A Walk-Through Solving Hack The Box Academy’s Web Requests Module on CRUD API
Objective: First, try to update any city’s name to be ‘flag’. Then, delete any city. Once done, search for a city named ‘flag’ to get the flag.
Target(s): 94.237.57.115:58610
Note: I’m using Pwnbox, so you don’t need to set up a local VM for this.
Before updating any city’s name to be ‘flag’, we have to know the list of city names. To do this, we use the command curl -s http://<target ip>/api.php/city/ | jq , where -s is used to silence any unneeded cURL output and | jq is used to properly format the output in JSON format.
I decided to change the city name “Leeds” into “flag”. To update a data from the database table, we use PUT.
Command: curl -X PUT http://<target ip>/api.php/city/leeds -d ‘{“city_name”:”Flag”,”country_name”:”(UK)”}’ -H ‘Content-Type: application/json’
To check if our database has really been updated, we will have to once again show the list of city names in the database using curl -s http://<target ip>/api.php/city/ | jq . As you can see, we have successfully updated the city name Leeds into Flag.
Next, to try deleting any city, we will use the HTTP method DELETE as follows: curl -X DELETE http://<target ip>/api.php/city/Baltimore , where we’ll be deleting a city named Baltimore.
Let’s check whether Baltimore has been successfully deleted from the database : curl -s http://<target ip>/api.php/city/Baltimore | jq
To search for a city named ‘flag’ to get the flag, we will be using the same command as previously, but changing /Baltimore to /flag, as follows: curl -s http://<target ip>/api.php/city/flag | jq
Flag captured: HTB{crud_4p!_m4n!pul4t0r}
