cURLing

Difficulty: ❄ ❄ ❄ ❄
Team up with Bow Ninecandle to send web requests from the command line using Curl, learning how to interact directly with web servers and retrieve information like a pro!

Hints

cURL Manual

From: Bow Ninecandle
The official cURL man page has tons of useful information on how to use cURL.

cURL: Don’t squash

From: Bow Ninecandle
Take a look at cURL’s “--path-as-is” option; it controls a default behavior that you may not expect!

Silver trophy

Welcome to Curling Fun!  We will learn some basic curl commands while playing a round of curling.
-----------------------------------------------------------------------------------------------
Are you ready to begin? [y]es: yes
1) Unlike the defined standards of a curling sheet, embedded devices often have web servers on non-standard ports.  Use curl to retrieve the web page on host "curlingfun" port 8080.
If you need help, run the 'hint' command.
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl http://curlingfun:8080
You have successfully accessed the site on port 8080!

If you need help, please remember to run "hint" for a hint!
2) Embedded devices often use self-signed certificates, where your browser will not trust the certificate presented.  Use curl to retrieve the TLS-protected web page at https://curlingfun:9090/
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl -k https://curlingfun:9090
You have successfully bypassed the self-signed certificate warning!
Subsequent requests will continue to require "--insecure", or "-k" for short.

If you need help, please remember to run "hint" for a hint!
3) Working with APIs and embedded devices often requires making HTTP POST requests. Use curl to send a request to https://curlingfun:9090/ with the parameter "skip" set to the value "alabaster", declaring Alabaster as the team captain.
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl -k https://curlingfun:9090 -d skip=alabaster
You have successfully made a POST request!
4) Working with APIs and embedded devices often requires maintaining session state by passing a cookie.  Use curl to send a request to https://curlingfun:9090/ with a cookie called "end" with the value "3", indicating we're on the third end of the curling match.
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl -k https://curlingfun:9090 -b end=3
You have successfully set a cookie!
5) Working with APIs and embedded devices sometimes requires working with raw HTTP headers.  Use curl to view the HTTP headers returned by a request to https://curlingfun:9090/
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl -k https://curlingfun:9090 -i
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 17 Nov 2024 21:32:00 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Custom-Header: You have found the custom header!

You have successfully bypassed the self-signed certificate warning!
Subsequent requests will continue to require "--insecure", or "-k" for short.

If you need help, please remember to run "hint" for a hint!
6) Working with APIs and embedded devices sometimes requires working with custom HTTP headers.  Use curl to send a request to https://curlingfun:9090/ with an HTTP header called "Stone" and the value "Granite".
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl -k https://curlingfun:9090 -H "Stone:Granite"
You have successfully set a custom HTTP header!
7) curl will modify your URL unless you tell it not to.  For example, use curl to retrieve the following URL containing special characters: https://curlingfun:9090/../../etc/hacks
-----------------------------------------------------------------------------------------------
alabaster@curlingfun:~$ curl -k https://curlingfun:9090/../../etc/hacks --path-as-is
You have successfully utilized --path-as-is to send a raw path!
Great work! 

Once HHC grants your achievement, you may close this terminal.
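
Step 7 and the --path-as-is hint come down to dot-segment removal: by default curl squashes /../ and /./ sequences before sending, so the server never sees them. The Python sketch below is an added example, not part of the challenge or of curl's source; it models that default with the RFC 3986 section 5.2.4 algorithm, and the names path_sent and has_dot_segment are hypothetical.

```python
from urllib.parse import unquote

def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: drop '.' and '..' segments from a URL path."""
    out, inp = [], path
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]                 # "/./x" -> "/x"
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../") or inp == "/..":
            inp = inp[3:] or "/"          # "/../x" -> "/x", "/.." -> "/"
            if out:
                out.pop()                 # ".." discards the previous segment
        elif inp in (".", ".."):
            inp = ""
        else:
            cut = inp.find("/", 1)        # move one whole segment to the output
            cut = len(inp) if cut == -1 else cut
            out.append(inp[:cut])
            inp = inp[cut:]
    return "".join(out)

def path_sent(path, path_as_is=False):
    """Model (assumption) of the request path: normalized unless path_as_is is set."""
    return path if path_as_is else remove_dot_segments(path)

def has_dot_segment(raw_path):
    """Server-side check on the raw request path, decoding %2e once before testing."""
    segments = unquote(raw_path.split("?", 1)[0]).split("/")
    return any(s in (".", "..") for s in segments)

if __name__ == "__main__":
    # Paths taken from the challenge text above.
    for p in ("/../../etc/hacks", "/../../etc/button", "/GoodSportsmanship"):
        for flag in (False, True):
            sent = path_sent(p, flag)
            print(f"{p:20} path_as_is={flag!s:5} sent={sent:20} "
                  f"flagged={has_dot_segment(sent)}")
```

A check like has_dot_segment only helps when it runs on the request path as received, before any component normalizes it.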

Gold trophy

The instructions to get started on the gold trophy are in the file HARD-MODE.txt:

alabaster@curlingfun:~$ cat HARD-MODE.txt 
Prefer to skip ahead without guidance? Use curl to craft a request meeting these requirements:

- HTTP POST request to https://curlingfun:9090/
- Parameter "skip" set to "bow"
- Cookie "end" set to "10"
- Header "Hack" set to "12ft"
alabaster@curlingfun:~$ curl -k https://curlingfun:9090 -d skip=bow -b end=10 -H "Hack:12ft"
Excellent! Now, use curl to access this URL: https://curlingfun:9090/../../etc/button
alabaster@curlingfun:~$ curl -k https://curlingfun:9090/../../etc/button --path-as-is
Great! Finally, use curl to access the page that this URL redirects to: https://curlingfun:9090/GoodSportsmanship
alabaster@curlingfun:~$ curl -k https://curlingfun:9090/GoodSportsmanship -L
Excellent work, you have solved hard mode! You may close this terminal once HHC grants your achievement.