Note: The notes below were taken while I was solving the lab for the first time. I have simplified the steps while recording the above video. Please check out the above video for the simplified methods.
pwn.college is an online platform that offers training modules for cybersecurity professionals. It helps students and others learn about and practice core cybersecurity concepts.
Pwn.college is an education platform for students (and other interested parties) to learn about, and practice, core cybersecurity concepts in a hands-on fashion. In martial arts terms, it is designed to take a “white belt” in cybersecurity to becoming a “blue belt”, able to approach (simple) CTFs and wargames. Our philosophy is “practice makes perfect”.
The platform is maintained by an awesome team of hackers at Arizona State University. It powers much of ASU’s cybersecurity curriculum, and is open, for free, to participation for interested people around the world!
curl localhost
nc -v localhost 80
GET /flag
#Hit Enter
import requests
host = "http://127.0.0.1:80/flag"
r = requests.get(host)
print(r.text)
python3 FILE_NAME.py
curl localhost/flag -H 'Host: a704cd4f0bc3b6bc9ac864fe113514b1'
echo -e "GET /flag HTTP/1.1\r\nHost: 54b7ada9efe2fe3bad7818b1b5a65330\r\n\r\n" | nc localhost 80
import requests
host = "http://127.0.0.1:80/flag"
h = {"Host": "f9e84c83115d25e09d53f13b00f4b75c"}
r = requests.get(host, headers=h)
print(r.text)
curl localhost/080c932e13d03e058d2b155137c18566
nc -n 127.0.0.1 80
GET /cefdb209b8626deae1dda7f9345a1921
#Enter once or twice
import requests
host = "http://127.0.0.1:80/192ecb96a6926ef8db5265754ff334fa"
r = requests.get(host)
print(r.text)
curl localhost/a2d76052%203d8ec7ef/a39b0452%203b09476f
nc localhost 80
GET /91745e5b%20062f7450/b35217c4%20ee8a47a6
#Enter once or twice
import requests
import urllib.parse as ur
host = "http://127.0.0.1:80"
path = "/06221968 f84898ac/550a8f31 b98e1531"
url = host + ur.quote(path)  # quote() keeps '/' but encodes the spaces as %20
r = requests.get(url)
print(r.text)
curl localhost/?a=902e04fc41165df2b3063fa33beb719a
nc localhost 80
GET /?a=f55b073fec2c283dd7f3260a3c57b639
#Enter once or twice
import requests
host = "http://127.0.0.1:80"
path = "/?a=1e30afba5cc53eaade2ce97b7adadad3"
url = host + path
r = requests.get(url)
print(r.text)
Use this Python one-liner to URL-encode a string:
python -c "import urllib.parse as ur; print(ur.quote('paste_the_string_here_to_encode'))"
curl "localhost/?a=853ce33c75fc30dc48a18b65283d786d&b=71daf681%20827086cf%2618e2b48f%23a2b688c5"
nc localhost 80
GET /?a=2d3ce1c448e6f20c37e54ff246b39ca9&b=f1168950%204023f362%2619f2731f%23dcc53871
import requests
import urllib.parse as up
host = "http://127.0.0.1:80/?"
param1 = "a=ba4be4f0151557d70982e1951bd527a8"
param2 = "aa18b72a 11bac7d6&aea36aef#3f272df1"
url = host + param1 + '&b=' + up.quote(param2)  # encodes ' ', '&' and '#' so b stays one parameter
print("Encoded Url:" + url)
r = requests.get(url)
print(r.text)
Encoded Url: http://127.0.0.1:80/?a=ba4be4f0151557d70982e1951bd527a8&b=aa18b72a11bac7d6%26aea36aef%233f272df1
curl -X POST localhost -d "a=1f94c790004da233114828d18b9f3dc8"
echo -e "POST / HTTP/1.1\r\nContent-Length: 34\r\n\r\na=73f470c86a0c774d9f2bc9aed94b9fd0" | nc 127.0.0.1 80
import requests as r
host = "http://127.0.0.1:80/"
data = {"a": "8725d8fe3190da3dfd42e8016b1582ef"}
response = r.post(host, data)
print(response.text)
curl -X POST "localhost" -d "a=e66c5d0674fd628190e194f84a79e5f6" -d "b=424a3732%2062c3f72b%26047ddf89%23efc2a88b"
Content-Length is important: it must equal the byte length of the body. The \r before each \n is not important; this server accepts bare \n line endings.
echo -e "POST / HTTP/1.0\nHost: 127.0.0.1\nContent-Length: 74\nContent-Type: application/x-www-form-urlencoded\n\na=e460a465c39581ea2b9ed927da9fc1c7&b=465b23dd 4175a51f%261264b27d#fe30c862" | nc localhost 80
Or save the request below in a file, e.g. request, and send it with: cat request | nc localhost 80
POST / HTTP/1.0
Host: 127.0.0.1
Content-Length: 74
Content-Type: application/x-www-form-urlencoded

a=e460a465c39581ea2b9ed927da9fc1c7&b=465b23dd 4175a51f%261264b27d#fe30c862
import requests as r
host = "http://127.0.0.1:80/"
data = {
    "a": "e4c285ef8bd95dd0e8fb6e3d3956652f",
    "b": "8dac482c 3c8dc902&68fe868d#1e2c37d6"
}
res = r.post(host, data)  # requests form-encodes the dict and sets Content-Length itself
print(res.text)
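As an added example (not from the original notes), the following Python builds the raw form POST from a dict: it percent-encodes the values so that '&', '#' and spaces do not break a parameter apart, the problem from the query-string level above, and computes Content-Length from the encoded body, the point made for this level. The host, path and sample values are placeholders.

```python
import sys
from urllib.parse import quote

def encode_query(params):
    """Percent-encode a dict into key=value pairs joined by '&'.

    quote(..., safe="") also encodes '&', '#' and ' ', so a value that
    contains them stays one parameter instead of being split at '&' or
    cut off at '#' (which a client would otherwise treat as the fragment).
    """
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in params.items())

def build_raw_post(host, path, fields):
    """Bytes of a raw HTTP/1.0 POST with a form body and a correct Content-Length."""
    body = encode_query(fields).encode()
    head = "\r\n".join([
        f"POST {path} HTTP/1.0",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",  # byte count of the body, nothing else
    ])
    return head.encode() + b"\r\n\r\n" + body

if __name__ == "__main__":
    # Constructed sample values (not from the lab), shaped like its a/b parameters
    sample = {"a": "0123456789abcdef0123456789abcdef",
              "b": "1234abcd 5678ef01&aabbccdd#11223344"}
    sys.stdout.buffer.write(build_raw_post("127.0.0.1", "/", sample))
```

Pipe the output straight into nc, e.g. python3 build_post.py | nc localhost 80; for the query-string levels, put encode_query(...) after the ? in the request line instead of in the body.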
Use double quotes for JSON values.
curl -X POST localhost -H 'Content-Type: application/json' -d '{"a":"6d0e19ad4142c65391ab709e3b1e8306"}'
request file
POST / HTTP/1.0
Host: 127.0.0.1
Content-Length: 41
Content-Type: application/json

{"a":"d4c66c7e920fe7b7b1b464a74abcd08b"}
cat request | nc localhost 80
Learn the argument names of the function you call. requests.post() takes the URL as its first argument and json and headers as keyword arguments. Passing json=data serializes the dict as JSON and automatically sets the Content-Type header to application/json.
import requests as r
host = "http://127.0.0.1:80/"
data = {"a": "3b39c5f5fd5b27bf291893f4d8d07797"}
response = r.post(host, json=data)
print(response.text)
curl -X POST localhost -H "Content-Type: application/json" -d '{"a": "5d63c68ec666d8ad27c1e2603d50509f", "b": {"c": "9200d306", "d": ["4e8a42ca", "96ae680f 42fda862&cbbdd048#fe6c0cc7"]}}'
request
POST / HTTP/1.0
Host: 127.0.0.1
Content-Length: 122
Content-Type: application/json

{
"a":"c039fd54b04c973f4db4c05911700aa9",
"b":{"c":"800ed4d2", "d":["c23c3805", "caeb2477 98b0d510&1c4bd996#d2f30b7f"]}
}
import requests as r
host = "http://127.0.0.1:80/"
data = {
    "a": "7ecdee328e44c2e2f32221dbd4eade7e",
    "b": {"c": "04aea63b", "d": ["f2f55fc0", "25fd588e e1ebb16e&e76d7948#93b46a3a"]}
}
response = r.post(host, json=data)
print(response.text)
curl localhost
curl localhost/c7bb792929e2468dbeddac0ae013ca14
hacker@talking-web~level32:~$ nc localhost 80
GET /
<h1>Redirecting...</h1>
<p>You should be redirected to URL: <a href="/e7c84368b9f07201b2a821428b368609">/e7c84368b9f07201b2a821428b368609</a>. If not, click the link.
hacker@talking-web~level32:~$ nc localhost 80
GET /e7c84368b9f07201b2a821428b368609
pwn.college{QwpGa7MUc.....}
import requests as r
host = "http://localhost/"
response = r.get(host)  # requests follows the redirect by default
print(response.text)
curl -X GET -L localhost --cookie "c54cf1108e4d2d80033f84fe768494c9"
GET / HTTP/1.0
Host: 127.0.0.1
GET /flag HTTP/1.0
Host: 127.0.0.1
Cookie: cookie=fb9afec07818525d0090815cb87c03b2
import requests as r
host = "http://127.0.0.1/"
response = r.get(host)  # the cookie set on the redirect is carried to the next request
print(response.text)
curl -X GET http://127.0.0.1:80/request1 --cookie-jar cookies.txt --cookie cookies.txt
curl -X GET http://127.0.0.1:80/request2 --cookie-jar cookies.txt --cookie cookies.txt
curl -X GET http://127.0.0.1:80/request3 --cookie-jar cookies.txt --cookie cookies.txt
curl -X GET http://127.0.0.1:80/request4 --cookie-jar cookies.txt --cookie cookies.txt
request file
GET / HTTP/1.0
Host: 127.0.0.1
Cookie: session=dummy
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 302 FOUND
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:30:02 GMT
Content-Length: 9
Location: /
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6MX0.ZcxP2g.qquwMGlsSuxPJF2laE0kQnP1p7c; HttpOnly; Path=/
Connection: close

state: 1
hacker@talking-web~level38:~$ nano request
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 302 FOUND
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:30:33 GMT
Content-Length: 9
Location: /
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6Mn0.ZcxP-Q.yMzlpS8TkWqH28_o2Gwxgenx-Ts; HttpOnly; Path=/
Connection: close

state: 2
hacker@talking-web~level38:~$
hacker@talking-web~level38:~$ nano request
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 302 FOUND
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:31:09 GMT
Content-Length: 9
Location: /
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6M30.ZcxQHQ.udw6tF3YXZAehG2qFN46UhfyxJI; HttpOnly; Path=/
Connection: close

state: 3
hacker@talking-web~level38:~$ nano request
hacker@talking-web~level38:~$ cat request | nc localhost 80
HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.8.10
Date: Wed, 14 Feb 2024 05:31:37 GMT
Content-Length: 58
Server: pwn.college
Vary: Cookie
Set-Cookie: session=eyJzdGF0ZSI6NH0.ZcxQOQ.9ZgSDmh15pAL269RJg5y9MiPADU; HttpOnly; Path=/
Connection: close

pwn.college{UqwPYVSh7xexPUjKL9THhVKrryR.....}
import requests as r
host = "http://127.0.0.1/"
response1 = r.get(host)
cookie1 = response1.cookies
response2 = r.get(host, cookies=cookie1)
cookie2 = response2.cookies
response3 = r.get(host, cookies=cookie2)  # cookies must be passed by keyword; positional would be params
cookie3 = response3.cookies
response4 = r.get(host, cookies=cookie3)
cookie4 = response4.cookies
print(response4.text)
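As an added example (not from the original notes), this Python script automates the nano-and-nc loop from the transcript above: it parses each raw response, pulls the session cookie out of Set-Cookie and resends GET / with it until the server answers 200. It assumes the lab server on localhost:80 behaves as the transcript shows; the sample response is copied from that transcript.

```python
import socket

# Sample response copied from the nc transcript above (only the headers the parser needs).
SAMPLE_RESPONSE = (b"HTTP/1.1 302 FOUND\r\nContent-Length: 9\r\nLocation: /\r\n"
                   b"Set-Cookie: session=eyJzdGF0ZSI6MX0.ZcxP2g.qquwMGlsSuxPJF2laE0kQnP1p7c; HttpOnly; Path=/\r\n"
                   b"Connection: close\r\n\r\nstate: 1\n")

def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode().split("\r\n")
    status = int(lines[0].split()[1])            # "HTTP/1.1 302 FOUND" -> 302
    headers = [(n.strip().lower(), v.strip()) for n, _, v in (line.partition(":") for line in lines[1:])]
    return status, headers, body

def session_cookie(headers):
    """Return 'session=<value>' from Set-Cookie, dropping the HttpOnly/Path attributes."""
    for name, value in headers:
        if name == "set-cookie" and value.startswith("session="):
            return value.split(";", 1)[0]
    return None

def build_request(path, cookie=None):
    """Raw HTTP/1.0 GET like the hand-edited request file, plus the cookie if known."""
    lines = [f"GET {path} HTTP/1.0", "Host: 127.0.0.1"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def send_raw(request, host="localhost", port=80):
    """Send one request on a fresh socket; HTTP/1.0 makes the server close when done."""
    with socket.create_connection((host, port)) as s:
        s.sendall(request)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

def walk_states(max_steps=10):
    """Repeat GET /, carrying the newest session cookie, until the server answers 200."""
    cookie = None
    for _ in range(max_steps):
        status, headers, body = parse_response(send_raw(build_request("/", cookie)))
        cookie = session_cookie(headers) or cookie
        if status == 200:
            return body.decode()
    return None

if __name__ == "__main__":   # parse the sample offline; call walk_states() inside the lab
    print(session_cookie(parse_response(SAMPLE_RESPONSE)[1]))
```

With the requests library the same thing happens automatically if one requests.Session() is used for all four calls, because the session stores each Set-Cookie and sends it on the next request.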