Headers Game

Challenge overview

Task

The challenge presents a web server that validates incoming requests through a series of HTTP header checks. Only the "perfect packet" with all correct headers will reveal the flag.

Steps to solve

Starting with a basic GET request to env02.deadface.io:8001, we receive an immediate rejection:

The server responds with 405 METHOD NOT ALLOWED, suggesting we need a different HTTP method.

An OPTIONS request reveals the allowed methods: GET, POST, PUT, DELETE, OPTIONS, LOGIN, TRACE, CONNECT.

Interesting! LOGIN is a custom HTTP method, not part of standard HTTP specifications. Let's try it!

And it worked, so let's move on. The server wants us to identify as "Smith". Adding User-Agent: Smith:

Progress! On to the next check. The message is pretty straightforward: we need to set our location. Adding Location: Germany:

This one took some trial and error. I initially tried headers like Date, If-Modified-Since, and other time-related headers. After some fuzzing, I discovered the Age header was the key:

Note: The Age header typically indicates how long a response has been in a cache.

This one also required some persistence. Simple values like localhost or 127.0.0.1 didn't work. After fuzzing different localhost variations, I found that http://127.1 did the trick:

Tip: Remember that 127.1 is a shorthand notation that resolves to 127.0.0.1.

Now we're dealing with security headers! This one is straightforward if you're familiar with web security headers: X-XSS-Protection.

Note: This header is deprecated in modern browsers.

"You are being tracked" hints at the Do Not Track header:

Another security header! This one, X-Frame-Options, prevents clickjacking attacks:

"Old-school caching" is the key phrase here. Before modern cache-control mechanisms, Pragma was used. I tried a few caching-related headers before finding the right one:

Content-type sniffing protection, which is the X-Content-Type-Options header:

The final boss! The message hints at needing to "override" something. The X-HTTP-Method-Override header allows clients to override the HTTP method:

Setting X-HTTP-Method-Override: GET finally gives us the flag!

Flag

Flag value:

deadface{itsAllInMyHead|ers}

First Blood!!

The Perfect Packet

Here's the complete request that solves the challenge:

LOGIN / HTTP/1.1
Host: env02.deadface.io:8001
User-Agent: Smith
Location: Germany
Age: 30
Origin: http://127.1
X-XSS-Protection: 0
DNT: null
X-Frame-Options: deny
Pragma: no-cache
X-Content-Type-Options: nosniff
X-HTTP-Method-Override: GET
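
The Origin: http://127.1 value in the request above shows why a loopback check that only compares the host against the strings localhost or 127.0.0.1 is incomplete. As an added example (not code from the challenge or its server, whose validation logic is not shown on this page; the function names are assumptions), this normalizes the legacy inet_aton address forms before testing for loopback:

```python
import ipaddress
from urllib.parse import urlsplit

def parse_inet_aton(text):
    """Parse legacy inet_aton forms (a, a.b, a.b.c, a.b.c.d) into an IPv4Address.
    Parts may be decimal, octal (leading 0) or hex (leading 0x); the last part
    fills all remaining bytes, which is why 127.1 means 127.0.0.1.
    Returns None when the text is not a numeric IPv4 form."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = []
    for part in parts:
        if not (part.isascii() and part.isalnum()):
            return None
        try:
            if part.lower().startswith("0x"):
                nums.append(int(part[2:], 16))
            elif len(part) > 1 and part[0] == "0":
                nums.append(int(part, 8))
            else:
                nums.append(int(part, 10))
        except ValueError:
            return None
    *head, last = nums
    # Leading parts are one byte each; the last part covers the remaining bytes.
    if any(n > 0xFF for n in head) or last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ipaddress.IPv4Address(value)

def origin_is_loopback(origin):
    """True if the Origin URL's host is localhost or any spelling of a loopback IP."""
    host = (urlsplit(origin).hostname or "").rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # canonical IPv4 or IPv6
    except ValueError:
        addr = parse_inet_aton(host)  # shorthand, octal or hex spellings
        return addr is not None and addr.is_loopback

# Constructed sample Origin values; only the first one appears on this page.
SAMPLES = ["http://127.1", "http://127.0.0.1", "http://localhost:8001", "http://10.1"]

if __name__ == "__main__":
    for origin in SAMPLES:
        print(f"{origin:24} loopback={origin_is_loopback(origin)}")
```
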

Key Learnings

Pretty guessy chall, but sometimes it's fun :D