TryHackMe — Web Fundamentals
[Task 1] Introduction and objectives
We’ll cover HTTP requests and responses, web servers, cookies and then put them all to use in a mini Capture the Flag at the end.
[Task 2] How do we load websites?
What request verb is used to retrieve page content?
Ans.GET request verb is used to retrieve page content
What port do web servers normally listen on?
Ans.Port listen on 80
What’s responsible for making websites look fancy?
Ans.CSS
[Task 3] More HTTP — Verbs and request formats
What verb would be used for a login?
Ans.POST verb used for a login
What verb would be used to see your bank balance once you’re logged in?
Ans.GET verb would be used to see your bank balance
Does the body of a GET request matter? Yea/Nay
Ans.Nay
What’s the status code for “I’m a teapot”?
Ans.418
What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?
Ans.401
[Task 4] Cookies, tasty!
So what exactly cookies are it allows server to store and retrieve data from client and stored in a file on the client side which contains only text only not executable code and it cannot exceed 4K in size and allows for retaining state with the client’s help such as Session Management and User Preferences.
Why cookies ?
Because HTTP is Stateless means every request you make over http treated as independently
- what independently means that the server does not retain state for clients
- You have to give introduction everytime.
[Task 5]Mini CTF
Tasks
There’s a web server running on http://MACHINE_IP:8081. Connect to it and get the flags!
- GET request. Make a GET request to the web server with path /ctf/get
- POST request. Make a POST request with the body “flag_please” to /ctf/post
- Get a cookie. Make a GET request to /ctf/getcookie and check the cookie the server gives you
- Set a cookie. Set a cookie with name “flagpls” and value “flagpls” in your devtools (or with curl!) and make a GET request to /ctf/sendcookie
This is quite easy walkthrough you can use burpsuite if you want or you can follow their instructions
What’s the GET flag?
Ans To find GET just hit this url http://MACHINE_IP:8081/ctf/get and you will find flag thm{162520bec925bd7979e9ae65a725f99f}
What’s the POST flag?
Ans. By using command curl http://MACHINE_IP:8081/ctf/post -X POST — data “flag_please” you will get code thm{3517c902e22def9c6e09b99a9040ba09}
What’s the “Get a cookie” flag?
Ans.By going inspect element you will find cookies thm{91b1ac2606f36b935f465558213d7ebd}
What’s the “Set a cookie” flag?
Ans.thm{c10b5cb7546f359d19c747db2d0f47b3}