Hack The Box



Questions

HyperText Transfer Protocol (HTTP)

To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.

kappa@kappa-Aspire-Z5600:~$ curl '94.237.62.184:40933/download.php'
HTB{64$!c_cURL_u$3r}kappa@kappa-Aspire-Z5600:~$

HTTP Requests and Responses

What is the HTTP method used while intercepting the request? (case-sensitive)?

GET

Send a GET request to the above server, and read the response headers to find the version of Apache running on the server, then submit it as the answer. (answer format: X.Y.ZZ)

kappa@kappa-Aspire-Z5600:~$ curl '94.237.62.184:40933' -v
*   Trying 94.237.62.184:40933...
* Connected to 94.237.62.184 (94.237.62.184) port 40933 (#0)
> GET / HTTP/1.1
> Host: 94.237.62.184:40933
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Thu, 02 Jan 2025 19:03:22 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 348
< Content-Type: text/html; charset=UTF-8

* Connection #0 to host 94.237.62.184 left intact
kappa@kappa-Aspire-Z5600:~$

2.4.41

HTTP Headers

The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.

http://83.136.253.216:44629/flag_327a6c4304ad5938eaf0efb6cc3e53dc.txt

HTB{p493_r3qu3$t$_m0n!t0r}

GET

Authenticate to the server above with user "admin" and password "admin".

The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what request it is sending when we search, then use cURL to search for 'flag' and obtain the flag.

kappa@kappa-Aspire-Z5600:~$ curl http://94.237.54.116:36361/search.php\?search\=flag -u admin:admin
flag: HTB{curl_g3773r}
kappa@kappa-Aspire-Z5600:~$

POST

Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'.

kappa@kappa-Aspire-Z5600:~$ curl -X POST -d 'username=admin&password=admin' http://94.237.54.116:40408/ -i
HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 19:48:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: PHPSESSID=bm21tgunjsu3sc7fiaje6dd2mc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1554
Content-Type: text/html; charset=UTF-8

kappa@kappa-Aspire-Z5600:~$ curl -X POST -d '{"search":"flag"}' -b 'PHPSESSID=bm21tgunjsu3sc7fiaje6dd2mc' -H 'Content-Type: application/json' http://94.237.54.116:40408/search.php

["flag: HTB{p0$t_r3p34t3r}"]kappa@kappa-Aspire-Z5600:~$
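The two header-reading steps above (finding the Server version in the GET response, then pulling the PHPSESSID value out of Set-Cookie to reuse it with `curl -b`) done programmatically, as an added example that is not part of the HTB exercise or the original write-up. The response text is a constructed sample modelled on the login response above, with a made-up session id; function names are my own.

```python
import re

# Constructed sample: the login response shown above, with a made-up session id.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=EXAMPLE0123456789abcdef; path=/\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n<html>...</html>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, headers, body).
    Header names are lower-cased (they are case-insensitive) and map to lists,
    because headers such as Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def server_version(headers):
    """Return the Apache version advertised in the Server header, e.g. '2.4.41'."""
    for value in headers.get("server", []):
        m = re.search(r"Apache/(\d+\.\d+\.\d+)", value)
        if m:
            return m.group(1)
    return None

def session_cookie(headers, name="PHPSESSID"):
    """Return the name=value pair to send back with `curl -b`, without the
    Set-Cookie attributes (path, expires, ...) that a client never echoes."""
    for value in headers.get("set-cookie", []):
        pair = value.split(";", 1)[0].strip()
        if pair.startswith(name + "="):
            return pair
    return None

def missing_cookie_flags(headers, name="PHPSESSID"):
    """Defender check: which of HttpOnly/Secure/SameSite the session cookie lacks."""
    for value in headers.get("set-cookie", []):
        pair, _, attrs = value.partition(";")
        if pair.strip().startswith(name + "="):
            present = {a.strip().split("=")[0].lower() for a in attrs.split(";")}
            return [f for f in ("HttpOnly", "Secure", "SameSite") if f.lower() not in present]
    return None
```

Note that the Set-Cookie line captured above carries only `path=/`, so `missing_cookie_flags` reports all three hardening attributes as absent on that server.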

CRUD API

First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.

kappa@kappa-Aspire-Z5600:~$ curl -X DELETE http://94.237.54.116:31664/api.php/city/london
kappa@kappa-Aspire-Z5600:~$ curl -X DELETE http://94.237.54.116:31664/api.php/city/leeds
kappa@kappa-Aspire-Z5600:~$ curl http://94.237.54.116:31664/api.php/city/flag
[{"city_name":"flag","country_name":"HTB{crud_4p!_m4n!pul4t0r}"}]kappa@kappa-Aspire-Z5600:~$

HTB{crud_4p!_m4n!pul4t0r}