GET aHEAD

Challenge information

Points: 20
Tags: picoCTF 2021, Web Exploitation
Author: MADSTACKS
 
Description:
Find the flag being held on this server to get ahead of the competition 
http://mercury.picoctf.net:47967/

Hints:
1. Maybe you have more than 2 choices
2. Check out tools like Burpsuite to modify your requests and look at the responses

Challenge link: https://play.picoctf.org/practice/challenge/132

Solution

The challenge name strongly suggests that you should access the page with the HEAD HTTP request method.

Let's use the curl tool to do that. The -I option makes curl send a HEAD request and show only the response headers.

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Web_Exploitation/GET_aHEAD]
└─$ curl -I http://mercury.picoctf.net:47967          
HTTP/1.1 200 OK
flag: picoCTF{<REDACTED>}
Content-type: text/html; charset=UTF-8

And as expected, there is the flag as a custom HTTP header.

For additional information, please see the references below.

References