MENAS'S Web Requests Challenge
Five small challenges based on HTTP fundamentals, headers, auth, cookies, JSON, and REST/CRUD. Everything is solvable with curl and your browser's dev tools. Flags look like MENAS{...}.
- 1. Header Hunter
GET /api/challenge1This endpoint only responds well to specific requests. Start with curl -v and read the response headers carefully.
- 2. Basic Auth
GET /api/challenge2Protected with plain HTTP Basic Auth. curl -u user:pass is your friend. Maybe start with something obvious.
- 3. Login Forms & Cookies
POST /api/challenge3/login, then GET /api/challenge3/flagA classic HTML login form (not JSON), Params (username, password), The dev has forgotten the 'test' account ;). Log in, capture the cookie, then use it on the flag endpoint.
- 4. JSON Data
POST /api/challenge4Wants a real application/json body with the right Content-Type header and the right field set.
- 5. CRUD API
GET/PUT/DELETE /api/challenge5/cities/*Rename a city `{"name": "new-name"}`, delete another, then GET the city that shouldn't exist yet. These are the list of cities: Addis, Adama, Mekele, and Ambo.