Tags: web 

Rating:

# ▼▼▼Methods(Web:50)、95/484=19.6%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

---

```
Make the server give you the flag. Navigate to the problem page from here.
Secondary instance (slightly different, but same solution) running at 52.90.229.46:2233.
Author: Steven Su

Hint
I don't think you get it.
```

-----

Methodという名前なので、`OPTIONS`で使えるメソッドを確認してみる。


```
OPTIONS / HTTP/1.1
Host: 52.90.229.46:2233
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close
```

```
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Allow: GET, OPTIONS, HEAD, DELETE
Content-Length: 0
Server: Werkzeug/0.12.2 Python/3.5.2
Date: Sun, 03 Dec 2017 21:59:36 GMT
```

`Allow: GET, OPTIONS, HEAD, DELETE`

-----

あまり使われない`DELETE`メソッドを送信してみる

```
DELETE / HTTP/1.1
Host: 52.90.229.46:2233
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: ja,en-US;q=0.9,en;q=0.8
Connection: close
```

```
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 52
Server: Werkzeug/0.12.2 Python/3.5.2
Date: Sun, 03 Dec 2017 21:57:41 GMT

tpctf{so_post_and_get_are_not_the_only_http_methods}
```

`tpctf{so_post_and_get_are_not_the_only_http_methods}`