
CURLing Master

Location: West Wing

Problem

I am Holly Evergreen, and now you won't believe:
Once again the striper stopped; I think I might just leave!
Bushy set it up to start upon a website call.
Darned if I can CURL it on - my Linux skills appall.

Could you be our CURLing master - fixing up this mess?
If you are, there's one concern you surely must address.
Something's off about the conf that Bushy put in place.
Can you overcome this snag and save us all some face?

  Complete this challenge by submitting the right HTTP 
  request to the server at http://localhost:8080/ to 
  get the candy striper started again. You may view 
  the contents of the nginx.conf file in 
  /etc/nginx/, if helpful.

Hints

Holly Evergreen introduces the terminal challenge by saying:

Hi, I'm Holly Evergreen.

Oh that Bushy!

Sorry to vent, but that brother of mine did something strange.

The trigger to restart the Candy Striper is apparently an arcane HTTP call or 2.

I sometimes wonder if all IT folk do strange things with their home networks...

Holly also provides a link to a webpage on HTTP/2.0 Basics: https://developers.google.com/web/fundamentals/performance/http2/

Solution

The challenge hints that we need to speak HTTP/2 to the web server on localhost port 8080. The initial plain curl request returns a short run of non-printable characters: the server answers with HTTP/2 binary frames rather than an HTTP/1.1 text response, the first sign that it will not fall back to the older protocol. A look at the files in the home directory shows a .bash_history that holds the commands this user executed in earlier sessions.

Running the history command, we see that curl was invoked with the --http2-prior-knowledge option, which tells curl to send cleartext HTTP/2 (h2c) from the first byte instead of starting with HTTP/1.1 and upgrading. Resubmitting the request with that option returns HTML stating that we need to POST "status=on" to activate the candy striper, so we add the -d option (which also makes curl send a POST) and that gives us the win.

elf@b2d082a5b5b2:~$ curl http://localhost:8080
   ����elf@b2d082a5b5b2:~$ 

elf@b2d082a5b5b2:~$ ls -la
total 24
drwxr-xr-x 1 elf  elf  4096 Dec 14 16:15 .
drwxr-xr-x 1 root root 4096 Dec 14 16:14 ..
-rw-r--r-- 1 elf  elf   464 Dec 14 16:13 .bash_history
-rw-r--r-- 1 elf  elf   220 May 15  2017 .bash_logout
-rw-r--r-- 1 elf  elf  3543 Dec 14 16:15 .bashrc
-rw-r--r-- 1 elf  elf   675 May 15  2017 .profile

elf@f72adf5c13df:~$ history
    1  netstat -ant
    2  ncat --broker -nlvp 9090
    3  echo "\302\257\_(\343\203\204)_/\302\257" >> /tmp/shruggins
    4  cat /tmp/shruggins
    5  curl --http2-prior-knowledge http://localhost:8080/index.php

elf@f72adf5c13df:~$ curl --http2-prior-knowledge http://localhost:8080/index.php
<html>
 <head>
  <title>Candy Striper Turner-On'er</title>
 </head>
 <body>
 <p>To turn the machine on, simply POST to this URL with parameter "status=on"

 </body>
</html>

elf@1a747f9db027:~$ curl -d "status=on" --http2-prior-knowledge http://localhost:8080/index.php
<html>
 <head>
  <title>Candy Striper Turner-On'er</title>
 </head>
 <body>
 <p>To turn the machine on, simply POST to this URL with parameter "status=on"

Unencrypted 2.0? He's such a silly guy.
That's the kind of stunt that makes my OWASP friends all cry.
Truth be told: most major sites are speaking 2.0;
TLS connections are in place when they do so.

-Holly Evergreen
<p>Congratulations! You've won and have successfully completed this challenge.
<p>POSTing data in HTTP/2.0.

</body>
</html>

Answer: curl -d "status=on" --http2-prior-knowledge http://localhost:8080/index.php
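To show what the "non-printable characters" from the first curl attempt actually are, and to spot the configuration concern that Holly's closing verse points at, here is an added example; it is not part of the original writeup and not code from the challenge itself. The first function reads the leading bytes of a server response and tells an HTTP/1.x status line apart from a 9-byte HTTP/2 frame header, which is what an h2c-only server sends back to a client that never sent the HTTP/2 preface. The second function scans nginx listen directives for the pre-1.25 "listen ... http2" form with no "ssl" parameter, the cleartext HTTP/2 setup the verse objects to, and shows the TLS-backed form beside it. The sample bytes, the two config fragments and the certificate paths are all constructed for this example; the real /etc/nginx/nginx.conf from the challenge is not reproduced on the page.

```python
import re

# HTTP/2 frame type codes (RFC 7540, section 6).
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
DEFAULT_MAX_FRAME_SIZE = 16384  # initial value of SETTINGS_MAX_FRAME_SIZE


def classify_response(raw: bytes) -> dict:
    """Classify the first bytes a server sent back.

    An HTTP/1.x response starts with an ASCII status line. An HTTP/2
    response starts with a 9-byte frame header: 24-bit payload length,
    8-bit type, 8-bit flags, then a reserved bit plus a 31-bit stream id.
    Printed as text by curl, such bytes look like line noise.
    """
    if raw.startswith(b"HTTP/1."):
        status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": "http/1.x", "detail": status_line}
    if len(raw) >= 9:
        length = int.from_bytes(raw[0:3], "big")
        ftype = raw[3]
        flags = raw[4]
        stream_id = int.from_bytes(raw[5:9], "big") & 0x7FFFFFFF
        if ftype in FRAME_TYPES and length <= DEFAULT_MAX_FRAME_SIZE:
            return {"protocol": "h2", "detail": FRAME_TYPES[ftype],
                    "length": length, "flags": flags, "stream_id": stream_id}
    return {"protocol": "unknown", "detail": raw[:16].hex()}


# Constructed sample inputs (not captured from the challenge server).
# A SETTINGS frame carrying SETTINGS_MAX_CONCURRENT_STREAMS (id 0x3) = 128:
# header = length 6, type 0x04, flags 0, stream 0; payload = id(2) + value(4).
SAMPLE_H2 = b"\x00\x00\x06\x04\x00\x00\x00\x00\x00" + b"\x00\x03\x00\x00\x00\x80"
SAMPLE_HTTP11 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"


LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);")


def find_cleartext_http2(config_text: str) -> list:
    """Return (line number, directive) for every nginx 'listen' that enables
    HTTP/2 without 'ssl', using the pre-1.25 'listen ... http2' parameter
    form. Such a listener only speaks cleartext h2c."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LISTEN_RE.match(line)
        if not m:
            continue
        params = m.group(1).split()
        if "http2" in params and "ssl" not in params:
            findings.append((lineno, line.strip()))
    return findings


# Constructed nginx fragments; the challenge's real nginx.conf is not shown
# on the page, and the certificate paths below are placeholders.
WEAK_CONF = """\
server {
    listen 8080 http2;   # HTTP/2 with no TLS: the server is h2c-only
    root /var/www/html;
}
"""

FIXED_CONF = """\
server {
    listen 443 ssl http2;   # HTTP/2 negotiated inside TLS via ALPN
    ssl_certificate     /etc/nginx/certs/PLACEHOLDER.pem;
    ssl_certificate_key /etc/nginx/certs/PLACEHOLDER.key;
    root /var/www/html;
}
"""


if __name__ == "__main__":
    for name, raw in (("h2c-only server", SAMPLE_H2), ("HTTP/1.1 server", SAMPLE_HTTP11)):
        print(name, "->", classify_response(raw))
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, "config findings:", find_cleartext_http2(conf))
```

The classifier only needs the first nine bytes, which is all a plain curl of an h2c-only port gives you before the connection closes; feeding it the raw bytes from such a session turns "????" into a named frame type. The config check is deliberately narrow: it flags the older parameter syntax that the challenge era used, where http2 on a non-ssl listener meant cleartext HTTP/2 only, and it would need extending for the separate "http2 on;" directive that newer nginx releases introduced.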