DefendTheWeb Playground Challenge HTTP method

DefendTheWeb.net, previously called HackThis.co.uk, is a well-known interactive security platform where you can learn and test your skills. It contains challenges from several different cybersecurity fields.

I’ve decided to have a bit of fun and try to solve every single challenge presented, from the easiest to the hardest (although easy and hard will differ depending on your skillset and field of expertise).

As I do with any challenge website, I WILL NEVER post the flag in cleartext, as it kills the fun and thrill of finding it. However, I will post my way (or ways) of getting there. This is done out of respect for the website’s security and non-disclosure policy, even when it doesn’t have one ;).

Challenge HTTP method / Intro

This challenge is rated as intro, so it should be fairly easy to solve. This time the author only gives us a simple description:

Use the POST method to send the password ‘fa3f32e66b’ to this page

So the task is simple: we need to use the HTTP POST method to send the given password to this page to move forward.

There are several different ways to do that:

  • Install the Google Chrome Tamper extension (or any similar extension for another browser) to intercept the request, change it and forward it.
  • Intercept the request with an intercepting proxy such as Burp Suite (I like it a lot) or OWASP ZAP, to change it and forward it.

Let’s go the second way and browse DefendTheWeb through Burp Suite to intercept the request. After doing this, we get the following request (with session and auth_remember redacted hehe):

GET /playground/http-method HTTP/2
Host: defendtheweb.net
Cookie: i3_access=false; PHPSESSID=[REDACTED]; auth_remember=[REDACTED]; cookies_dismissed=1
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

Notice that there is nowhere in this request to put our password, and the request is a GET, not a POST. First I tried simply changing the GET to POST and adding “?password=78c0d26799” to the same request before forwarding it, but to no avail:

POST /playground/http-method?password=78c0d26799 HTTP/2
Host: defendtheweb.net
Cookie: i3_access=false; PHPSESSID=[REDACTED]; auth_remember=[REDACTED]; cookies_dismissed=1
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

I also tried to pass the password in the body, but it didn’t work:

POST /playground/http-method HTTP/2
Host: defendtheweb.net
Cookie: i3_access=false; PHPSESSID=[REDACTED]; auth_remember=[REDACTED]; cookies_dismissed=1
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

?password=78c0d26799

Then I realized that this request is not exactly what the server is expecting, so I tried to find other challenges I had solved that could be passing passwords as well, so I could reuse them to try to solve this one. I found the request I was looking for in another challenge called “Intro 1”:

POST /playground/intro1 HTTP/2
Host: defendtheweb.net
Cookie: i3_access=false; PHPSESSID=[REDACTED]; auth_remember=[REDACTED]; cookies_dismissed=1
Content-Length: 517
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://defendtheweb.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4uWbd4T8he3z7FfX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://defendtheweb.net/playground/intro1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="token"

62fb103ded322ecf8969996d6cc5ec1c0d7627ed749705794671bae134509a5d
------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="formid"

bfaa86bb2b7484e3aab65d53047ea2d7
------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="username"

a
------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="password"

b
------WebKitFormBoundary4uWbd4T8he3z7FfX--

I sent that request to Burp Suite Repeater and made a few changes: changing GET for POST, changing the page for the one in the challenge, and changing the password for the password given in the challenge. Then I forwarded the request.

POST /playground/http-method HTTP/2
Host: defendtheweb.net
Cookie: i3_access=false; PHPSESSID=[REDACTED]; auth_remember=[REDACTED]; cookies_dismissed=1
Content-Length: 526
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="91", " Not;A Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: https://defendtheweb.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4uWbd4T8he3z7FfX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://defendtheweb.net/playground/http-method
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="token"

62fb103ded322ecf8969996d6cc5ec1c0d7627ed749705794671bae134509a5d
------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="formid"

bfaa86bb2b7484e3aab65d53047ea2d7
------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="username"

a
------WebKitFormBoundary4uWbd4T8he3z7FfX
Content-Disposition: form-data; name="password"

78c0d26799
------WebKitFormBoundary4uWbd4T8he3z7FfX--

There we have it. I hope you enjoyed this challenge as much as I did. See you on the next one.
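Why the first attempts failed and the replayed form worked, as an added example that is not part of the original write-up or the site's code: it models how a PHP-style handler separates query-string parameters from POST form fields. The handler behaviour, the urlencoded variants and the boundary string are assumptions; the path and password are the ones shown above.

```python
from email import message_from_bytes
from urllib.parse import parse_qs, urlsplit

def parse_request(method, target, headers, body=b""):
    """Split request parameters the way a PHP-style handler sees them.

    Assumption (not confirmed by the page): the challenge reads the password
    from the POST array, which is filled from a form-encoded body only.
    """
    get = {k: v[-1] for k, v in parse_qs(urlsplit(target).query).items()}
    post = {}
    ctype = headers.get("Content-Type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        post = {k: v[-1] for k, v in parse_qs(body.decode()).items()}
    elif method == "POST" and ctype.startswith("multipart/form-data"):
        # Prepend the Content-Type so the MIME parser knows the boundary.
        msg = message_from_bytes(b"Content-Type: " + ctype.encode() + b"\r\n\r\n" + body)
        if msg.is_multipart():
            post = {p.get_param("name", header="content-disposition"):
                    p.get_payload(decode=True).decode() for p in msg.get_payload()}
    return {"GET": get, "POST": post}  # any other body is left unparsed

PATH, PW = "/playground/http-method", "78c0d26799"  # values shown on the page
FORM = {"Content-Type": "application/x-www-form-urlencoded"}
MULTI = {"Content-Type": "multipart/form-data; boundary=XBOUNDARY"}  # constructed boundary
MULTI_BODY = (b'--XBOUNDARY\r\nContent-Disposition: form-data; name="password"\r\n\r\n'
              + PW.encode() + b"\r\n--XBOUNDARY--\r\n")

# Constructed requests mirroring the attempts in the write-up.
ATTEMPTS = {
    "query string on POST": ("POST", f"{PATH}?password={PW}", {}, b""),
    "body without Content-Type": ("POST", PATH, {}, f"?password={PW}".encode()),
    "urlencoded body with leading '?'": ("POST", PATH, FORM, f"?password={PW}".encode()),
    "urlencoded body": ("POST", PATH, FORM, f"password={PW}".encode()),
    "multipart body": ("POST", PATH, MULTI, MULTI_BODY),
}

def accepted(name):
    """True when the handler would find the password in its POST fields."""
    return parse_request(*ATTEMPTS[name])["POST"].get("password") == PW

if __name__ == "__main__":
    for name in ATTEMPTS:
        print(f"{name:34} -> {'accepted' if accepted(name) else 'rejected'}")
```

The same split matters when reviewing an application: a parameter that is only honoured in the body behaves differently from one read from a merged request array, so test both locations separately.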
