GET aHEAD

Vanya Verma
2 min read, Sep 15, 2021


Category: Web Exploitation

Tools Used: Burp Suite

Read Up: HTTP Methods

pico CTF

Today I will be solving the “Get aHEAD” challenge from picoCTF. The challenge is an easy/beginner-level web exploitation challenge. Let’s dive right into it!

https://play.picoctf.org/practice/challenge/132

We’re given a link. When we open it, the page shows two buttons that change its background color: clicking “choose red” turns the background red, and clicking “choose blue” turns it blue.

http://mercury.picoctf.net:45028/index.php?

As this page does not do anything else, we’ll have to dig deeper to figure out how to make use of it. Clicking either of the two buttons on the website sends an HTTP request to the server. Let’s check those requests out. To do this, we can use a tool called Burp Suite, developed by PortSwigger. Burp Suite lets us intercept and modify HTTP requests and view their responses, and it is one of the most commonly used tools for web application testing.

Since I’m using Kali Linux, I have it pre-installed. Let’s click the “choose red” button, intercept its request and examine it, then do the same for the “choose blue” button.

Burp Suite

As you can see, clicking the red button sends a “GET” request, while clicking the blue button sends a “POST” request to the server.

Given that each button uses a different HTTP method, the server evidently branches on the method, so changing it to one the page does not normally send might get us the flag. Let’s swap “GET” for “HEAD”, as the hint suggests. Right-click on the intercepted HTTP request and select “Send to Repeater”. In the Repeater tab, edit the method and click Send. The flag is visible in the response panel.

BINGO !!!

Replacing “GET” with “HEAD”
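To show why the method swap works and how a developer would close the hole, here is an added example (my own code, not the challenge’s index.php) modelling the server as two small WSGI apps: a leaky one whose method dispatch has a catch-all branch, and a hardened one that allow-lists methods. The secret value, the X-Flag header name and the page markup are constructed placeholders, and the assumption that the flag travels in a response header (HEAD responses carry no body) is mine.

```python
from io import BytesIO

# Constructed placeholder; the real challenge flag is not reproduced here.
SECRET = "picoCTF{example_placeholder}"


def leaky_app(environ, start_response):
    """Dispatches on the method with a catch-all 'else', so any method that is
    not GET or POST (HEAD, OPTIONS, ...) falls through to the secret branch."""
    method = environ["REQUEST_METHOD"]
    if method == "GET":
        status, headers, body = "200 OK", [], b"<body style='background:red'>"
    elif method == "POST":
        status, headers, body = "200 OK", [], b"<body style='background:blue'>"
    else:
        # Unhandled method: secret leaks in a header (assumed shape of the bug).
        status, headers, body = "200 OK", [("X-Flag", SECRET)], b""
    headers.append(("Content-Type", "text/html"))
    start_response(status, headers)
    return [body]


def hardened_app(environ, start_response):
    """Allow-lists the methods the page implements; HEAD mirrors GET's headers
    with an empty body, and every other method gets 405 plus an Allow header."""
    method = environ["REQUEST_METHOD"]
    colours = {"GET": b"red", "POST": b"blue"}
    if method == "HEAD":
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b""]
    if method not in colours:
        start_response("405 Method Not Allowed", [("Allow", "GET, POST, HEAD")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<body style='background:" + colours[method] + b"'>"]


def call(app, method):
    """Drive a WSGI app offline; return (status, headers as dict, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/index.php",
               "wsgi.input": BytesIO(b"")}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

Running `call(leaky_app, "HEAD")` reproduces the writeup’s result (the secret appears in the headers), while `call(hardened_app, "HEAD")` returns only the normal headers and any other unexpected method is refused with 405.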
