahead and look at the source code for hints as to what our user-agent should be.
```html
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
<title>agent-keith</title>
<link rel="stylesheet" href="http://localhost:8002/static/style.css">
</head>
<body>
<main>
<h2>If you're not Keith, you won't get the flag!</h2>
Your agent is: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Flag: Access Denied
```
Looks like the user-agent that we need is
```
NCSA_Mosaic/2.0 (Windows 3.1)
```
Let's go ahead and make a request to the web page using Python in order to spoof our user-agent.
```
$ python
Python 3.7.3 (default, Mar 26 2019, 21:43:19)
[GCC 8.2.1 20181127] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://agent-keith.web.chal.hsctf.com/", headers={"User-Agent": "NCSA_Mosaic/2.0 (Windows 3.1)"}).content
b'\n<html lang="en">\n <head>\n <meta charset="utf-8">\n <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">\n <title>agent-keith</title>\n <link rel="stylesheet" href="http://localhost:8002/static/style.css">\n </head>\n <body>\n <main>\n <h2>If you\'re not Keith, you won\'t get the flag!</h2>\n
Your agent is: NCSA_Mosaic/2.0 (Windows 3.1)
\nFlag: hsctf{wow_you_are_agent_keith_now}
\n \n </main>\n </body>\n</html>'
```
The flag is in the body.
```
hsctf{wow_you_are_agent_keith_now}
```
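Why the check fell to a single header: the User-Agent is chosen entirely by the client, so comparing it to a fixed string authenticates nothing. The sketch below is an added example, not the challenge's server code (which the write-up never shows); `ua_gate`, `token_gate`, `API_TOKEN`, `Handler` and the listening port are hypothetical names and values, and it puts the weak check next to one that requires a secret bearer token.

```python
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values for this example; the real server logic is an assumption.
EXPECTED_UA = "NCSA_Mosaic/2.0 (Windows 3.1)"  # string from the write-up
API_TOKEN = secrets.token_urlsafe(32)          # hypothetical per-process secret


def ua_gate(headers):
    """Weak: grants access on a value the client fully controls."""
    return headers.get("User-Agent", "") == EXPECTED_UA


def token_gate(headers, expected=API_TOKEN):
    """Stronger: require a bearer secret that never appears in the page."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    # Constant-time comparison: do not leak how many characters matched.
    return hmac.compare_digest(presented.encode(), expected.encode())


class Handler(BaseHTTPRequestHandler):
    # Swap in ua_gate to reproduce the weak behaviour locally.
    gate = staticmethod(token_gate)

    def do_GET(self):
        allowed = self.gate(self.headers)
        body = b"Flag: <placeholder>\n" if allowed else b"Flag: Access Denied\n"
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    spoofed = {"User-Agent": EXPECTED_UA}
    print("ua_gate, spoofed UA:   ", ua_gate(spoofed))
    print("token_gate, spoofed UA:", token_gate(spoofed))
    # Loopback only; the port number is arbitrary for this example.
    HTTPServer(("127.0.0.1", 8002), Handler).serve_forever()
```

Logging requests that present the expected User-Agent without a valid token is a cheap way to spot clients probing the old check.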