## curl

The challenge mentions "HEAD", so use `curl --help all` to see which options are available:

```
<omitted>
 -I, --head                  Show document info only
 -H, --header <header/@file> Pass custom header(s) to server
 -h, --help <category>       Get help for commands
     --hostpubmd5 <md5>      Acceptable MD5 hash of the host public key
     --hostpubsha256 <sha256> Acceptable SHA256 hash of the host public key
     --hsts <file name>      Enable HSTS with this cache file
     --http0.9               Allow HTTP 0.9 responses
 -0, --http1.0               Use HTTP 1.0
     --http1.1               Use HTTP 1.1
     --http2                 Use HTTP 2
     --http2-prior-knowledge Use HTTP 2 without HTTP/1.1 Upgrade
     --http3                 Use HTTP v3
     --http3-only            Use HTTP v3 only
     --ignore-content-length Ignore the size of the remote resource
 -i, --include               Include protocol response headers in the output
<omitted>
```

**Note!** Only the uppercase `-I` shows the head (document info); the lowercase `-i` is "Include protocol response headers in the output".

```
┌──(kali㉿kali)-[~]
└─$ curl -I http://mercury.picoctf.net:47967/index.php
HTTP/1.1 200 OK
flag: picoCTF{r3j3ct_th3_du4l1ty_cca66bd3}
Content-type: text/html; charset=UTF-8
```

## burpsuite

The challenge description says there are two or more kinds of request, the challenge contains HEAD, and the hint mentions burpsuite. After sending the traffic to burpsuite and poking around, you can see that red uses GET and blue uses POST. Looking through the other HTTP request methods turns up the HEAD method ([ref](https://notfalse.net/45/http-head-put-delete)).

Send the request from proxy to repeater, change GET or POST to HEAD, and press send to get the response that contains the flag.