## PicoCTF 2021 - GET aHEAD

:::info
:bulb: This is a writeup for the GET aHEAD challenge in PicoCTF.
:::

### :eight_spoked_asterisk: The Challenge

Find the flag being held on this server to get ahead of the competition http://mercury.picoctf.net:15931/

### :mag_right: Breakdown

<p>
Clicking on the instance link, we are redirected to a website with two buttons that change the website background to red and blue respectively.
</p>

![Screenshot 2024-03-05 at 6.30.55 PM](https://hackmd.io/_uploads/r1-ur8STa.png)

<p>
The challenge name suggests something to do with HTTP methods since the words GET and HEAD are emphasized.
</p>

### :mag_right: Some notes on HTTP Methods

<p>
The Hypertext Transfer Protocol (HTTP) works as a request-response protocol between a client and server. Example: A client (browser) sends an HTTP request to the server; then the server returns a response to the client. The response contains status information about the request and may also contain the requested content.
</p>

<p>
The set of HTTP methods is given by: GET, POST, PUT, HEAD, DELETE, PATCH, OPTIONS, CONNECT, TRACE
</p>

<p>
GET is used to request data from a specified resource.
</p>

<p>
POST is used to send data to a server to create/update a resource.
</p>

<p>
HEAD is almost identical to GET, but without the response body. In other words, if GET /users returns a list of users, then HEAD /users will make the same request but will not return the list of users. It is useful for checking what a GET request will return before actually making a GET request - a HEAD request can read the Content-Length header to check the size of the file, without actually downloading the file.
</p>

### :mag_right: Solution

Use the command line to enter

![Screenshot 2024-03-05 at 6.47.16 PM](https://hackmd.io/_uploads/SJ9HKIHa6.png)

### :triangular_flag_on_post: The Flag!!

Running the shell command, we get the flag

:::spoiler
picoCTF{r3j3ct_th3_du4l1ty_82880908}
:::
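
### :mag_right: Added example: checking that HEAD matches GET

The HEAD/GET relationship from the notes on HTTP methods above, as an added example that is not part of the original writeup: a local test server and a check that HEAD returns the same status and headers as GET with an empty body. The page body, the `X-Debug` header, and all handler and function names are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

BODY = b"<html><body>constructed sample page</body></html>"  # constructed content

class Handler(BaseHTTPRequestHandler):
    extra_head_headers = {}  # headers sent only on HEAD (none when well-behaved)

    def _send_headers(self, extra=None):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(BODY)))
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(BODY)

    def do_HEAD(self):
        # HEAD: same status line and headers as GET, but no body is written
        self._send_headers(self.extra_head_headers)

    def log_message(self, *args):  # keep the demo output quiet
        pass

class DivergentHandler(Handler):
    # Hypothetical misbehaving route: HEAD exposes a header that GET never sends
    extra_head_headers = {"X-Debug": "constructed-value"}

def fetch(port, method):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/")
    resp = conn.getresponse()
    result = (resp.status, dict(resp.getheaders()), resp.read())
    conn.close()
    return result

def compare_head_and_get(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free local port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        gs, gh, gb = fetch(server.server_port, "GET")
        hs, hh, hb = fetch(server.server_port, "HEAD")
    finally:
        server.shutdown()
        server.server_close()
    # Date may tick between the two requests, so it is excluded from the diff
    diff = sorted(k for k in set(gh) | set(hh) if k != "Date" and gh.get(k) != hh.get(k))
    return {"same_status": gs == hs, "get_body": len(gb), "head_body": len(hb),
            "content_length": int(hh["Content-Length"]), "header_diff": diff}
```

A non-empty `header_diff` marks a route whose HEAD handler does not mirror its GET handler, which is worth reviewing in any application that implements the two methods separately.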