PicoGym Web Exploitation Writeup | GET aHEAD | Easy | PicoCTF
easy ctf picoctf web easy-web easy-picoctf-web easy-picoctf picoctf-web
Originally posted on my Medium page.

In this challenge, we are tasked with uncovering a hidden flag on a server. The title, “GET aHEAD,” hints that the page is driven by the GET HTTP method and that switching the request to the HEAD method may make the server return the flag.
To solve this, we’ll use Burp Suite to intercept and modify the HTTP request. Open the provided website in a browser that proxies through Burp.
On the page, we can see two buttons: Choose red and Choose blue.

Click on the Choose red button. This sends a GET request, which we can view in Burp Suite.

Send the request to Burp Suite’s Repeater tab (by pressing Ctrl + R).
In the Repeater tab, change the HTTP method on the request line from GET to HEAD and send the modified request. A HEAD response carries no message body, so inspect the response headers in Repeater rather than only the body pane.

By doing this, the server responds with the flag!
The flag is: picoCTF{r3j3ct_th3_du4l1ty_82880908}
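The same method-switching trick, reproduced offline as an added example (this is not the challenge's own code or server). A small mock server, constructed for this example, answers differently to GET, POST and HEAD; the client sends each method and reports what came back. The flag value and the decision to return it in a response header named `flag` are assumptions made for the mock, not facts about the real challenge, but the lesson holds in general: a HEAD response has no body, so anything the server wants to reveal to a HEAD request can only travel in the headers.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed flag for the mock only; the real challenge flag is not embedded here.
MOCK_FLAG = "picoCTF{example_flag_not_real}"


class MethodSwitchHandler(BaseHTTPRequestHandler):
    """Mock of a page that branches on the HTTP method (constructed for this example)."""

    def log_message(self, *args):  # keep the console quiet
        pass

    def _send(self, body: str, extra_headers=None):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        for name, value in (extra_headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        # RFC 9110: a response to HEAD must not include a message body.
        if self.command != "HEAD":
            self.wfile.write(data)

    def do_GET(self):  # what the "Choose red" button triggers
        self._send("<html><body style='background:red'>Red</body></html>")

    def do_POST(self):  # what the "Choose blue" button triggers
        self._send("<html><body style='background:blue'>Blue</body></html>")

    def do_HEAD(self):  # the branch no button reaches; flag placement is an assumption
        self._send("", {"flag": MOCK_FLAG})


def start_mock_server():
    """Bind the mock to an ephemeral localhost port and serve it on a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), MethodSwitchHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def send_request(method, host, port, path="/"):
    """Send one request with an arbitrary method; return (status, lowercase headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path)
    resp = conn.getresponse()
    body = resp.read().decode()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return resp.status, headers, body


def probe_methods(host, port, methods=("GET", "POST", "HEAD")):
    """Try each method and record status, body length and any 'flag' header."""
    results = {}
    for method in methods:
        status, headers, body = send_request(method, host, port)
        results[method] = {
            "status": status,
            "body_len": len(body),
            "flag": headers.get("flag"),
        }
    return results


if __name__ == "__main__":
    srv = start_mock_server()
    host, port = srv.server_address
    for method, result in probe_methods(host, port).items():
        print(method, result)
    srv.shutdown()
```

Against the real target, the equivalent of `send_request("HEAD", ...)` is the Repeater step above, or `curl -I` against the challenge URL; either way, read the headers, because the body view will be empty by design.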
📖 Want more CTF and OSINT writeups like this? Check out my Medium page here.