Sending requests to a Web server via Curl, Netcat, and Python to Access Sensitive files and data | 2024
Note: The notes below were taken while I was solving the lab for the first time. I have simplified the steps while recording the above video. Please check out the above video for the simplified methods.
Introduction to Pwn College
pwn.college is an online platform that offers training modules for cybersecurity professionals. It helps students and others learn about and practice core cybersecurity concepts.
Pwn.college is an education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. In martial arts terms, it is designed to take a “white belt” in cybersecurity to becoming a “blue belt”, able to approach (simple) CTFs and wargames. Our philosophy is “practice makes perfect”.
The platform is maintained by an awesome team of hackers at Arizona State University. It powers much of ASU’s cybersecurity curriculum, and is open, for free, to participation for interested people around the world!
Talking to Web — Accessing Files
Level 1 — Send an HTTP request using curl
curl localhost
Level 2: Send an HTTP request using nc
nc -v localhost 80
GET /flag
#Hit Enter
Level 3: Send an HTTP request using python
import requests
host = "http://127.0.0.1:80/flag"
r = requests.get(host)
print(r.text)
python3 FILE_NAME.py
Level 4: Set the host header in an HTTP request using curl
curl localhost/flag -H 'Host: a704cd4f0bc3b6bc9ac864fe113514b1'
Level 5: Set the host header in an HTTP request using nc
echo -e "GET /flag HTTP/1.1\\r\\nHost: 54b7ada9efe2fe3bad7818b1b5a65330\\r\\n\\r\\n" | nc localhost 80
Level 6: Set the host header in an HTTP request using python
import requests
host = "http://127.0.0.1:80/flag"
h = {"Host": "f9e84c83115d25e09d53f13b00f4b75c"}
r = requests.get(host, headers=h)
print(r.text)
Level 7: Set the path in an HTTP request using curl
curl localhost/080c932e13d03e058d2b155137c18566
Level 8: Set the path in an HTTP request using nc
nc -n 127.0.0.1 80
GET /cefdb209b8626deae1dda7f9345a1921
#Enter once or twice
Level 9: Set the path in an HTTP request using python
import requests
host = "http://127.0.0.1:80/192ecb96a6926ef8db5265754ff334fa"
r = requests.get(host)
print(r.text)
Level 10: URL encode a path in an HTTP request using curl
curl localhost/a2d76052%203d8ec7ef/a39b0452%203b09476f
Level 11: URL encode a path in an HTTP request using nc
nc localhost 80
GET /91745e5b%20062f7450/b35217c4%20ee8a47a6
#Enter once or twice
Level 12: URL encode a path in an HTTP request using python
import requests
import urllib.parse as ur
host = "http://127.0.0.1:80"
path = "/06221968 f84898ac/550a8f31 b98e1531"
url = host + ur.quote(path)
r = requests.get(url)
print(r.text)
Level 13: Specify an argument in an HTTP request using curl
curl localhost/?a=902e04fc41165df2b3063fa33beb719a
Level 14: Specify an argument in an HTTP request using nc
nc localhost 80
GET /?a=f55b073fec2c283dd7f3260a3c57b639
#Enter once or twice
Level 15: Specify an argument in an HTTP request using python
import requests
host = "http://127.0.0.1:80"
path = "/?a=1e30afba5cc53eaade2ce97b7adadad3"
url = host + path
r = requests.get(url)
print(r.text)
Level 16: Specify multiple arguments in an HTTP request using curl
Use the python code to URL Encode
python -c "import urllib.parse as ur; print(ur.quote('paste_the_string_here_to_encode'))"
curl "localhost/?a=853ce33c75fc30dc48a18b65283d786d&b=71daf681%20827086cf%2618e2b48f%23a2b688c5"
Level 17: Specify multiple arguments in an HTTP request using nc
nc localhost 80
GET /?a=2d3ce1c448e6f20c37e54ff246b39ca9&b=f1168950%204023f362%2619f2731f%23dcc53871
Level 18: Specify multiple arguments in an HTTP request using python
import requests
import urllib.parse as up
host = "http://127.0.0.1:80/?"
param1 = "a=ba4be4f0151557d70982e1951bd527a8"
param2 = "aa18b72a 11bac7d6&aea36aef#3f272df1"
url = host + param1 + '&b=' + up.quote(param2)
print("Encoded Url:" + url)
r = requests.get(url)
print(r.text)
Encoded Url: http://127.0.0.1:80/?a=ba4be4f0151557d70982e1951bd527a8&b=aa18b72a%2011bac7d6%26aea36aef%233f272df1
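Why the second argument in Levels 16 to 18 has to be encoded, shown as an added example (not part of the original notes): it parses the query string the way a server-side parser would and compares the raw URL with the encoded ones. The helper names server_view and damaged are made up for this illustration; the values are the Level 18 ones.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

BASE = "http://127.0.0.1:80/?"
A = "ba4be4f0151557d70982e1951bd527a8"
B = "aa18b72a 11bac7d6&aea36aef#3f272df1"   # contains a space, '&' and '#'
INTENDED = {"a": A, "b": B}

def server_view(url):
    """Parameters a server would parse: the '#fragment' is never sent,
    and every '&' in the query starts a new parameter."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

def damaged(url, intended):
    """Names whose value did not arrive as intended, plus unexpected names."""
    seen = server_view(url)
    bad = {k for k, v in intended.items() if seen.get(k) != [v]}
    return sorted(bad | (seen.keys() - intended.keys()))

raw_url = BASE + "a=" + A + "&b=" + B              # no encoding at all
quoted_url = BASE + "a=" + A + "&b=" + quote(B)    # what the Level 18 script builds
encoded_url = BASE + urlencode(INTENDED)           # whole query built from a dict

if __name__ == "__main__":
    for name, url in [("raw", raw_url), ("quote", quoted_url), ("urlencode", encoded_url)]:
        print(name, server_view(url), "damaged:", damaged(url, INTENDED))
```

With requests, passing the same dict as params=INTENDED to requests.get() encodes the query the same way, so the manual quote() step is not needed.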
Level 19: Include form data in an HTTP request using curl
curl -X POST localhost -d "a=1f94c790004da233114828d18b9f3dc8"
Level 20: Include form data in an HTTP request using nc
echo -e "POST / HTTP/1.1\\r\\nHost: 127.0.0.1\\r\\nContent-Type: application/x-www-form-urlencoded\\r\\nContent-Length: 34\\r\\n\\r\\na=73f470c86a0c774d9f2bc9aed94b9fd0" | nc 127.0.0.1 80
Level 21: Include form data in an HTTP request using python
import requests as r
host = "http://127.0.0.1:80/"
data = {"a":"8725d8fe3190da3dfd42e8016b1582ef"}
response = r.post(host, data)
print(response.text)
Level 22: Include form data with multiple fields in an HTTP request using curl
curl -X POST "localhost" -d "a=e66c5d0674fd628190e194f84a79e5f6" -d "b=424a3732%2062c3f72b%26047ddf89%23efc2a88b"
Level 23: Include form data with multiple fields in an HTTP request using nc
Content-Length is important; \r is not.
echo -e "POST / HTTP/1.0\\nHost: 127.0.0.1\\nContent-Length: 74\\nContent-Type: application/x-www-form-urlencoded\\n\\na=e460a465c39581ea2b9ed927da9fc1c7&b=465b23dd 4175a51f%261264b27d#fe30c862" | nc localhost 80
OR
Save the request below in a file, e.g. request, then run: cat request | nc localhost 80
POST / HTTP/1.0
Host: 127.0.0.1
Content-Length: 74
Content-Type: application/x-www-form-urlencoded

a=e460a465c39581ea2b9ed927da9fc1c7&b=465b23dd 4175a51f%261264b27d#fe30c862
Level 24: Include form data with multiple fields in an HTTP request using python
import requests as r
host = "http://127.0.0.1:80/"
data = {
    "a": "e4c285ef8bd95dd0e8fb6e3d3956652f",
    "b": "8dac482c 3c8dc902&68fe868d#1e2c37d6"
}
res = r.post(host, data)
print(res.text)
Level 25: Include json data in an HTTP request using curl
Use Double quotes for JSON values
curl -X POST localhost -H 'Content-Type: application/json' -d '{"a":"6d0e19ad4142c65391ab709e3b1e8306"}'
Level 26: Include json data in an HTTP request using nc
request file
POST / HTTP/1.0
Host: 127.0.0.1
Content-Length: 41
Content-Type: application/json

{"a":"d4c66c7e920fe7b7b1b464a74abcd08b"}
cat request | nc localhost 80
Level 27: Include json data in an HTTP request using python
Learn the names of a function's arguments. For post(), we have url, json, and headers as keyword arguments.
json=data - if we pass this, it will automatically set the content type to application/json
import requests as r
host = "http://127.0.0.1:80/"
data = {"a":"3b39c5f5fd5b27bf291893f4d8d07797"}
response = r.post(host, json=data)
print(response.text)
Level 28: Include complex json data in an HTTP request using curl
curl -X POST localhost -H "Content-Type: application/json" -d '{"a": "5d63c68ec666d8ad27c1e2603d50509f", "b": {"c": "9200d306", "d": ["4e8a42ca", "96ae680f 42fda862&cbbdd048#fe6c0cc7"]}}'
Level 29: Include complex json data in an HTTP request using nc
request file
POST / HTTP/1.0
Host: 127.0.0.1
Content-Length: 122
Content-Type: application/json

{
"a":"c039fd54b04c973f4db4c05911700aa9",
"b":{"c":"800ed4d2", "d":["c23c3805", "caeb2477 98b0d510&1c4bd996#d2f30b7f"]}
}
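The hand-written nc requests in Levels 20, 23, 26 and 29 only work when Content-Length matches the body and an empty line separates headers from body. The added example below (not part of the original notes) builds such a request with the length computed from the body bytes, and checks a hand-written request file before it is piped to nc. build_post and check_request are names chosen for this illustration; the sample file content is the Level 26 request from this page.

```python
import json
import re
from urllib.parse import urlencode

def build_post(body: bytes, content_type: str, host: str = "127.0.0.1") -> bytes:
    """Raw HTTP/1.0 POST with Content-Length derived from the body."""
    headers = [
        "POST / HTTP/1.0",
        f"Host: {host}",
        f"Content-Length: {len(body)}",      # counted in bytes, not characters
        f"Content-Type: {content_type}",
    ]
    # every header line ends with CRLF; one empty line precedes the body
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body

def check_request(raw: bytes):
    """Return (declared, actual) body length of a raw request.
    Accepts bare LF line endings as well as CRLF, like the files piped to nc."""
    gap = re.search(rb"\r?\n\r?\n", raw)
    if gap is None:
        raise ValueError("no empty line between headers and body")
    declared = None
    for line in raw[:gap.start()].splitlines()[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared, len(raw[gap.end():])

# Level 26 request file as saved by an editor (LF endings, trailing newline)
LEVEL26_FILE = (b"POST / HTTP/1.0\nHost: 127.0.0.1\nContent-Length: 41\n"
                b"Content-Type: application/json\n\n"
                b'{"a":"d4c66c7e920fe7b7b1b464a74abcd08b"}\n')

# Level 23 form fields, encoded by urlencode instead of by hand
FORM = urlencode({"a": "e460a465c39581ea2b9ed927da9fc1c7",
                  "b": "465b23dd 4175a51f&1264b27d#fe30c862"}).encode()
NESTED = json.dumps({"a": "x", "b": {"c": "y", "d": ["z", "p q&r#s"]}}).encode()

if __name__ == "__main__":
    print(check_request(LEVEL26_FILE))
    print(build_post(FORM, "application/x-www-form-urlencoded").decode())
    print(check_request(build_post(NESTED, "application/json")))
```

The trailing newline that editors such as nano append counts toward the body, which is why the 40-character JSON object in Level 26 is sent with Content-Length: 41.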
Level 30: Include complex json data in an HTTP request using python
import requests as r
host = "http://127.0.0.1:80/"
data = {
"a": "7ecdee328e44c2e2f32221dbd4eade7e",
"b": {"c": "04aea63b", "d": ["f2f55fc0", "25fd588e e1ebb16e&e76d7948#93b46a3a"]}
}
response = r.post(host, json=data)
print(response.text)
Level 31: Follow an HTTP redirect from HTTP response using curl
curl localhost
curl localhost/c7bb792929e2468dbeddac0ae013ca14
Level 32: Follow an HTTP redirect from HTTP response using nc
hacker@talking-web~level32:~$ nc localhost 80
GET /
<h1>Redirecting...</h1>
<p>You should be redirected to URL: <a href="/e7c84368b9f07201b2a821428b368609">/e7c84368b9f07201b2a821428b368609</a>. If not, click the link.
hacker@talking-web~level32:~$ nc localhost 80
GET /e7c84368b9f07201b2a821428b368609
pwn.college{QwpGa7MUc.....}
Level 33: Follow an HTTP redirect from HTTP response using python
import requests as r
host = "http://localhost/"
response = r.get(host)
print(response.text)
Level 34: Include a cookie from HTTP response using curl
curl -X GET -L localhost --cookie "c54cf1108e4d2d80033f84fe768494c9"
Level 35: Include a cookie from HTTP response using nc
Level 36: Include a cookie from HTTP response using python
import requests as r
host = "http://127.0.0.1/"
response = r.get(host)
print(response.text)
Level 37: Make multiple requests in response to stateful HTTP responses using curl
curl -X GET http://127.0.0.1:80/request1 --cookie-jar cookies.txt --cookie cookies.txt
curl -X GET http://127.0.0.1:80/request2 --cookie-jar cookies.txt --cookie cookies.txt
curl -X GET http://127.0.0.1:80/request3 --cookie-jar cookies.txt --cookie cookies.txt
curl -X GET http://127.0.0.1:80/request4 --cookie-jar cookies.txt --cookie cookies.txt
Level 38: Make multiple requests in response to stateful HTTP responses using nc
request file
GET / HTTP/1.0
Host: 127.0.0.1
Cookie: session=dummy
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 302 FOUND
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:30:02 GMT
Content-Length: 9
Location: /
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6MX0.ZcxP2g.qquwMGlsSuxPJF2laE0kQnP1p7c; HttpOnly; Path=/
Connection: close
state: 1
hacker@talking-web~level38:~$ nano request
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 302 FOUND
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:30:33 GMT
Content-Length: 9
Location: /
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6Mn0.ZcxP-Q.yMzlpS8TkWqH28_o2Gwxgenx-Ts; HttpOnly; Path=/
Connection: close
state: 2
hacker@talking-web~level38:~$
hacker@talking-web~level38:~$ nano request
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 302 FOUND
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:31:09 GMT
Content-Length: 9
Location: /
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6M30.ZcxQHQ.udw6tF3YXZAehG2qFN46UhfyxJI; HttpOnly; Path=/
Connection: close
state: 3
hacker@talking-web~level38:~$ nano request
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:31:37 GMT
Content-Length: 58
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6NH0.ZcxQOQ.9ZgSDmh15pAL269RJg5y9MiPADU; HttpOnly; Path=/
Connection: close
pwn.college{UqwPYVSh7xexPUjKL9THhVKrryR.....}
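The session values in the Set-Cookie headers above can be read without any key. The added example below (not part of the original notes) decodes them, assuming they use Flask's default signed session cookie layout payload.timestamp.signature, which the Werkzeug server header suggests but the page does not state; b64url and decode_session are names chosen for this illustration.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

# Cookie values copied from the Set-Cookie headers in the Level 38 output above
COOKIES = [
    "eyJzdGF0ZSI6MX0.ZcxP2g.qquwMGlsSuxPJF2laE0kQnP1p7c",
    "eyJzdGF0ZSI6Mn0.ZcxP-Q.yMzlpS8TkWqH28_o2Gwxgenx-Ts",
    "eyJzdGF0ZSI6M30.ZcxQHQ.udw6tF3YXZAehG2qFN46UhfyxJI",
    "eyJzdGF0ZSI6NH0.ZcxQOQ.9ZgSDmh15pAL269RJg5y9MiPADU",
]

def b64url(part: str) -> bytes:
    # the "=" padding is stripped in the cookie; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_session(value: str):
    """Return (payload, issued_at) from payload.timestamp.signature.
    The signature is not checked here: that needs the server's secret key."""
    compressed = value.startswith(".")   # a leading dot marks a zlib-compressed payload
    payload, stamp, _signature = value.lstrip(".").rsplit(".", 2)
    raw = b64url(payload)
    if compressed:
        raw = zlib.decompress(raw)
    issued = int.from_bytes(b64url(stamp), "big")   # seconds since the Unix epoch
    return json.loads(raw), datetime.fromtimestamp(issued, tz=timezone.utc)

if __name__ == "__main__":
    # The payload is signed, not encrypted: the client can read the state
    # counter, but cannot change it without invalidating the signature.
    for cookie in COOKIES:
        data, issued = decode_session(cookie)
        print(data, issued.isoformat())
```

Each decoded payload is the state counter the server echoes in the response body, and each timestamp equals the Date header of the response that set the cookie.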
Level 39: Make multiple requests in response to stateful HTTP responses using python
import requests as r
host = "http://127.0.0.1/"
# Send back the cookie from each response with cookies=
# (the second positional argument of get() is params, not cookies)
response1 = r.get(host)
cookie1 = response1.cookies
response2 = r.get(host, cookies=cookie1)
cookie2 = response2.cookies
response3 = r.get(host, cookies=cookie2)
cookie3 = response3.cookies
response4 = r.get(host, cookies=cookie3)
cookie4 = response4.cookies
print(response4.text)
Thank you for Reading!!
Happy Hunting ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng