How do we load websites?
What request verb is used to retrieve page content?
GETWhat port do web servers normally listen on?
80What’s responsible for making websites look fancy?
CSS
HTTP — Verbs and request formats
HTTP request methods:
Responses: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status
OVERVIEW
- 100–199: Information
- 200–299: Successes (200 OK is the “normal” response for a GET)
- 300–399: Redirects (the information you want is elsewhere)
- 400–499: Client errors (You did something wrong, like asking for something that doesn’t exist)
- 500–599: Server errors (The server tried, but something went wrong on their side)
What verb would be used for a login?
POSTWhat verb would be used to see your bank balance once you’re logged in?
GETDoes the body of a GET request matter? Yea/Nay
NayWhat’s the status code for “I’m a teapot”?
418What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?
401
Cookies, tasty!
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
MINI CTF Task :
Flags used :
-X flag = allows us to specify the request type, eg -X POST-d flag = Sends the specified data in a POST request to
the HTTP server, in the same way that a browser does when
a user has filled in an HTML form and presses the submit
button.-c, --cookie-jar <filename>
(HTTP) Specify to which file you want curl to write all cookies after a completed operation. Curl writes all cookies from its in-memory cookie storage to the given file at the end of operations.-b, --cookie <data|filename>
(HTTP) Pass the data to the HTTP server in the Cookie header. It is supposedly the data previously received from the server in a "Set-Cookie:" line. The data should be in the format "NAME1=VALUE1; NAME2=VALUE2".
QA:
What’s the GET flag?
root@ip-10–10–156–89:~# curl -X GET 10.10.71.86:8081/ctf/get
thm{162520bec925bd7979e9ae6*******9f}What’s the POST flag?
root@ip-10–10–156–89:~# curl -X POST 10.10.71.86:8081/ctf/post -d “flag_please”
thm{3517c902e22def9c6e09b9****40ba09}What's the "Get a cookie" flag?
root@ip-10–10–156–89:~# curl -X GET 10.10.71.86:8081/ctf/getcookie -c “Cookies!”
Check your cookies!root@ip-10–10–156–89:~# ls
‘Check your cookies!’ ‘Cookies!’ Desktop Downloads Instructions Pictures Postman Scripts thinclient_drives Tools -X
root@ip-10–10–156–89:~# cat Cookies!
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.10.10.71.86 FALSE / FALSE 0 flag thm{91b1ac2606f36b935f46***8213d7ebd}What's the "Set a cookie" flag?
root@ip-10–10–156–89:~# curl — -cookie “flagpls=flagpls” 10.10.71.86:8081/ctf/sendcookie
thm{c10b5cb7546f359d19c747***d0f47b3}
