Holiday Hack 2024: cURLing

• Holiday Hack 2024
• 0️⃣ Prologue
• Elf Connect
• Elf Minder 9000
• 1️⃣ Act 1
• cURLing
• Frosty Keypad
• Hardware Hacking 101
• 2️⃣ Act 2
• Mobile Analysis
• Drone Path
• PowerShell
• Snowball Showdown
• Microsoft KC7
• 3️⃣ Act 3
• Santa Vision
• Elf Stack
• Frostbit

Introduction

To the left of center of the front yard is Bow Ninecandle next to a curling sheet:

He’s excited about the curl command line utility for interacting with HTTP servers:

Bow Ninecandle

Well hello there! I’m Bow Ninecandle, bright as a twinkling star! Everyone’s busy unpacking, but I’ve grown quite bored of that. Care to join me for a lovely game?

Oh Joy! Today, We’re diving into something delightful: the curling challenge—without any ice, but plenty of sparkle!

No icy brooms here though! We’re all about Curl, sending web requests from the command line like magic messages.

So, have you ever wielded Curl before? If not, no worries at all, my friend!

It’s this clever little tool that lets you whisper directly to web servers. Pretty neat, right?

Think of it like sending secret scrolls through the interwebs, awaiting a wise reply!

To begin, you can type something like curl https://example.com. Voilà! The HTML of the page appears, like conjuring a spell!

Simple enough, huh? But oh, there’s a whole world of magic you can cast with Curl!

We’re just brushing the surface here, but trust me—it’s a hoot and a half!

If you get tangled up or need help, just give me a shout! I’m here to help you ace this curling spectacle.

So, are you ready to curl those web requests like a pro? Let’s see your magic unfold!

cURLing

This terminal involves following a series of instructions to get the silver and then gold solution. I’ll walk through each in detail in this video:

Silver

The commands run for each challenge are as follows:

1. Unlike the defined standards of a curling sheet, embedded devices often have web servers on non-standard ports. Use curl to retrieve the web page on host “curlingfun” port 8080.

   curl curlingfun:8080

2. Embedded devices often use self-signed certificates, where your browser will not trust the certificate presented. Use curl to retrieve the TLS-protected web page at https://curlingfun:9090/.

   curl -k https://curlingfun:9090

3. Working with APIs and embedded devices often requires making HTTP POST requests. Use curl to send a request to https://curlingfun:9090/ with the parameter “skip” set to the value “alabaster”, declaring Alabaster as the team captain.

   curl -k https://curlingfun:9090/ -d 'skip=alabaster'

4. Working with APIs and embedded devices often requires maintaining session state by passing a cookie. Use curl to send a request to https://curlingfun:9090/ with a cookie called “end” with the value “3”, indicating we’re on the third end of the curling match.

   curl -k https://curlingfun:9090/ -b 'end=3'

5. Working with APIs and embedded devices sometimes requires working with raw HTTP headers. Use curl to view the HTTP headers returned by a request to https://curlingfun:9090/.

   curl -k https://curlingfun:9090/ -v

6. Working with APIs and embedded devices sometimes requires working with custom HTTP headers. Use curl to send a request to https://curlingfun:9090/ with an HTTP header called “Stone” and the value “Granite”.

   curl -k https://curlingfun:9090/ -H "Stone: Granite"

7. curl will modify your URL unless you tell it not to. For example, use curl to retrieve the following URL containing special characters: https://curlingfun:9090/../../etc/hacks.

   curl -k https://curlingfun:9090/../../etc/hacks --path-as-is

With that, I’ve got the silver solution.

Gold

In alabaster user’s home directory there’s a HARD-MODE.txt file:

alabaster@curlingfun:~$ ls
HARD-MODE.txt  HELP
alabaster@curlingfun:~$ cat HARD-MODE.txt 
Prefer to skip ahead without guidance?  Use curl to craft a request meeting these requirements:

- HTTP POST request to https://curlingfun:9090/
- Parameter "skip" set to "bow"
- Cookie "end" set to "10"
- Header "Hack" set to "12ft"

I’ll send that request, using -d to specify parameters (and make it default to POST request), -b to set a cookie, and -H to set a header:

alabaster@curlingfun:~$ curl -k https://curlingfun:9090/ -d 'skip=bow' -b 'end=10' -H "Hack: 12ft"
Excellent!  Now, use curl to access this URL: https://curlingfun:9090/../../etc/button

The next challenge requires a directory traversal, so I’ll need the --path-as-is flag:

alabaster@curlingfun:~$ curl -k https://curlingfun:9090/../../etc/button --path-as-is
Great!  Finally, use curl to access the page that this URL redirects to: https://curlingfun:9090/GoodSportsmanship

Just like above, I can use -I or -v to get a redirection target:

alabaster@curlingfun:~$ curl -k -I https://curlingfun:9090/GoodSportsmanship
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 13 Nov 2024 02:02:51 GMT
Content-Type: text/html
Content-Length: 178
Location: https://curlingfun:9090/SpiritOfCurling.php
Connection: keep-alive

alabaster@curlingfun:~$ curl -k https://curlingfun:9090/SpiritOfCurling.php
Excellent work, you have solved hard mode!  You may close this terminal once HHC grants your achievement.

Outro

Bow is impressed:

Bow Ninecandle

Bravo! Look at you, curling through that like a true web wizard!

You zipped through that challenge faster than a curling stone on enchanted ice!

Wait… did you just slice and dice it all into three commands? My stars, you’re a Curling conjurer!

Alabaster is glad I played:

Alabaster Snowball

cURL-ing sure is fun huh! I bet you made Bow’s day by playing with him. Everyone over here was too busy, and everyone on Wombley’s side just refused to play. I wonder what’s gotten into them.

As is Wombley:

Wombley Cube

Swell idea, playing cURL with Bow. Why don’t you keep doing that.

Even Noel is grateful:

Noel Boetie

Bow asked me to play a round of cURLing with him, but I was just too exhausted. I’m happy someone finally joined him!

« 1️⃣ Act 1Frosty Keypad »