GET aHEAD
- Description: Find the flag being held on this server to get ahead of the competition
- Difficulty: Easy
🔎 Solution
The challenge presents a webpage with two buttons: Choose Red and Choose Blue.
By clicking both and observing the traffic in Burp Suite, we can see that Choose Red triggers a GET request to /index.php?, while Choose Blue sends a POST request to /index.php.

Knowing that HTTP supports several methods such as GET, POST, PUT, and HEAD, and considering the challenge is titled GET aHEAD, the name hints at the HEAD method. HEAD is defined like GET, but the server returns only the response headers, never a body. It is commonly used to check what a GET request would return without transferring the content, which is useful for caching and for checking content type or length. In this case, a handler that branches on the request method but forgets HEAD can send back something in the headers that GET and POST never show.
By sending the GET request to /index.php? to Repeater and changing the HTTP method from GET to HEAD, the server responds with the flag in the headers, confirming this was the intended path to solve the challenge.
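The pattern behind this challenge is a handler that routes GET and POST explicitly and lets every other method fall into a catch-all branch. The example below is added to this writeup and is not the challenge's source: it runs a small local server in two modes, a leaky one whose catch-all branch attaches a constructed `X-Demo-Secret` header (a placeholder, not the real flag), and a hardened one that answers any method it does not route with `405 Method Not Allowed` and an `Allow` header. A client then sends GET, POST and HEAD to each and reports the status, whether the secret header is present, and the body length, so the difference between the two server designs is visible side by side.

```python
"""Method-branching handler with a leaky catch-all, beside a hardened version.
Added demo; the server, header name and secret value are constructed for it."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed placeholder; the real challenge's flag is not used here.
SECRET_NAME, SECRET_VALUE = "X-Demo-Secret", "demo{constructed_value}"


def make_handler(strict):
    """Build a handler class. strict=False mirrors a GET/POST/else branch whose
    catch-all leaks a header; strict=True refuses any method not routed."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _page(self, body):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            if self.command != "HEAD":  # a HEAD response never carries a body
                self.wfile.write(body)

        def _dispatch(self):
            if self.command == "GET":
                self._page(b"<p>You chose red</p>")
            elif self.command == "POST":
                self._page(b"<p>You chose blue</p>")
            elif strict:
                # Hardened: anything not explicitly routed is refused.
                self.send_response(405)
                self.send_header("Allow", "GET, POST")
                self.send_header("Content-Length", "0")
                self.end_headers()
            else:
                # Leaky catch-all: HEAD was never routed, so it lands here
                # and picks up a header that GET and POST never emit.
                self.send_response(200)
                self.send_header(SECRET_NAME, SECRET_VALUE)
                self.send_header("Content-Length", "0")
                self.end_headers()

        do_GET = do_POST = do_HEAD = _dispatch

    return Handler


def start_server(strict):
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(strict))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def send(port, method):
    """Return (status, headers dict, body) for one request to /index.php."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/index.php")
    resp = conn.getresponse()
    body = resp.read()  # empty for HEAD: http.client knows HEAD has no body
    conn.close()
    return resp.status, dict(resp.getheaders()), body


def run_demo(strict):
    """Send GET, POST and HEAD to one server; return results keyed by method."""
    srv = start_server(strict)
    port = srv.server_address[1]
    try:
        return {m: send(port, m) for m in ("GET", "POST", "HEAD")}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for strict in (False, True):
        print("hardened server" if strict else "leaky server")
        for method, (status, headers, body) in run_demo(strict).items():
            print(f"  {method:4} -> {status}, secret header present: "
                  f"{SECRET_NAME in headers}, body bytes: {len(body)}")
```

The defensive takeaway is in the `strict` branch: route every method you intend to support explicitly, treat HEAD as GET-without-body, and reject anything else with 405 rather than letting it reach a default branch that was written with only the two buttons in mind.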

🚩 Flag
picoCTF{r3j3ct_th3_du4l1ty_2e5ba39f}