MENAS'S Web Requests Challenge

Five small challenges based on HTTP fundamentals, headers, auth, cookies, JSON, and REST/CRUD. Everything is solvable with curl and your browser's dev tools. Flags look like MENAS{...}.

  1. 1. Header Hunter
    GET /api/challenge1

    This endpoint only responds well to specific requests. Start with curl -v and read the response headers carefully.

  2. 2. Basic Auth
    GET /api/challenge2

    Protected with plain HTTP Basic Auth. curl -u user:pass is your friend. Maybe start with something obvious.

  3. 3. Login Forms & Cookies
    POST /api/challenge3/login, then GET /api/challenge3/flag

    A classic HTML login form (not JSON), Params (username, password), The dev has forgotten the 'test' account ;). Log in, capture the cookie, then use it on the flag endpoint.

  4. 4. JSON Data
    POST /api/challenge4

    Wants a real application/json body with the right Content-Type header and the right field set.

  5. 5. CRUD API
    GET/PUT/DELETE /api/challenge5/cities/*

    Rename a city `{"name": "new-name"}`, delete another, then GET the city that shouldn't exist yet. These are the list of cities: Addis, Adama, Mekele, and Ambo.