What's going on, everybody? My name is John Hammond, and welcome back to another PicoCTF 2018 video. This challenge is called "Artisanal Handcrafted HTTP 3." It has 300 points in the web exploitation category and about 924 solves, so kind of in the middle: not in the same 2000 range, but not in the low 500 range, between some of the challenges surrounding it. So, interesting challenge, right? The prompt says we found a hidden flag server hiding behind a proxy, but the proxy has some interesting ideas of what qualifies someone to make HTTP requests. Looks like you'll have to do this one by hand. Try connecting to this netcat session and use the proxy to send HTTP requests to flag.local. We also recovered a username and password if you need to use them on the login page: real business user, and whatever that is.

So let's go ahead and copy this, right? Let's just move into a terminal and see if we can get a simple connect.sh script going, just pasting that one line to connect to it. Not entirely necessary, right, but good practice for what we're doing. Then we crank that to chmod +x, and then we can connect. It gives us a captcha each time. You could probably write something to just determine what figlet or toilet font this is and then automate that captcha, but you don't entirely have to. We're going to be doing this, as kind of stated, by hand, so we'll just copy and paste whatever we're doing with our payloads, or at least our input, as we move forward. So simply, five minus five is zero in this case, and it says validation succeeded, commence HTTP. Okay, so no real prompt here, just kind of a blank line. We're sitting pretty, but we do want to make some HTTP requests. The most common one we would expect is just GET, right? All-capital GET, and then we need a location following it, after a space, so the forward slash is just the root location. And maybe you or I or whatever individual doesn't entirely know the proper, perfect syntax for HTTP. That's fine.
At least we can get an inkling when it responds to us. If I hit Enter here, it tells me HTTP/1.1, so it will want a version, and it will also want a missing host header. Okay, so let's try that again. Let's do the captcha here: five plus one is six. GET / and then HTTP/1.1 for the version, and then it wants a host header, so headers would follow the verb line of the HTTP request, and it just wants the host here. You can say Host: to specify the value for this: flag.local, as was suggested in the challenge prompt. So two new lines here, and it gives us a response. It says 200 OK, success, powered by... sorry, powered by Express, probably the Node.js framework. It gives us some source code here, HTML. It says "a real business internal flag server." We see a link to log in, and you have to log in before you can see today's flag.

Okay, let's start to try and put this in some notes for us. We know we can get the root directory with this syntax, just getting the root / here and then flag.local. Now let's do that exact same thing, except the location that we want is /login. So let's copy this, connect again, five times nine... oh, quick maths, 45, Enter here, and we get all of this output. That's not very visible, so we do that one more time. Okay, so now we have a login form. We see the POST method here, and it's sending it to the login page, two variables that we're working with: the username and the password. Thankfully, we were already given that in the challenge prompt, so we can go ahead and make this POST request as well. Now this has a little more syntax to it than we're probably already used to. GET is very, very simple, right?
But POSTs can have a few more headers that come with them. When I was first solving this challenge I figured, okay, let's actually look up the syntax for a POST request in HTTP. So I saw this MDN page, right, this page from Mozilla Developers, and they actually had a lot of the real, formal headers that I need, between the Content-Type, the Content-Length, etc. You can scroll down and see an example of the syntax. So you supply your variables at the very bottom, and you've probably seen that before in Burp Suite or whatever other pen-testing stuff, or maybe you've done this before with web requests. But we do need the Content-Type and Content-Length.

So if we were to write this out, we would actually end up submitting a POST request to /login, right, with our variables. At least according to that output, the name of that variable is user and the name of the pass is pass. So we can take what we're given here: user= with the real business user, ampersand, pass= with that password. And we will get the Content-Type; according to Mozilla it should be application/x-www-form-urlencoded. So application/x-www-form-urlencoded, and then the Content-Length we can highlight in Sublime Text to see what this is: 38 characters. So let's say 38 here. Great.

Now let's go ahead and copy this and bring it to our shell. Six times nine is... oh boy, 63. No, that's seven; fifty-four. Goodness gracious. All right: "Found," return, Set-Cookie, real business token is equal to this, and then a path is set for us. So it looks like we did successfully log in; it would redirect us to /. So now we have a cookie that we can actually use to authenticate. Let's go ahead and add that as a header, right, Cookie: equals all this, and then let's do the GET /, Host: flag.local, etc. Now we can reconnect, three times six, eighteen, submit, and there we go. "Hello real business employee, today's flag is picoCTF only use non-GMO transfer protocols." That's funny.
Cool. So if we wanted to, we could make a get-flag script with this. Perhaps save this in a file and redirect it to it, or do some cat here-doc, whatever. Let's try that; get some flexing with a here-doc. Let's do bin/bash, right, and we want to put this in CTF, YouTube, Pico, additional... or artisanal, getflag.sh. cat something until EOF, right? I'm trying to figure out this syntax. Yeah, EOF, right? That should echo all those new lines. So now if I mark that as executable, with getflag we can run that. Oh, what is that? Peculiar. Let's go to Google. Google, rescue us: "cat here doc." I typed Google into Google. Forward slash forward slash EOF, and then... there we go. Now let's pipe that into our netcat connection, or in our case connect.sh, which should be fine to use. Run getflag. Oh, we need to do the validation. Never mind. I guess we can't go ahead and paste that in. Maybe if you wanted to put those together, you could probably use pwntools and Python to manually do the validation and then send that information and then carve out the flag, or just simply, you know, deal with the fact that we have received the flag once. We can save it, submit it, and that is good enough for us in this case. So let's mark that as complete, save this flag, and we can go ahead and submit it for 300 points. Paste, and we're moving. "Must be logged in," "lost connection." Cool, whatever, we're just going to roll with it; that's in the video.

Thanks so much for watching, guys. Hope you enjoyed this interesting thing with using netcat for HTTP requests, kind of just copying and pasting the payloads that we've been building out and exploring throughout our manual testing. So before I go, I want to give a quick shout-out to the people who support me on Patreon. Thank you so much.
Can't say it enough: one dollar a month on Patreon, and I'll give you a special shout-out just like this at the end of every video. It's just a little feel-good feeling, some warm fuzzies in your heart, helping out a dude put some food on the table. $5 a month or more will give you early access to videos before they go live on YouTube. So if I record a couple of videos and put them in a shared Google Drive folder, on YouTube I'll normally have them scheduled or gradually release videos; if you want the content right when it's ready, right when it's hot, that's the best way to do it, just five dollars a month. And I am grateful for your support. Please do join our Discord server, link in the description. It is a cool community full of CTF players, programmers and hackers, a lot of smart people. They're certainly smarter than me, and it's just a really cool place to hang out with the community. So please do like, comment and subscribe. Hope to see you in a later video, and take care.
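The three hand-typed requests from the walkthrough (GET / with a Host header, a urlencoded POST to /login with Content-Type and Content-Length, then a GET / that replays the Set-Cookie value), written out as reusable Python functions. This is an added example, not code from the video, from John Hammond, or from picoCTF; the host, paths, form field names, credentials, cookie name and flag value are placeholders, and the in-memory stand-in server exists only so the example runs offline.

```python
"""Hand-built HTTP/1.1 requests and a minimal raw-response parser.

Added example, not code from the video or from picoCTF. The host, paths,
field names, credentials and cookie/flag values are assumptions/placeholders.
"""
from urllib.parse import urlencode

CRLF = "\r\n"


def build_request(method, path, host, headers=None, body=b""):
    """Return the raw bytes of an HTTP/1.1 request.

    Request line first, then Host (the header the proxy complained about),
    then any extra headers, then a blank line (CRLF CRLF) before the body.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    if body:
        # Content-Length counts bytes of the body, not characters of the text.
        lines.append(f"Content-Length: {len(body)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + body


def build_form_post(path, host, fields):
    """POST a form as a browser would: urlencoded body plus matching headers."""
    body = urlencode(fields).encode("ascii")  # percent-escapes unsafe characters
    return build_request("POST", path, host,
                         {"Content-Type": "application/x-www-form-urlencoded"}, body)


def parse_response(raw):
    """Split a raw response into (status code, [(name, value), ...], body bytes).

    Headers are kept as a list because Set-Cookie may legitimately repeat.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)  # e.g. "HTTP/1.1 302 Found"
    status = int(parts[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def cookie_header(headers):
    """Turn the first Set-Cookie value into what belongs in a Cookie: header.

    Only the name=value pair is sent back; attributes such as Path=/ are not.
    """
    for name, value in headers:
        if name == "set-cookie":
            return value.split(";", 1)[0].strip()
    return None


def fetch_flag(send, host="flag.local", credentials=None):
    """Run the walkthrough's sequence through `send`, a callable that takes
    request bytes and returns raw response bytes (a socket wrapper in real use)."""
    parse_response(send(build_request("GET", "/", host)))  # anonymous page
    status, headers, _ = parse_response(
        send(build_form_post("/login", host, credentials or {})))
    cookie = cookie_header(headers)
    if status not in (200, 302) or cookie is None:
        raise RuntimeError(f"login failed: status {status}, no Set-Cookie")
    status, _, body = parse_response(
        send(build_request("GET", "/", host, {"Cookie": cookie})))
    if status != 200:
        raise RuntimeError(f"authenticated GET / returned {status}")
    return body.decode("utf-8", "replace")


def fake_server(request):
    """Constructed stand-in for the challenge server so the example runs offline.

    It accepts any credentials and uses a placeholder cookie name and flag.
    """
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line = head.split("\r\n")[0]
    if request_line.startswith("POST /login "):
        return (b"HTTP/1.1 302 Found\r\nSet-Cookie: example_token=abc123; Path=/\r\n"
                b"Location: /\r\nContent-Length: 0\r\n\r\n")
    if "\r\nCookie: example_token=abc123" in head:
        body = b"Hello employee, today's flag is FLAG{placeholder}"
    else:
        body = b'<a href="/login">log in</a>'
    return b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body


if __name__ == "__main__":
    print(fetch_flag(fake_server, credentials={"user": "exampleuser", "pass": "examplepass"}))
```

Two details worth noticing: Content-Length is computed from the encoded body bytes rather than counted by hand in an editor, and only the name=value part of Set-Cookie is replayed, which matches what the video did when it dropped the Path attribute before sending Cookie: on the final GET. To use this against a real service, replace `fake_server` with a function that writes the request to a socket and reads until the response is complete.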