Who Are You?

A detailed write-up of the Web challenge 'Who Are You?' from PicoCTF - 2021

/images/PicoGym/PicoCTF-2021/WhoAreYou/challenge_presentation.png
Challenge Presentation

Challenge Overview

Category | Details | Additional Info
Event | PicoGym | Event Link
Category | Web |
Points | 500 | Out of 500 total
Difficulty | Medium | Personal Rating: 1/10
Author | madStacks | Profile
Solves (At the time of flag submission) | 23.593 | solve rate
Date | 19-02-2025 | PicoGym
Solved By | mH4ck3r0n3 | Team:

๐Ÿ“ Challenge Information

Let me in. Let me iiiiiiinnnnnnnnnnnnnnnnnnnn http://mercury.picoctf.net:36622/

Challenge Files & Infrastructure

Provided Files

Files: None

๐Ÿ” Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2021/WhoAreYou/site_presentation.png
Site Presentation

We are told that the page is only accessible via PicoBrowser. When making an HTTP request, the header field that defines which “browser” we are using is the User-Agent. So, I opened the site with BurpSuite and sent the request to the Repeater:

/images/PicoGym/PicoCTF-2021/WhoAreYou/repeater.png
Repeater

In Repeater, I modified the request by setting the suggested header, User-Agent: PicoBrowser, which let me move on to the next step:

/images/PicoGym/PicoCTF-2021/WhoAreYou/picoBrowser.png
User-Agent

As we can see, the message has changed. Now it tells us that it doesn’t trust users coming from another site. I think this challenge will be mainly about modifying and adding fields to the request header, so let’s proceed with the exploitation.

Solution Path

Exploitation Steps

Exploitation

After a few searches to bypass the second check, I found the Referer header. The HTTP Referer header contains the absolute or partial address from which a resource has been requested. By setting it as Referer: mercury.picoctf.net:36622, the server believes the request is coming from the server itself, allowing me to pass this check as well:

/images/PicoGym/PicoCTF-2021/WhoAreYou/referer.png
Referer

Now we are told that this site only worked in 2018. We can bypass this check by setting the Date field to 2018, i.e., Date: 2018:

/images/PicoGym/PicoCTF-2021/WhoAreYou/date.png
Date

The next check is about tracking. After some searching, I found the DNT (Do Not Track) field, which specifies tracking preferences. By setting DNT: null, I was able to bypass this check:

/images/PicoGym/PicoCTF-2021/WhoAreYou/dnt.png
DNT

Next, we are told that the website is only for people from Sweden. This check can be bypassed by setting X-Forwarded-For to an IP address from Sweden. I did some research and found this: https://lite.ip2location.com/sweden-ip-address-ranges. However, there are other methods. One that came to mind was finding a website with the .se top-level domain, which indicates a Swedish site. Then, using tools like dig, ping, nslookup, etc., I found the IP associated with the domain and used it in the request:

/images/PicoGym/PicoCTF-2021/WhoAreYou/xforwarded.png
X-Forwarded-For

As the last check, we are told that we don't speak Swedish. This can be bypassed by setting the Accept-Language: sv,... field, as sv specifies the Swedish language. By modifying the field and sending the request, I passed the final check and obtained the flag.

Flag capture

/images/PicoGym/PicoCTF-2021/WhoAreYou/manual_flag.png
Manual Flag
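Every check above reads a header that the client writes, which is why each one falls to a one-line edit in Repeater. As an added example (not part of the original write-up or the challenge's own code), the sketch below contrasts a naive X-Forwarded-For lookup with one that honours the header only when the connection comes from a trusted reverse proxy; the proxy network, the function names and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed values: the proxy network and every address used with this
# code are RFC 5737 documentation ranges, not taken from the challenge.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def is_trusted_proxy(addr):
    """True if addr belongs to a reverse proxy we operate (raises on junk)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def forwarded_hops(headers):
    """Split X-Forwarded-For into hops; header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("x-forwarded-for", "")
    return [h.strip() for h in raw.split(",") if h.strip()]


def naive_client_ip(headers, peer_addr):
    """Naive lookup: believe the first hop the request claims."""
    hops = forwarded_hops(headers)
    return hops[0] if hops else peer_addr


def hardened_client_ip(headers, peer_addr):
    """Honour the header only when the TCP peer is a known proxy, then walk
    the hops right to left and return the first one that is not ours."""
    if not is_trusted_proxy(peer_addr):
        return peer_addr  # direct connection: the header is plain user input
    for hop in reversed(forwarded_hops(headers)):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            break  # malformed hop: stop trusting the rest of the chain
    return peer_addr


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "198.51.100.7"}  # constructed request
    print(naive_client_ip(spoofed, "203.0.113.50"))     # header wins
    print(hardened_client_ip(spoofed, "203.0.113.50"))  # socket peer wins
```

The same reasoning applies to User-Agent, Referer, Date, DNT and Accept-Language: none of them has a trustworthy source on the server side, so they can inform presentation but not gate access.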

๐Ÿ› ๏ธ Exploitation Process

Approach

The automatic exploit replicates the request made manually, setting the headers shown in the image above using BurpSuite. Once the request is made, it extracts the flag from the response using a regex.

Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2021/WhoAreYou/automated_flag.png
Automated Flag
Screenshot of successful exploitation

Tools Used

Tool | Purpose
Python | Exploit
Burp Suite | Web Testing

Key Learnings

New Knowledge

I learned what DNT is.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

References & Resources

Learning Resources


Final Statistics

Metric | Value | Notes
Time to Solve | 00:05 | From start to flag
Global Ranking (At the time of flag submission) | | Challenge ranking
Points Earned | 500 | Team contribution

Created: 19-02-2025 • Last Modified: 19-02-2025 • Author: mH4ck3r0n3 • Team: