PWN.COLLEGE Talking Web

Complete solutions for the pwn.college "Talking Web" module: a writeup of all challenges.

Challenge 1

Challenge 2

Challenge 3

Challenge 4

Challenge 5

Challenge 6

Challenge 7

Challenge 8

Challenge 9

Challenge 10

Challenge 11

Challenge 12

Challenge 13

Challenge 14

Challenge 15

Challenge 16

Challenge 17

Challenge 18

                                                       req4.python                                                                    
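import requests

# GET request with a custom Host header and two query parameters.
# The query string is written pre-encoded because the value of "b" contains
# characters that act as delimiters in a URL: a space (%20), "&" (%26, which
# would otherwise start a new parameter) and "#" (%23, which would otherwise
# start the fragment and never reach the server).
url = 'http://localhost?a=5c058979bd37fb3503512c58bd11c8b6&b=2ea09e1b%20c567af01%26b7e9b6c5%239a51c800'

# An explicit Host entry replaces the value requests would derive from the
# URL: the connection still goes to localhost, but the request names a
# different virtual host.
headers = {
    'Host': '48f80bbb6183538f3d323f99d7c397fb'
}

# Bound the wait: without timeout=, requests blocks indefinitely when the
# server accepts the connection but never answers.
response = requests.get(url, headers=headers, timeout=10)

# Show the body the server returned.
print(response.text)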

Challenge 19

Challenge 20

# Hand-written HTTP POST sent over a raw TCP connection with nc.
# Content-Length must equal the byte length of the form body: "a=" plus the
# 32-character value is 34 bytes. The trailing CRLF and LF after the body fall
# outside that count.
printf 'POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\na=eeb6c038eac69a4a652014ff7dabc2a8\r\n\n' | nc localhost 80

Challenge 21

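import requests

# Target of the form POST; this script sets no custom headers.
url = 'http://localhost'

# A dict passed as data= is sent as an application/x-www-form-urlencoded
# body, and requests sets the matching Content-Type header itself.
data = {'a': '670e4fa6103d6c493ad241b2959c0ace'}

# Bound the wait: without timeout=, requests blocks indefinitely when the
# server accepts the connection but never answers.
response = requests.post(url, data=data, timeout=10)

# Show the body the server returned.
print(response.text)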

Challenge 22

# Form POST with two fields. --data sends the string exactly as written, so
# the space, "&" and "#" inside the value of b are percent-encoded by hand
# (%20, %26, %23); a literal "&" there would be parsed as a field separator.
curl --data 'a=09084bc0ced7092b5b25fa997bf48df8&b=e3cc5d01%202802266d%2696574197%23ee3d8e3b' localhost

Challenge 23

hacker@talking-web~level23:~$ echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 78\r\n\r\na=34418b28c1bd8f7875b9ea814fe8910f&b=712c2671%208187e24d%2639f2bac0%2399e800dc\r\n" | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.8.10
Date: Wed, 31 Jul 2024 14:54:11 GMT
Content-Length: 58
Server: pwn.college
Connection: close

pwn.college{k0i2uG0ghQ2XEvZQJLcm85lmPMG.dBTOyMDL5QTM2QzW}

Challenge 24

import requests

# Target URL; this script sets no custom headers.
url = 'http://localhost'

# NOTE(review): the next line is cut off in this listing. The trailing ">"
# looks like an editor's marker for a line that runs past the screen edge, so
# the rest of the value of 'b', its closing quote and the closing brace are
# missing and the script does not parse as shown.
# The visible part of 'b' holds a raw space, "&" and "#": with data=, requests
# form-encodes the dict values, so no manual percent-encoding is needed here.
data={'a':'03ac7b18eea1c8cdac98e2f43bdbba2b','b':'179d5171 189a9751&d671a87f#65>
# Send the dict as a form-encoded POST body
response = requests.post(url, data=data)
# Print the body the server returned
print(response.text)

Challenge 25

# JSON POST with curl: --data makes the request a POST, and the explicit
# Content-Type header tells the server to parse the body as JSON rather than
# as form data. "value1" looks like a placeholder for the challenge value.
curl --header 'Content-Type: application/json' --data '{"a":"value1"}' localhost

Challenge 26

echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nContent-Length: 40\r\n\r\n{\"a\":\"142c3c13b4bfc8da044d69998d75da0d\"}\r\n" | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.8.10
Date: Wed, 31 Jul 2024 15:17:30 GMT
Content-Length: 58
Server: pwn.college
Connection: close

pwn.college{co1WKjSkwNrExurzl1L7UHonZ5p.dNTOyMDL5QTM2QzW}

Challenge 27

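import requests

# Target of the JSON POST; this script sets no custom headers.
url = 'http://localhost'

data = {'a': '3d33683d50e6291b6fdb74f3cb5f9927'}

# json= serializes the dict to a JSON body and sets
# Content-Type: application/json, unlike data=, which form-encodes it.
# timeout= bounds the wait; without it requests blocks indefinitely when the
# server accepts the connection but never answers.
response = requests.post(url, json=data, timeout=10)

# Show the body the server returned.
print(response.text)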

Challenge 28

# JSON POST with a nested object and an array. Inside a JSON string the space,
# "&" and "#" are ordinary characters and need no percent-encoding; the single
# quotes keep the shell from touching the payload. --data already makes curl
# send a POST, so no explicit method option is needed.
curl --header 'Content-Type: application/json' \
     --data '{"a": "dc7f7f3347fdb41e5c5823ac1793495b", "b": {"c": "361b9f79", "d": ["9d33c82d", "7bbb9b0e 28c1d450&25ff1c63#ad0888bc"]}}' \
     localhost

Challenge 29

echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nContent-Length: 125\r\n\r\n{\"a\": \"f4526161060c8cc0ed658b71c7bc5dd2\", \"b\": {\"c\": \"1f0da1fe\", \"d\": [\"86d7ab98\", \"8df6fc66 a482ffe5&347ce851#80bb9423\"]}}\r\n" | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.11.9
Date: Thu, 01 Aug 2024 17:09:24 GMT
Content-Length: 58
Server: pwn.college
Connection: close

pwn.college{MvnBatKEB_M0OUIiXu_H0qrECBk.dZTOyMDL5QTM2QzW}

Challenge 30

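import requests

# Target of the JSON POST; this script sets no custom headers.
url = 'http://localhost'

# Nested payload: "b" is an object holding a string and a list of strings.
# The space, "&" and "#" in the last string are plain characters inside a
# JSON string and are sent unescaped.
data = {
    "a": "8c5402a42040dda391e23b48c0a650b2",
    "b": {
        "c": "ebf001fe",
        "d": ["023b07b0", "b6003939 e92a012a&9a2a763c#02944590"]
    }
}

# json= serializes the dict and sets Content-Type: application/json.
# timeout= bounds the wait; without it requests blocks indefinitely when the
# server accepts the connection but never answers.
response = requests.post(url, json=data, timeout=10)

# Show the body the server returned.
print(response.text)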

Challenge 31

Challenge 32

Challenge 33

Challenge 34

Challenge 35

Challenge 36

Challenge 37

The -b and -c parameters in curl are used to handle cookies:

  • -b or --cookie: This option sends cookies with the HTTP request. Its argument is either the cookies themselves, passed directly as name=value pairs, or the name of a file containing the cookies to send; curl treats an argument without "=" as a file name.

  • -c or --cookie-jar: This option specifies the file where cookies received from the server should be saved after the request is completed.

Challenge 38

#!/bin/bash

# Loop bookkeeping: the state number shown in the log and the cookie that is
# sent back to the server (empty until a response sets one).
state=0
cookie=

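# Send one "GET /" to localhost:80 over a raw TCP connection and print the
# whole response (status line, headers and body) on stdout. When the global
# $cookie is non-empty it is sent back in a Cookie header.
make_request() {
    local cookie_header=""
    if [ -n "$cookie" ]; then
        cookie_header="Cookie: $cookie"$'\r\n'
    fi

    # The cookie value is taken from the server's previous response, so it is
    # passed through %s and emitted exactly as received. Building the request
    # with echo -e would expand backslash sequences inside the value: a
    # literal \r\n in a cookie would turn into a real line break and add a
    # header line to the request.
    printf 'GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n%s\r\n' \
        "$cookie_header" | nc localhost 80
}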

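# Parse one raw HTTP response (passed as $1) and update the globals $state
# and $cookie from it.
extract_state_and_cookie() {
    local new_state new_cookie
    response="$1"

    # First "state: N" occurrence; head keeps the result to a single line even
    # if the text matches more than once.
    new_state=$(echo "$response" | grep -oP '(?<=state: )\d+' | head -n 1)

    # name=value part of the first Set-Cookie header. Attributes after ";" are
    # left out, and so is the CR that ends an HTTP header line.
    new_cookie=$(echo "$response" | grep -oP '(?<=Set-Cookie: )[^;\r]+' | head -n 1)

    state=$new_state

    # A response without Set-Cookie does not mean the cookie is gone: keep the
    # one already held, as a cookie jar would, instead of blanking it.
    if [ -n "$new_cookie" ]; then
        cookie=$new_cookie
    fi
}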

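# Request loop: each pass sends back the cookie from the previous response, so
# the server-side state advances one step per request.
while true; do
    echo "Making request with state: $state..."

    # Send the request, then pull the state number and cookie out of the reply
    response=$(make_request)
    extract_state_and_cookie "$response"

    # Log the raw response and the values parsed from it
    echo "Response: $response"
    echo "Current State: $state"
    echo "Cookie: $cookie"

    # Stop once the response carries the flag instead of polling forever.
    if [[ "$response" == *"pwn.college{"* ]]; then
        break
    fi

    # Expected next state, used only for the log line at the top of the loop;
    # extract_state_and_cookie overwrites it from the next response.
    state=$((state + 1))

    # Short pause between requests to avoid rapid polling
    sleep 1
done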

Challenge 39

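import requests as r

host = "http://127.0.0.1/"

# A Session keeps a cookie jar: every cookie the server sets is stored and
# sent back on the following requests, which is what the chain of four GETs
# relies on. Handing response.cookies from one call to the next by hand drops
# the cookie as soon as one response does not set it again.
with r.Session() as session:
    for _ in range(4):
        # timeout= bounds the wait; without it requests blocks indefinitely
        # when the server accepts the connection but never answers.
        response = session.get(host, timeout=10)

# Print the body of the fourth response
print(response.text)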
