This challenge is really silly, but what is annoying, is that he was blocking the use of the Burp Suite
and mitmproxy
, but using postman
it is possible to make the requests!
Initially, I tried to do everything straight through the curl, but it did not work, I’m not sure exactly why, but I performed exactly the same curl
things on postman
and it worked:
In the first requests the challenge induced us to send the OPTIONS
to see the accepted methods:
Within OPTIONS
it would tell us that there were 2 parameters to be sent, however, we did not know where, so I tried to send the parameters in both GET
and POST
as well.
I noticed that none worked so I tested the two together in other methods until I got through the DELETE
method: