The DeconstruCT.F 2021
I played in the DeconstruCT.F 2021 with ps1ttacus! It's a little late, but these are my writeups for the web challenges I solved.
Never gonna lie to you (243 points)
The page linked in this challenge had a robots.txt file with the following content:
User-agent:*
Disallow:/static/
Disallow:/never_gonna_give_you_up/
The first two lines are nothing unusual, but the last one was interesting. When visiting the path /never_gonna_give_you_up/, I got the following HTML code:
<!DOCTYPE html>
<html lang="en">
<head>
<!-- omitted... -->
</head>
<body id="page-top">
<!-- omitted... -->
<div class="container">
<div class="row">
<form class="column" action="/never_gonna_let_you_down" method="post">
<label> Username: </label>
<input type="text" name="username">
<label> Password: </label>
<input type="password" name="password">
</form>
</footer><!-- (sic!) -->
<!-- omitted... -->
</body>
</html>
There was a login form that would be POSTed to /never_gonna_let_you_down. And what's the first thing you do when you find a login form? You try an SQL injection. I sent the following request:
POST /never_gonna_let_you_down
username=
password=' OR 1=1; --
And it worked! That request returned the flag.
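As an added illustration (not code from the challenge or the original post), here is what that payload does to a login check that pastes user input into the SQL string, next to the parameterised form that stops it. The SQLite table and the server-side code are assumptions, since the challenge backend was never visible:

```python
import sqlite3

# Constructed stand-in for the challenge's user table (assumption: the real
# backend's schema and language are unknown).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    conn.commit()
    return conn

# The exact password value sent in the writeup above.
PAYLOAD = "' OR 1=1; --"

def login_vulnerable(conn, username, password):
    """String-concatenated query: the input becomes part of the SQL text.

    With PAYLOAD the WHERE clause reads
      username = '' AND password = '' OR 1=1; --'
    and because OR binds weaker than AND, every row matches.
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Parameterised query: values travel separately from the SQL text,
    so the quote and comment characters in PAYLOAD are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def compare(username="", password=PAYLOAD):
    """Run the same credentials through both versions and report the outcome."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "safe": login_safe(conn, username, password),
    }

if __name__ == "__main__":
    print(compare())  # the concatenated query lets the payload in; the parameterised one does not
```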
Curly Fries 1 (248 points)
This one linked to a page that looked like this:
I don't know who the guy in the top left is, but the other images were all clearly related to Sweden. I requested the page again, this time with the Accept-Language header set to sv-SE (Swedish, as spoken in Sweden). Then I immediately got the flag.
Curly Fries 3 (600 points)
This one was similar to Curly Fries 1 - you had to change your HTTP request headers and parameters.
When I loaded the page at first, I got a 405: Method not allowed response. So, I tried again with a POST request. This time, I got a response with the following content:
perhaps try Googling me instead?
So I set the Referer header to https://www.google.com, which suggests that I came from a Google search (btw, yes, the header name really is spelled that way). Now, the response said
did you attend that lovely dinner party Hosted by dscvit?
This was a hint that I should set the Host header to dscvit. Next, I got a little poem:
potates and carrots are my friends, milk and Cookies will be my end
This time, the response also contained an additional header: Set-Cookie: user=anon. However, just sending Cookie: user=anon with my request wasn't enough. The correct value was something else. Now, someone who goes outside occasionally might have known that potatoes and carrots are both root vegetables. But I didn't, so I had to guess my way to the correct value, which was Cookie: user=root.
The next response was:
JFATHER, JMOTHER, JDAUGHTER, ____?
Obviously, this is a reference to JSON. I added a Content-Type: application/json header and an empty JSON body to my request. Now, the response was also a JSON object:
{'error': {'messi': 'required'}}
This suggested that the server was expecting a property called "messi". When I sent {"messi": "foo"}, I got back: {'error': {'messi': 'which club am i at?'}}
Google told me that Messi is a soccer player currently playing for Paris Saint-Germain. So, I sent the final request with {"messi":"Paris Saint-Germain"} and got the flag.