## [See original writeup on site](https://barelycompetent.dev/post/ctfs/2021-04-11-ritsecctf/#revolution)

### Revolution
> The robots are taking over. They are posting their propaganda everywhere. Go here to find out more about it.
>
> 34.69.61.54:8799
>
> Might want to check out Robots first.
> Hint: Almost all the important information you need is on the root page. Read carefully.
>
> THE HINTS ARE FREE.
>
> * **Hint 1**: Repeat the propaganda in your crafted message to the leaders at the proper address.
> * **Hint 2**: Make sure you aren't encoding your message when sending it. Just use plain text when sending.
> * **Hint 3**: Use your head [2]

The site looks like this:

{{< image src="/img/CTFs/2021/ritsecCTF/revolition-home.gif" alt="revolition-home.gif" >}}

I tried `/robots.txt` first, which results in a 404. As does `/flag`, `/FLAG`, etc... So that doesn't seem to be it.

After stumbling around the site trying various words mentioned on the home page, I ended up trying the `/revolution` route, as mentioned in the bottom of the page:

```bash
curl http://34.69.61.54:8799/revolution
```

... response:

```html
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>

The method is not allowed for the requested URL.
```

Which is better than a 404! That means the route exists; we just aren't sending the request it expects. I tried `GET`/`POST`/`OPTIONS`/etc., but none of them were allowed.

I looked at the hints at this point, and the third of which caught my attention:

> * **Hint 3**: Use your head [2]

So how about we try sending a [`--head`](https://beamtic.com/head-request-curl) request?

```bash
curl --head http://34.69.61.54:8799/revolution
```

```html
HTTP/1.0 405 METHOD NOT ALLOWED
Content-Type: text/html; charset=utf-8
Allow: OPTIONS, UNLOCK
Content-Length: 178
Server: Werkzeug/1.0.1 Python/3.7.3
Date: Sat, 10 Apr 2021 14:27:21 GMT
```

Nice, so `UNLOCK` looks like what we want. If we try sending just that:

```bash
curl -X UNLOCK http://34.69.61.54:8799/revolution
```

... we get back:

```html
<html>
<head>
<title>404 ;)</title>
</head>
<body>
<h1>404 ;)</h1>
</body>
</html>
```

Now, we just need to figure out the "right crafted message"...

> Send me the right crafted message and you can join the revolution. Only then can we unlock your full potential.

The challenge description/hint mentions _head 2_. Originally, I thought this only referred to the `--head` option used to learn about `UNLOCK`. But after a while, my teammate datajerk mentioned:

> H2's?

Which, when looking at the website, made sense. This corresponded to each of the **Friendly**, **Caring**, **Laws**, **Protect** sections.

As such, I sent this payload:

```bash
curl -X UNLOCK -H "User-Agent: Robot-Queto-v1.2" http://34.69.61.54:8799/revolution -d 'Friendly Caring Laws Protect'
```

But no dice. After quite some time (a few hours) and talking with the author, I learned that the challenge description had been updated to make it quite a bit clearer.

I noticed now:

> They expect a special type of request and only have the ability to read plain text from a special agent. ONLY SEND PLAIN TEXT DATA.

The _ONLY SEND PLAIN TEXT DATA_ is what stood out to me. As it turns out, [the `-d` flag sends `Content-Type: application/x-www-form-urlencoded` by default](https://stackoverflow.com/a/43056956). Per that SO answer, we can specify `text/plain` explicitly like so, and this gives the flag:

```bash
curl -X UNLOCK -H "Content-Type: text/plain" -H "User-Agent: Robot-Queto-v1.2" http://34.69.61.54:8799/revolution -d 'Friendly Caring Laws Protect'
```

Flag is `RS{W3lc0me_t0_th3_R3volut1on}`.
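To see why the `Content-Type` mattered, here is an added stdlib-only Python reconstruction (not the challenge's own code) of a `/revolution` endpoint that behaves as observed above, plus an `http.client` helper standing in for the `curl` calls. The route logic, the placeholder flag and the treatment of a form-encoded body as empty text (mirroring how Werkzeug's `request.data` is empty once the form parser has consumed the body) are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Values the writeup discovered; the flag is a constructed placeholder.
EXPECTED_AGENT = "Robot-Queto-v1.2"
EXPECTED_BODY = "Friendly Caring Laws Protect"
FLAG = "RS{placeholder_not_the_real_flag}"


class RevolutionHandler(BaseHTTPRequestHandler):
    """Mock of /revolution: only UNLOCK is served, anything else gets 405."""

    def do_UNLOCK(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # Werkzeug parses a form-encoded body into request.form and leaves the
        # raw text (request.data) empty, so a form-typed body can never match.
        ctype = self.headers.get("Content-Type", "")
        text = raw.decode() if ctype.startswith("text/plain") else ""
        ok = self.headers.get("User-Agent") == EXPECTED_AGENT and text == EXPECTED_BODY
        data = (FLAG if ok else "404 ;)").encode()
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _method_not_allowed(self):
        self.send_response(405)
        self.send_header("Allow", "OPTIONS, UNLOCK")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = do_HEAD = do_OPTIONS = _method_not_allowed


def start_server():
    # Bind a free localhost port and serve in a background thread.
    srv = HTTPServer(("127.0.0.1", 0), RevolutionHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send(port, method, body=None, content_type=None):
    # One request against the mock; returns (status, Allow header, body text).
    headers = {"User-Agent": EXPECTED_AGENT}
    if content_type:  # curl -d would default this to x-www-form-urlencoded
        headers["Content-Type"] = content_type
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/revolution", body=body, headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Allow"), resp.read().decode())
    conn.close()
    return result
```

Sending the same body with `application/x-www-form-urlencoded` gets the `404 ;)` page, while `text/plain` returns the flag, which is exactly the difference between the last two `curl` commands.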