## [See original writeup on site](https://barelycompetent.dev/post/ctfs/2021-04-11-ritsecctf/#revolution)

### Revolution  
> The robots are taking over. They are posting their propaganda everywhere. Go
> here to find out more about it.  
>  
> 34.69.61.54:8799  
>  
> Might want to check out Robots first.  
> Hint: Almost all the important information you need is on the root page.
> Read carefully.  
>  
> THE HINTS ARE FREE.  
>  
> * **Hint 1**: Repeat the propaganda in your crafted message to the leaders
> at the proper address.  
> * **Hint 2**: Make sure you aren't encoding your message when sending it.
> Just use plain text when sending.  
> * **Hint 3**: Use your head [2]

The site looks like this:

{{< image src="/img/CTFs/2021/ritsecCTF/revolition-home.gif" alt="revolition-home.gif" >}}

I tried `/robots.txt` first, which results in a 404. As does `/flag`, `/FLAG`,
etc... So that doesn't seem to be it.

After stumbling around the site trying various words mentioned on the home
page, I ended up trying the `/revolution` route, as mentioned in the bottom of
the page:

```bash  
curl http://34.69.61.54:8799/revolution  
```

... response:

```html
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>

The method is not allowed for the requested URL.
```

Which is better than a 404! That means the page/route exists there, we just
aren't passing it the right options. I tried `GET/POST/OPTIONS`/etc, but none
of them were allowed.

I looked at the hints at this point, and the third one caught my
attention:

> * **Hint 3**: Use your head [2]

So how about we try sending a
[`--head`](https://beamtic.com/head-request-curl) request?

```bash
# curl options are case-sensitive: the long form of -I is --head
curl --head http://34.69.61.54:8799/revolution
```

```http
HTTP/1.0 405 METHOD NOT ALLOWED
Content-Type: text/html; charset=utf-8
Allow: OPTIONS, UNLOCK
Content-Length: 178
Server: Werkzeug/1.0.1 Python/3.7.3
Date: Sat, 10 Apr 2021 14:27:21 GMT
```

Nice, so `UNLOCK` looks like what we want. If we try sending just that:

```bash  
curl -X UNLOCK http://34.69.61.54:8799/revolution  
```

... we get back:

```html
<html>
<head>
<title>404 ;)</title>
</head>
<body>
<h1>404 ;)</h1>
</body>
</html>
```

Now, we just need to figure out the "right crafted message"...

> Send me the right crafted message and you can join the revolution. Only then
> can we unlock your full potential.

The challenge description/hint mentions _head 2_. Originally, I thought this
only meant to refer to the `--head` option to learn about the `UNLOCK`. But
after a while, my teammate datajerk mentioned:

> H2's?

Which, when looking at the website, made sense. This correlated to each of the
**Friendly**, **Caring**, **Laws**, **Protect** sections.

As such, I sent this payload:

```bash
# No Content-Type header given, so -d sends the body as form data
curl -X UNLOCK -H "User-Agent: Robot-Queto-v1.2" \
  http://34.69.61.54:8799/revolution -d 'Friendly Caring Laws Protect'
```

But no dice. After quite some time (a few hours) and talking with the author,
I learned that the challenge description was updated to be made quite a bit
more clear.

I noticed now:

> They expect a special type of request and only have the ability to read
> plain text from a special agent. ONLY SEND PLAIN TEXT DATA.

The _ONLY SEND PLAIN TEXT DATA_ is what stood out to me. As it turns out,
[the -d flag will by default send `Content-Type: application/x-www-form-urlencoded`](https://stackoverflow.com/a/43056956).
Per that SO comment, we can specify `text/plain` explicitly like so, and this
gives the flag:

```bash
# Explicit Content-Type overrides the form-urlencoded default of -d
curl -X UNLOCK -H "Content-Type: text/plain" -H "User-Agent: Robot-Queto-v1.2" \
  http://34.69.61.54:8799/revolution -d 'Friendly Caring Laws Protect'
```

Flag is `RS{W3lc0me_t0_th3_R3volut1on}`.
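
A local reconstruction of the behaviour walked through above, added here as an example; it is not the challenge's source or code from the original writeup. It assumes the route checks the `Content-Type`, `User-Agent` and body together and answers `404 ;)` otherwise; `Handler`, `probe`, `run_demo` and the `unlocked` body (standing in for the flag) are hypothetical.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

AGENT = "Robot-Queto-v1.2"                  # User-Agent from the writeup
MESSAGE = b"Friendly Caring Laws Protect"   # H2 headings sent as the body

class Handler(BaseHTTPRequestHandler):  # assumed reconstruction, not challenge source
    log_message = lambda self, *args: None  # keep the demo quiet

    def _reply(self, status, body=b"", allow=None):
        self.send_response(status)
        if allow:  # a 405 advertises the permitted methods
            self.send_header("Allow", allow)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        self._reply(405, allow="OPTIONS, UNLOCK")
    do_HEAD = do_POST = do_GET

    def do_UNLOCK(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip()
        ok = (ctype == "text/plain" and body == MESSAGE
              and self.headers.get("User-Agent") == AGENT)
        self._reply(200 if ok else 404, b"unlocked" if ok else b"404 ;)")

def probe(port, method, headers=None, body=None):
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request(method, "/revolution", body=body, headers=headers or {})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Allow"), resp.read())
    conn.close()
    return result

def run_demo():
    form = {"User-Agent": AGENT, "Content-Type": "application/x-www-form-urlencoded"}
    plain = {"User-Agent": AGENT, "Content-Type": "text/plain"}
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_port
        results = {"head": probe(port, "HEAD"),
                   "form": probe(port, "UNLOCK", form, MESSAGE),   # curl -d default
                   "plain": probe(port, "UNLOCK", plain, MESSAGE)}
        server.shutdown()
    return results
```

`run_demo()` returns one `(status, Allow header, body)` tuple per probe: the `HEAD` probe shows the method list leaking through `Allow`, and the two `UNLOCK` probes differ only in `Content-Type`.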
