I'm Bow Ninecandle, and while everyone's busy unpacking, I'd much rather invite you to try something more exciting - a curling challenge without ice! I'm talking about using Curl, a magical command-line tool for sending web requests - it's as simple as typing 'curl https://example.com' to start with, and while that's just scratching the surface, I'm here to help if you get stuck!
Hint "cURL Manual": The official cURL man page has tons of useful information on how to use cURL.
Hint "cURL: Don't squash": Take a look at cURL's "--path-as-is" option; it controls a default behavior that you may not expect!
We follow the instructions in the dialogue. We are already familiar with many of the options or can quickly find them using a search.
Welcome to Curling Fun! We will learn some basic curl commands while playing a round of curling.
Are you ready to begin? [y]es: y
1) Unlike the defined standards of a curling sheet, embedded devices often have web servers on non-standard ports. Use curl to retrieve the web page on host "curlingfun" port 8080.
If you need help, run the 'hint' command.
alabaster@curlingfun:~$ curl http://curlingfun:8080
2) Embedded devices often use self-signed certificates, where your browser will not trust the certificate presented. Use curl to retrieve the TLS-protected web page at https://curlingfun:9090/
alabaster@curlingfun:~$ curl -k https://curlingfun:9090
3) Working with APIs and embedded devices often requires making HTTP POST requests. Use curl to send a request to https://curlingfun:9090/ with the parameter "skip" set to the value "alabaster", declaring Alabaster as the team captain.
alabaster@curlingfun:~$ curl -k -d "skip=alabaster" https://curlingfun:9090
4) Working with APIs and embedded devices often requires maintaining session state by passing a cookie. Use curl to send a request to https://curlingfun:9090/ with a cookie called "end" with the value "3", indicating we're on the third end of the curling match.
alabaster@curlingfun:~$ curl -k --cookie "end=3" https://curlingfun:9090
5) Working with APIs and embedded devices sometimes requires working with raw HTTP headers. Use curl to view the HTTP headers returned by a request to https://curlingfun:9090/
alabaster@curlingfun:~$ curl -k -v https://curlingfun:9090
6) Working with APIs and embedded devices sometimes requires working with custom HTTP headers. Use curl to send a request to https://curlingfun:9090/ with an HTTP header called "Stone" and the value "Granite".
alabaster@curlingfun:~$ curl -k -H "Stone:Granite" https://curlingfun:9090
7) curl will modify your URL unless you tell it not to. For example, use curl to retrieve the following URL containing special characters: https://curlingfun:9090/../../etc/hacks
alabaster@curlingfun:~$ curl -k --path-as-is "https://curlingfun:9090/../../etc/hacks"
Great work!
You know... rumor has it you can breeze through this with just three commands. Why don’t you give it a whirl?
We only find the hard-mode challenge after looking around the file system a bit. From there, we build the commands the same way as before.
alabaster@curlingfun:~$ cat HARD-MODE.txt
Prefer to skip ahead without guidance? Use curl to craft a request meeting these requirements:
- HTTP POST request to https://curlingfun:9090/
- Parameter "skip" set to "bow"
- Cookie "end" set to "10"
- Header "Hack" set to "12ft"
alabaster@curlingfun:~$ curl -k -d "skip=bow" --cookie "end=10" -H "Hack:12ft" https://curlingfun:9090
Excellent! Now, use curl to access this URL: https://curlingfun:9090/../../etc/button
alabaster@curlingfun:~$ curl -k --path-as-is "https://curlingfun:9090/../../etc/button"
Great! Finally, use curl to access the page that this URL redirects to: https://curlingfun:9090/GoodSportsmanship
alabaster@curlingfun:~$ curl -k -L "https://curlingfun:9090/GoodSportsmanship"
Excellent work, you have solved hard mode! You may close this terminal once HHC grants your achievement.
I'm absolutely amazed at your web wizardry - you've mastered the Curl challenge faster than a curling stone on magical ice, and even managed to condense it all into just three commands! You're truly a Curling conjurer!
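Why step 7 and the second hard-mode command need --path-as-is, as an added example that is not part of the original walkthrough or the challenge: by default curl squashes "/./" and "/../" sequences before sending the request, following the dot-segment removal of RFC 3986 section 5.2.4, so the server never sees them. The helper names remove_dot_segments and pop_segment are hypothetical, and the sketch handles literal "." and ".." segments only.

```shell
#!/bin/sh
# Added example: RFC 3986 section 5.2.4 dot-segment removal, literal dots only.

# Drop the last segment (and its preceding "/") from the output buffer.
pop_segment() {
    case $1 in
        */*) printf '%s' "${1%/*}" ;;
        *)   printf '' ;;
    esac
}

# remove_dot_segments PATH: print the path a normalizing client would request.
# Runs in a subshell so its variables do not leak into the caller.
remove_dot_segments() (
    inbuf=$1
    out=
    while [ -n "$inbuf" ]; do
        case $inbuf in
            ../*)  inbuf=${inbuf#../} ;;                              # rule A
            ./*)   inbuf=${inbuf#./} ;;                               # rule A
            /./*)  inbuf=/${inbuf#/./} ;;                             # rule B
            /.)    inbuf=/ ;;                                         # rule B
            /../*) inbuf=/${inbuf#/../}; out=$(pop_segment "$out") ;; # rule C
            /..)   inbuf=/;              out=$(pop_segment "$out") ;; # rule C
            .|..)  inbuf= ;;                                          # rule D
            *)                                                        # rule E
                # Move the first segment (with its leading "/") to the output.
                rest=${inbuf#/}
                if [ "$rest" != "$inbuf" ]; then lead=/; else lead=; fi
                seg=${rest%%/*}
                out=$out$lead$seg
                inbuf=${rest#"$seg"}
                ;;
        esac
    done
    printf '%s\n' "$out"
)

# Paths from step 7 and from hard mode, as they appear in the walkthrough.
for p in /../../etc/hacks /../../etc/button; do
    printf 'typed:         %s\n' "$p"
    printf 'default curl:  %s\n' "$(remove_dot_segments "$p")"
    printf '%s\n\n' "--path-as-is:  $p"
done
```

The same difference shows up in the request line that `curl -v` prints, with and without --path-as-is.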