Thursday, August 9, 2018

TJCTF - Request Me Writeup

by Guilherme "k33r0k" Assmann

This challenge is really silly, but the annoying part is that it was blocking the use of Burp Suite and mitmproxy. Using Postman, however, it is possible to make the requests!

Initially, I tried to do everything straight through curl, but it did not work. I'm not sure exactly why, but I performed exactly the same curl things in Postman and it worked:

In the first requests, the challenge prompted us to send an OPTIONS request to see the accepted methods:

Within the OPTIONS response, it told us that there were 2 parameters to be sent; however, we did not know where, so I tried to send the parameters in both GET and POST as well.

I noticed that none worked, so I tested the two together in other methods until I got through with the DELETE method:
