Room can be found here: https://tryhackme.com/room/httpindetail
Note: in order to comply with THM’s guidelines, I have purposefully edited all my screenshots so no flags are revealed. For learning purposes, I have also included explanations or other useful excerpts and infographics from the room.
Task 1: What is HTTP(S)?
What does HTTP stand for?
HyperText Transfer Protocol
What does the S in HTTPS stand for?
Secure
On the mock webpage on the right there is an issue, once you’ve found it, click on it. What is the challenge flag?
The issue was the HTTP protocol: once we click on the icon referring to the scheme, we get an alert box containing the flag.
Task 2: Requests and Responses
HTTP/1.1 200 OK
Server: nginx/1.15.8
Date: Fri, 09 Apr 2021 13:34:03 GMT
Content-Type: text/html
Content-Length: 98

<html>
<head>
<title>TryHackMe</title>
</head>
<body>
Welcome To TryHackMe.com
</body>
</html>
What HTTP protocol is being used in the above example?
HTTP/1.1
What response header tells the browser how much data to expect?
Content-Length
Task 3: HTTP Methods
HTTP methods are a way for the client to show their intended action when making an HTTP request.
What method would be used to create a new user account?
POST
What method would be used to update your email address?
PUT
What method would be used to remove a picture you’ve uploaded to your account?
DELETE
What method would be used to view a news article?
GET
Task 4: HTTP Status Codes
When an HTTP server responds, the first line always contains a status code informing the client of the outcome of their request and also potentially how to handle it.
What response code might you receive if you’ve created a new user or blog post article?
201
What response code might you receive if you’ve tried to access a page that doesn’t exist?
404
What response code might you receive if the web server cannot access its database and the application crashes?
503
What response code might you receive if you try to edit your profile without logging in first?
401
Task 5: Headers
Headers are additional bits of data you can send to the web server when making requests. We know two types:
1) Request Headers – sent from the client to the server
2) Response Headers – returned to the client from the server after a request
What header tells the web server what browser is being used?
User-Agent
What header tells the browser what type of data is being returned?
Content-Type
What header tells the web server which website is being requested?
Host
Task 6: Cookies
Cookies are just small pieces of data stored on your computer. They are saved when you receive a “Set-Cookie” header from a web server. Then, with every further request you make, you’ll send the cookie data back to the web server.
Because HTTP is stateless (doesn’t keep track of your previous requests), cookies can be used to remind the web server who you are, what your personal settings for the website are, or whether you’ve been to the website before.
Which header is used to save cookies to your computer?
Set-Cookie
Task 7: Making Requests
Make a GET request to /room
GET http://tryhackme.com/room
Make a GET request to /blog and using the gear icon set the id parameter to 1 in the URL field
GET http://tryhackme.com/blog
Make a DELETE request to /user/1
DELETE http://tryhackme.com/user/1
Make a PUT request to /user/2 with the username parameter set to admin
PUT http://tryhackme.com/user/2
POST the username of thm and a password of letmein to /login
POST http://tryhackme.com/login
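The five Task 7 requests written out as raw HTTP/1.1 messages, plus a parser for a response like the one in Task 2. This is an added example, not part of the room or the original write-up; the helper names build_request and parse_response, the form-encoded body for PUT/POST parameters, and the sample response are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit

def build_request(method, url, query=None, form=None):
    """Return the raw HTTP/1.1 request bytes for one call (hypothetical helper)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if query:                      # GET parameters travel in the request line
        target += "?" + urlencode(query)
    body = urlencode(form).encode() if form else b""
    headers = [f"{method} {target} HTTP/1.1", f"Host: {parts.netloc}"]
    if body:                       # assumed encoding: parameters as a form body
        headers.append("Content-Type: application/x-www-form-urlencoded")
        headers.append(f"Content-Length: {len(body)}")
    # A blank line (CRLF CRLF) separates the headers from the body
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body

def parse_response(raw):
    """Split a raw response into (version, status code, headers dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode().split("\r\n")
    version, code, *_ = status_line.split(" ", 2)   # reason phrase is optional
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return version, int(code), headers, body

# The five requests from Task 7
TASK7 = [
    build_request("GET", "http://tryhackme.com/room"),
    build_request("GET", "http://tryhackme.com/blog", query={"id": 1}),
    build_request("DELETE", "http://tryhackme.com/user/1"),
    build_request("PUT", "http://tryhackme.com/user/2", form={"username": "admin"}),
    # Over http:// this body, password included, is sent unencrypted (Task 1's issue)
    build_request("POST", "http://tryhackme.com/login",
                  form={"username": "thm", "password": "letmein"}),
]

# Constructed sample response modelled on Task 2; Content-Length matches this body
SAMPLE_BODY = b"<html><body>Welcome To TryHackMe.com</body></html>"
SAMPLE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.15.8\r\nContent-Type: text/html\r\n"
          + f"Content-Length: {len(SAMPLE_BODY)}\r\n\r\n".encode() + SAMPLE_BODY)

if __name__ == "__main__":
    for raw in TASK7:
        print(raw.decode(), end="\n---\n")
    print(parse_response(SAMPLE))
```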