Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn
http://mercury.picoctf.net:34588/
-
This challenge is pretty interesting one and it has 200 points in return. I visited the URL on browser and there is a GIF saying "Who are you?" and above that there is a clue sentence:
-
I understood the thing here, I need to change the user agent. So, I opened postman client and hit the URL again setting the
User-Agent=PicoBrowserin the header part of the request.I don't trust users visiting from another site.
-
So now it says that I am not trusted. Referer header can make me trusted to the website but Referer value must be same as the host website, in this case it's
http://mercury.picoctf.net:34588/I need to setupReferer=http://mercury.picoctf.net:34588/in the request header with previous user-agent config.Sorry, this site only worked in 2018.
-
Now I need to time travel back to the year 2018 when Iron Man was alive. I just set
Date=2018in header and boom, it worked.I don't trust users who can be tracked.
-
So, now I have to make me untrackable. Okay, I am gonna do it by sending Do not track request in the header. I set
DNT=1in the header config and hit the URL again and got response:This website is only for people from Sweden.
-
How can I go to Sweden now only to visit one webpage! That doesn't makes sense. Well there is another way we can pretend to be in Sweden modifying headers. I just set the value of
X-Forwarded-Forproperty to an ip address of sweden. I got an swedish ip address searching in Google.You're in Sweden but you don't speak Swedish?
-
Let's setup language in the header.
Accept-Language=sv
-
Hurray! I got the flag...
Throught the full process MDN docs helped me a lot