Web Fundamentals Room
The link for this lab is located here: https://tryhackme.com/room/webfundamentals
This room is designed as a basic intro to how the web works. It covers HTTP requests and responses, web servers, cookies and then puts them all to use in a mini CTF at the end.
Task 2 - How Do We Load Websites?
Initially, when we request a website on the Internet, a DNS request is made. DNS (Domain Name System) takes website names (google.com) and translates them to IP addresses. The IP address uniquely identifies each internet-connected device (your phone, smart TV, desktop, tablet, smart thermometer, etc.). IP addresses are four groups of numbers, ranging from 0-255 (e.g. 192.168.0.1).
Once the browser knows the server’s IP address, it can ask the server for the web page. This is done via an HTTP GET request. GET is an example of an HTTP verb; verbs are the different types of requests you can make to a web server.
The server responds to the GET request with the web page content. If the web page is loading extra resources, like JavaScript, images or CSS files, those get retrieved in separate GET requests.
For most websites, these requests will use HTTPS which is the secured (encrypted) version of HTTP. HTTPS uses TLS 1.3 in order to communicate without:
Other parties being able to read the data
Other parties being able to modify the data
A web server is software that receives and responds to HTTP(S) requests. Some of the most popular include Apache, Nginx and Microsoft IIS.
By default, HTTP runs on port 80 and HTTPS runs on port 443.
The content of the web page is normally a combination of HTML, CSS and JavaScript.
HTML defines the structure of the page
CSS changes the look of the page
JavaScript makes pages interactive or loads extra content
Questions
Q1: What request verb is used to retrieve page content?
A: GET
Q2: What port do web servers normally listen on?
A: 80
Q3: What is responsible for making websites look fancy?
A: CSS
Task 3 - More HTTP (Verbs and Request Formats)
There are 9 different HTTP “verbs”. Each one has a different function.
POST requests are used to send data to a web server, like adding a comment or performing a login. There are more but most are not commonly used.
An HTTP request can be broken down into parts. The first line is a verb and a path for the server such as:
GET /index.html
The second section is headers, which give the web server more information about your request. Importantly, cookies are sent in the request headers.
Finally, the body of the request. For POST requests, this is the content that is sent to the server. For GET requests, a body is allowed but will mostly be ignored by the server.
An example of a full GET request for a JavaScript file is as follows:
GET /main.js HTTP/1.1
Host: 192.168.170.129:8081
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Accept: */*
Referer: http://192.168.170.129:8081/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
From the headers, you can tell the request was sent by Google Chrome version 80 on Windows 10.
Responses
The server should reply with a response. The response follows a similar structure to the request, but the first line describes the status rather than a verb and a path.
The status will normally be a code. A basic breakdown of the status codes is:
100-199: Information
200-299: Successes (200 OK is the normal response)
300-399: Redirects (information is elsewhere)
400-499: Client errors (you did something wrong)
500-599: Server errors (The server tried but something went wrong)
For more information on HTTP Status codes, click here
Response headers are important. They often tell you something about the web server sending them or give you cookies that may prove useful later.
The response will also have a body. For GET requests, this is normally web content or information such as JSON. For POST requests, it may be a status message or similar.
Here is the response to the GET request above:
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 28
Content-Type: application/javascript; charset=utf-8
Last-Modified: Wed, 12 Feb 2020 12:51:44 GMT
Date: Thu, 27 Feb 2020 21:47:30 GMT

console.log("Hello, World!")
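The request and response formats described above can be taken apart mechanically. The following is an added example, not part of the room or the original write-up: a small parser that splits a raw HTTP/1.1 message into start line, headers and body, labels the status code with the ranges listed above, and checks the body against Content-Length. The function name `parse_message` and the shortened sample messages are assumptions constructed from the example on this page.

```python
# Constructed from the request and response shown above; HTTP/1.1 lines end in CRLF.
REQUEST = (b"GET /main.js HTTP/1.1\r\n"
           b"Host: 192.168.170.129:8081\r\n"
           b"Accept: */*\r\n"
           b"\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Length: 28\r\n"
            b"Content-Type: application/javascript; charset=utf-8\r\n"
            b"\r\n"
            b'console.log("Hello, World!")')

STATUS_CLASSES = {1: "Information", 2: "Successes", 3: "Redirects",
                  4: "Client errors", 5: "Server errors"}


def parse_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 message into start line, headers and body."""
    head, blank, body = raw.partition(b"\r\n\r\n")
    if not blank:
        raise ValueError("headers are not terminated by a blank line")
    start, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = start.split(" ", 2)
    if len(parts) < 2:
        raise ValueError(f"malformed start line: {start!r}")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    msg = {"headers": headers, "body": body}
    if parts[0].startswith("HTTP/"):  # response: version, status code, reason
        code = int(parts[1])
        msg.update(kind="response", status=code,
                   status_class=STATUS_CLASSES.get(code // 100, "Unknown"))
    else:  # request: verb, path, optional version
        msg.update(kind="request", verb=parts[0], path=parts[1])
    # A body shorter or longer than Content-Length means a truncated or padded message.
    declared = headers.get("content-length")
    msg["length_ok"] = declared is None or int(declared) == len(body)
    return msg


if __name__ == "__main__":
    for raw in (REQUEST, RESPONSE):
        print(parse_message(raw))
```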
Questions
Q1: What verb would be used for a login?
A: POST
Q2: What verb would be used to see your bank balance once you are logged in?
A: GET
Q3: Does the body of a GET request matter? Yea/Nay
A: Nay
Q4: What is the status code for "I'm a teapot"?
A: Doing a quick Google search for "I'm a teapot HTTP status code" reveals that it is 418
Q5: What status code will you get if you need to authenticate to access some content, and you are unauthenticated?
A: 401
Task 4 - Cookies
Cookies are small bits of data that are stored in your browser. Each browser stores them separately. They have a huge number of uses but the most common are either session management or advertising (tracking cookies). Cookies are normally sent with every HTTP request made to a server.
Why Cookies?
Because HTTP is stateless, the server does not remember anything between requests, so cookies are used to keep track of state. They allow sites to keep track of data like what items you have in your shopping cart, who you are, what you have done on the website and more.
Cookies can be broken down into several parts. Cookies typically have a name, a value, an expiry date and a path.
The name identifies the cookie
The value is where data is stored
The expiry date is when the browser will delete it
The path determines what requests the cookie will be sent with
The server is normally what sets cookies and these come in the response headers under “Set-Cookie”. Alternatively, they can be set from JavaScript inside your browser.
Using Cookies
When you log in to a web app, normally you are given a Session Token. This allows the web server to distinguish your requests from someone else’s.
To find out more about cookies, check here
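The four cookie parts listed above decide what a client sends back. The following is an added example, not part of the room or the original write-up: it parses Set-Cookie values into name, value, expiry and path, then builds the Cookie request header a browser would send for a given path at a given time. The function names, the sample cookies and the fixed clock are constructed for illustration, and the default path of "/" is a simplification (browsers derive it from the request URL).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into name, value, expiry and path."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    name, eq, value = first.partition("=")
    if not eq or not name:
        raise ValueError("Set-Cookie must start with name=value")
    # Assumption: default path "/" (simplified; see lead-in).
    cookie = {"name": name, "value": value, "expires": None, "path": "/"}
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
    return cookie


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 path-match: equal, or a prefix that ends on a '/' boundary."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")


def cookie_header(jar: list, request_path: str, now: datetime) -> str:
    """Build the Cookie request header: unexpired cookies whose path matches."""
    live = [c for c in jar
            if (c["expires"] is None or c["expires"] > now)
            and path_matches(c["path"], request_path)]
    return "; ".join(f"{c['name']}={c['value']}" for c in live)


# Constructed Set-Cookie values: a session token, a path-scoped cookie, an expired one.
SAMPLE = [
    "session=tok-constructed-123; Path=/; Expires=Wed, 12 Feb 2031 12:00:00 GMT",
    "cart=3; Path=/shop",
    "old=1; Path=/; Expires=Wed, 12 Feb 2020 12:51:44 GMT",
]
JAR = [parse_set_cookie(v) for v in SAMPLE]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable

if __name__ == "__main__":
    for path in ("/", "/shop/basket", "/shopping"):
        print(path, "->", cookie_header(JAR, path, NOW))
```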
Task 5 - Mini CTF
Making HTTP Requests
You can make HTTP requests in many ways. For CTFs, you will sometimes need to use cURL or a programming language as this allows automation.
Intro to cURL
By default, cURL will perform GET requests on the provided URL. Using command-line flags, however, allows you to do a lot more than just GET requests.
The -X flag allows us to specify the request type (-X POST). You can specify the data to POST with --data, which will default to plain text data.
It is worth mentioning that cURL does NOT store cookies and you have to manually specify any cookies and values you would like to send with your request.
Tasks
GET request - make a GET request to the web server with path /ctf/get
POST request - make a POST request with the body “flag_please” to /ctf/post
Get a Cookie - make a GET request to /ctf/getcookie and check the cookie the server gives you
Set a cookie - set a cookie with name “flagpls” and value “flagpls” in your devtools and make a GET request to /ctf/sendcookie