Wei's

PicoCTF - Who are you?

22 Sep 2022 picoCTF 

Challenge

Tags

PicoCTF 2021 / Web Exploitation

Description

Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn
http://mercury.picoctf.net:52362/

Writeup

Note that everyone ‘s port and flag are different!

  1. Visit this site, it says: Only people who use the official PicoBrowser are allowed on this site! So I use ThunderClient to request website and change User-Agent in the header to PicoBrowser.
  2. It says: I don’t trust users visiting from another site. So we can add the key of Referer with the value http://mercury.picoctf.net:52362/ to the header and request website again.
  3. It says: Sorry, this site only worked in 2018. So we can add the key of Date with the value 1 Jan 2018 to the header and request website again.
  4. It says: I don’t trust users who can be tracked. So we can add the key of DNT which means do not track with the value 1 to the header and request website again.
  5. It says: This website is only for people from Sweden. So we can add the key of X-Forwarded-For, which can change the originating IP, with the value random Sweden IP address to the header and request website again.
  6. It says: You’re in Sweden but you don’t speak Swedish? So we can add the key of Accept-Language with the value sv to the header and request website again. Then we can get the flag! ٩(^ᴗ^)۶
  7. Header should be like : remix

Related posts

Archive

solidity picoCTF Go ethernaut linux blockchain sql react smart-contract typescript solana javascript java ethereum css Linux zsh ubuntu next.js jekyll hardhat golang ethers Secureum Rust web wallet vscode truffle shell rpc notion notes nodejs nextjs mocha html github git geth express eslint docker cloudflare Vim DSA