# PWN.COLLEGE Talking Web

### Challenge 1

<figure><img src="/files/rjo2mJpAWsTkZ9mvSmVB" alt=""><figcaption></figcaption></figure>

### Challenge 2

<figure><img src="/files/ZyiD8j9LeJ99tqJk53hc" alt=""><figcaption></figcaption></figure>

### Challenge 3

<figure><img src="/files/EWE7kh6tA7fKghmIC1Yd" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eD7wruofWocI2pEsZ1bv" alt=""><figcaption></figcaption></figure>

### Challenge 4

<figure><img src="/files/TksTDgANGJZoKnHoxoks" alt=""><figcaption></figcaption></figure>

### Challenge 5

<figure><img src="/files/P7oI7fTdbCKfzUnSFry0" alt=""><figcaption><p>Press Enter twice after the Host line; the blank line ends the request headers</p></figcaption></figure>

### Challenge 6

<figure><img src="/files/qguDcsOf26d0A2ZE0taZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/WVRCiJM80BxAe5OTKMR2" alt=""><figcaption></figcaption></figure>

### Challenge 7

<figure><img src="/files/HLP953VwHoRo3UsQ07un" alt=""><figcaption></figcaption></figure>

### Challenge 8

<figure><img src="/files/Oustv4EoxrXvlGmC5TOC" alt=""><figcaption></figcaption></figure>

### Challenge 9

<figure><img src="/files/LUV9dtbjZVqZaBSlqWMS" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xx5ZdTTjOqzKoVoHORlx" alt=""><figcaption></figcaption></figure>

### Challenge 10

<figure><img src="/files/Ro9XFXmOfXExENyi4uZm" alt=""><figcaption></figcaption></figure>

### Challenge 11

<figure><img src="/files/IXovdjauSGUOMopakfVi" alt=""><figcaption></figcaption></figure>

### Challenge 12

<figure><img src="/files/4H4k6oOFGt0X2Ru425hw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/jInNZ2ZNu6QIMMP025HM" alt=""><figcaption></figcaption></figure>

### Challenge 13

<figure><img src="/files/Ua7DdfDVwV3070pJEyw1" alt=""><figcaption></figcaption></figure>

### Challenge 14

<figure><img src="/files/ASoEiE8PN5klCgmMLoRU" alt=""><figcaption></figcaption></figure>

### Challenge 15

<figure><img src="/files/vlVnO4iOHC8zLYkpnKvy" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Nmr8qSDlfw6ofH5KYzqe" alt=""><figcaption></figcaption></figure>

### Challenge 16

<figure><img src="/files/noPlKwaeyMkv1lDMOKHe" alt=""><figcaption><p>URL-encode &#x26;, space and % in argument b</p></figcaption></figure>

### Challenge 17

<figure><img src="/files/LA22a0XX2qX6mjKpsqhb" alt=""><figcaption></figcaption></figure>

### Challenge 18

```
import requests

# Define the URL and headers
url = 'http://localhost?a=5c058979bd37fb3503512c58bd11c8b6&b=2ea09e1b%20c567af01%26b7e9b6c5%239a51c800'
headers = {
    'Host': '48f80bbb6183538f3d323f99d7c397fb'
}

# Send the GET request
response = requests.get(url, headers=headers)

# Print the response
print(response.text)
```

<figure><img src="/files/E4tRcKRgyHfPGEAyZNRs" alt=""><figcaption></figcaption></figure>

### Challenge 19

<figure><img src="/files/kAOVtnadCPxXMBTzXHQI" alt=""><figcaption><p>-d is used to send form data</p></figcaption></figure>

### Challenge 20

```
echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\na=eeb6c038eac69a4a652014ff7dabc2a8\r\n" | nc localhost 80
```

<figure><img src="/files/9sremzpDG0Wp620sqVlc" alt=""><figcaption></figcaption></figure>

### Challenge 21

```
import requests

# Define the URL and headers
url = 'http://localhost'

data={'a':'670e4fa6103d6c493ad241b2959c0ace'}
# Send the POST request
response = requests.post(url, data=data)
# Print the response
print(response.text)
```

<figure><img src="/files/1r9mpPq6Da4Q383GmkE9" alt=""><figcaption></figcaption></figure>

### Challenge 22

```
curl localhost -d'a=09084bc0ced7092b5b25fa997bf48df8&b=e3cc5d01%202802266d%2696574197%23ee3d8e3b'
```

<figure><img src="/files/cVqheG1nBDWxrpwJhE1D" alt=""><figcaption></figcaption></figure>

### Challenge 23

```
hacker@talking-web~level23:~$ echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 78\r\n\r\na=34418b28c1bd8f7875b9ea814fe8910f&b=712c2671%208187e24d%2639f2bac0%2399e800dc\r\n" | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.8.10
Date: Wed, 31 Jul 2024 14:54:11 GMT
Content-Length: 58
Server: pwn.college
Connection: close

pwn.college{k0i2uG0ghQ2XEvZQJLcm85lmPMG.dBTOyMDL5QTM2QzW}
```

<figure><img src="/files/vJf4r94vpmBAa4bsHkei" alt=""><figcaption></figcaption></figure>

### Challenge 24

```
import requests

# Define the URL and headers
url = 'http://localhost'

data = {'a': '03ac7b18eea1c8cdac98e2f43bdbba2b', 'b': '179d5171 189a9751&d671a87f#65…'}  # 'b' is cut off in the original capture
# Send the POST request
response = requests.post(url, data=data)
# Print the response
print(response.text)
```

<figure><img src="/files/BuG72F6Yy7RA6Kt4GezS" alt=""><figcaption><p>No need to URL-encode manually</p></figcaption></figure>

<figure><img src="/files/H4FjsyW2VWJd9lST2f3V" alt=""><figcaption></figcaption></figure>

### Challenge 25

```
curl -H "Content-Type: application/json" -d '{"a":"value1"}' localhost
```

<figure><img src="/files/PApsBfhAcOQlHseynRwc" alt=""><figcaption></figcaption></figure>

### Challenge 26

```
echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nContent-Length: 40\r\n\r\n{\"a\":\"142c3c13b4bfc8da044d69998d75da0d\"}\r\n" | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.8.10
Date: Wed, 31 Jul 2024 15:17:30 GMT
Content-Length: 58
Server: pwn.college
Connection: close

pwn.college{co1WKjSkwNrExurzl1L7UHonZ5p.dNTOyMDL5QTM2QzW}
```

<figure><img src="/files/01UGKIS6vqTqxSmtZlgz" alt=""><figcaption></figcaption></figure>

### Challenge 27

```
import requests

# Define the URL and headers
url = 'http://localhost'

data={'a':'3d33683d50e6291b6fdb74f3cb5f9927'}
# Send the POST request
response = requests.post(url, json=data)
# Print the response
print(response.text)
```

<figure><img src="/files/wbgT4jEUYpudI6JQsczq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/zKnnK5qazpUC7QXt3gTD" alt=""><figcaption></figcaption></figure>

### Challenge 28

```
curl -X POST localhost -H "Content-Type: application/json" -d '{"a": "dc7f7f3347fdb41e5c5823ac1793495b", "b": {"c": "361b9f79", "d": ["9d33c82d", "7bbb9b0e 28c1d450&25ff1c63#ad0888bc"]}}'
```

<figure><img src="/files/yqHyGjoosT79yOshvZm2" alt=""><figcaption></figcaption></figure>

### Challenge 29

```
echo -e "POST / HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nContent-Length: 125\r\n\r\n{\"a\": \"f4526161060c8cc0ed658b71c7bc5dd2\", \"b\": {\"c\": \"1f0da1fe\", \"d\": [\"86d7ab98\", \"8df6fc66 a482ffe5&347ce851#80bb9423\"]}}\r\n" | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.3 Python/3.11.9
Date: Thu, 01 Aug 2024 17:09:24 GMT
Content-Length: 58
Server: pwn.college
Connection: close

pwn.college{MvnBatKEB_M0OUIiXu_H0qrECBk.dZTOyMDL5QTM2QzW}
```

<figure><img src="/files/0ycE1kQpAjLgFaxV17MR" alt=""><figcaption></figcaption></figure>
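The `nc` requests in Challenges 20, 23, 26 and 29 carry a hand-counted `Content-Length`. The sketch below is an added example, not part of the original notes: it builds the same raw requests and derives the length from the encoded body. The helper names (`build_post`, `form_post`, `json_post`, `declared_length`) are illustrative.

```python
import json
from urllib.parse import quote, urlencode


def build_post(host, body, content_type):
    """Raw HTTP/1.1 POST bytes; Content-Length is computed from the body."""
    payload = body.encode("utf-8")
    head = (
        "POST / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(payload)}\r\n"
        "\r\n"  # empty line: end of headers
    )
    return head.encode("ascii") + payload


def form_post(host, fields):
    # quote_via=quote encodes a space as %20; the default (quote_plus) emits '+'
    body = urlencode(fields, quote_via=quote)
    return build_post(host, body, "application/x-www-form-urlencoded")


def json_post(host, obj, separators=(",", ":")):
    # compact separators by default; pass (", ", ": ") for the spaced form
    return build_post(host, json.dumps(obj, separators=separators), "application/json")


def declared_length(raw):
    """Return Content-Length from a raw request; raise if it disagrees with the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            if int(value) != len(body):
                raise ValueError(f"declared {int(value)}, body is {len(body)} bytes")
            return int(value)
    raise ValueError("no Content-Length header")


if __name__ == "__main__":
    # field values copied from the Challenge 23 command on this page
    req = form_post("localhost", {"a": "34418b28c1bd8f7875b9ea814fe8910f",
                                  "b": "712c2671 8187e24d&39f2bac0#99e800dc"})
    print(req.decode(), declared_length(req), sep="\n")
```

For the Challenge 29 JSON body this computes 123 bytes; the 125 declared in that command also counts the `\r\n` placed after the body.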

### Challenge 30

```
import requests

# Define the URL and headers
url = 'http://localhost'
data = {
    "a": "8c5402a42040dda391e23b48c0a650b2", 
    "b": {
        "c": "ebf001fe", 
        "d": ["023b07b0", "b6003939 e92a012a&9a2a763c#02944590"]
    }
}

# Send the POST request
response = requests.post(url, json=data)

# Print the response
print(response.text)

```

<figure><img src="/files/mpquMbaHuKSS7ZvTDiXg" alt=""><figcaption></figcaption></figure>

### Challenge 31

<figure><img src="/files/h8xZ1eazQYO7KPO5iorm" alt=""><figcaption><p>Use the -L option (follow redirects)</p></figcaption></figure>

### Challenge 32

<figure><img src="/files/Ijudem55yvcdq8Ef9PeU" alt=""><figcaption><p>Manually make two requests</p></figcaption></figure>

### Challenge 33

<figure><img src="/files/lYoGQwsFw61mekOoKl0R" alt=""><figcaption><p>Python handles redirects automatically</p></figcaption></figure>

### Challenge 34

<figure><img src="/files/vFkd2V20eQhqAedEflFc" alt=""><figcaption><p>First, inspect the header to get the cookie value</p></figcaption></figure>

<figure><img src="/files/wwofw4EwRLo8QksOeg0G" alt=""><figcaption><p>Now set the cookie</p></figcaption></figure>

### Challenge 35

<figure><img src="/files/bMMDcjGHwfCrXHMqhrKs" alt=""><figcaption><p>You do need to set the host</p></figcaption></figure>

<figure><img src="/files/h2Da1NgaxDp7teP3rl4P" alt=""><figcaption></figcaption></figure>

### Challenge 36

<figure><img src="/files/UIFn8dsVPhgWnpfvd3lt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/4sF2knUommhJCocuJxTs" alt=""><figcaption></figcaption></figure>

### Challenge 37

<figure><img src="/files/xIGVK9ymwwtRXmEloP9o" alt=""><figcaption></figcaption></figure>

The `-b` and `-c` parameters in `curl` are used to handle cookies:

* `-b` or `--cookie`: This option specifies the file containing the cookies to be sent with the HTTP request. It can also be used to pass cookies directly in the request.
* `-c` or `--cookie-jar`: This option specifies the file where cookies received from the server should be saved after the request is completed.
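The load, send and save cycle that `-b` and `-c` give curl, shown as an added Python example that is not part of the original notes; `MozillaCookieJar` reads and writes the same Netscape cookies.txt format curl uses for its cookie file. Assumptions: `StateHandler` is a constructed stand-in server on an ephemeral 127.0.0.1 port that advances a `state` cookie, and `fetch_with_jar` and `run_demo` are illustrative names.

```python
import http.server
import os
import tempfile
import threading
from http.cookiejar import MozillaCookieJar
from urllib.request import HTTPCookieProcessor, ProxyHandler, build_opener


class StateHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in server: bumps a 'state' cookie on every GET."""
    def do_GET(self):
        sent = dict(p.strip().split("=", 1)
                    for p in self.headers.get("Cookie", "").split(";") if "=" in p)
        state = int(sent.get("state", "0")) + 1
        body = f"state: {state}\n".encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"state={state}; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def fetch_with_jar(url, jar_path):
    """One GET that behaves like `curl -b jar_path -c jar_path url`."""
    jar = MozillaCookieJar(jar_path)
    if os.path.exists(jar_path):
        jar.load(ignore_discard=True)   # -b: send the cookies stored in the file
    opener = build_opener(ProxyHandler({}), HTTPCookieProcessor(jar))
    with opener.open(url) as resp:
        text = resp.read().decode()
    jar.save(ignore_discard=True)       # -c: write received cookies to the file
    return text.strip()


def run_demo(rounds=4):
    server = http.server.HTTPServer(("127.0.0.1", 0), StateHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/"
    jar_path = os.path.join(tempfile.mkdtemp(), "cookies.txt")
    try:
        return [fetch_with_jar(url, jar_path) for _ in range(rounds)]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

`ignore_discard=True` is needed because the cookie has no expiry: it is a session cookie, which `MozillaCookieJar` skips on save and load by default.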

### Challenge 38

```
#!/bin/bash

# Initialize the state and cookie
state=0
cookie=""

# Function to make an HTTP request and capture the response
make_request() {
    request="GET / HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n"
    if [ -n "$cookie" ]; then
        request+="Cookie: $cookie\r\n"
    fi
    request+="\r\n"

    response=$(echo -e "$request" | nc localhost 80)
    echo "$response"
}

# Function to extract the state and cookie from the response
extract_state_and_cookie() {
    response="$1"
    state=$(echo "$response" | grep -oP '(?<=state: )\d+')
    cookie=$(echo "$response" | grep -oP '(?<=Set-Cookie: )[^;]+')
}

# Infinite loop to handle stateful interactions
while true; do
    echo "Making request with state: $state..."
    
    # Make the request and capture the response
    response=$(make_request)
    
    # Extract the state and cookie from the response
    extract_state_and_cookie "$response"
    
    # Print the response, current state, and cookie
    echo "Response: $response"
    echo "Current State: $state"
    echo "Cookie: $cookie"
    
    # Increment the state
    state=$((state + 1))
    
    # Sleep for a short time before the next request to avoid rapid polling (optional)
    sleep 1
done

```

<figure><img src="/files/7xbGm9bxKSmDfN1zBxPA" alt=""><figcaption></figcaption></figure>

### Challenge 39

```
import requests as r

host = "http://127.0.0.1/"

# First request
response1 = r.get(host)
cookie1 = response1.cookies

# Second request using cookies from the first response
response2 = r.get(host, cookies=cookie1)
cookie2 = response2.cookies

# Third request using cookies from the second response
response3 = r.get(host, cookies=cookie2)
cookie3 = response3.cookies

# Fourth request using cookies from the third response
response4 = r.get(host, cookies=cookie3)
cookie4 = response4.cookies 

# Print the response of the fourth request
print(response4.text)

```

<figure><img src="/files/YZyIajiy3jwsc7B0LhGM" alt=""><figcaption></figcaption></figure>

