Requests: Challenges
Here are some "self study" challenges for dealing with requests.
Complete each challenge to get a flag, which you can submit on zaphod.
Requests Challenges
Modifying Request Parameters
Being able to change the request headers sent to the server can be useful for changing how the server behaves.
Task
For this task you need to modify the request headers at challenges/setUA.
Change the request type and the User-Agent to the values on the VM.
Responses
Sometimes it's good to take a closer look at the responses sent back.
Task
Take a look at the request and response chain for the /challenge/theResponse page.
Automation
It's also good to use automation to scrape pages and deal with them, for example handling form submissions and CSRF tokens.
Task
Try using something like Python requests to complete /challenge/automation.
Session Based Challenges
Manually Setting Cookies
We might need to fiddle with more than just client-side cookie values.
Task
In challenges/cookieChallenge, try to set the correct cookie value to get Admin.
Flask Client Side Cookies
The client-side cookie approach has some advantages. However, it relies on the secret key being truly secret.
In Flask, if we can leak the key in some way, then we could use it to add our own data to the session cookie.
Hard Task
In challenges/sessionChallenge, using the key provided in the Challenge VM, modify the session to set the Admin token.
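Why the secret key carries all of the trust in a client-side session: the sketch below is an added example, not part of the challenge material or Flask's own code. It re-implements the layout of Flask's default session cookie (payload.timestamp.signature, HMAC-SHA1, salt `cookie-session`) with the standard library; `DEMO_KEY`, the sample session and the helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json, zlib

SALT = b"cookie-session"          # salt used by Flask's default session interface
DEMO_KEY = b"constructed-demo-key"  # constructed value, not a real secret

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def b64d(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def _mac(secret, signed_part):
    # A per-purpose key is derived from the secret, then used for HMAC-SHA1.
    derived = hmac.new(secret, SALT, hashlib.sha1).digest()
    return b64e(hmac.new(derived, signed_part, hashlib.sha1).digest())

def sign(secret, data, now):
    payload = b64e(json.dumps(data, separators=(",", ":")).encode())
    signed_part = payload + b"." + b64e(now.to_bytes(4, "big"))
    return signed_part + b"." + _mac(secret, signed_part)

def read_without_key(cookie):
    # The payload is only base64 (zlib-compressed when it starts with "."),
    # so anyone holding the cookie can read it: signed, not encrypted.
    compressed = cookie.startswith(b".")
    raw = b64d(cookie.lstrip(b".").split(b".")[0])
    return json.loads(zlib.decompress(raw) if compressed else raw)

def verify(secret, cookie):
    # Integrity check only; expiry of the timestamp is not checked here.
    signed_part, _, sig = cookie.rpartition(b".")
    if not hmac.compare_digest(sig, _mac(secret, signed_part)):
        return None
    return read_without_key(cookie)

def swap_payload(cookie, data):
    # Edit the payload but keep the old timestamp and signature.
    new_payload = b64e(json.dumps(data, separators=(",", ":")).encode())
    return new_payload + b"." + cookie.split(b".", 1)[1]

if __name__ == "__main__":
    cookie = sign(DEMO_KEY, {"user": "guest", "admin": False}, 1700000000)
    print("readable without key:", read_without_key(cookie))
    print("verifies with key:   ", verify(DEMO_KEY, cookie))
    edited = swap_payload(cookie, {"user": "guest", "admin": True})
    print("edited, no key:      ", verify(DEMO_KEY, edited))  # None
```

The server accepts whatever verifies under its key, so the key needs the same handling as any other credential: keep it out of source control and rotate it if it is exposed.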