PicoCTF - Who are you?
The website lands us on an interesting page:
This challenge focuses on HTTP headers, so it helps to have a list of HTTP header fields open. Since the page mentions PicoBrowser, we can set that as the value of the User-Agent HTTP header:
The User-Agent header is an HTTP header intended to identify the user agent responsible for making a given HTTP request.
Now the message directs us to the request’s origin, so let’s add the Referer HTTP header and set its value to the same origin as the Host header:
In HTTP, “Referer” (a misspelling of Referrer) is an optional HTTP header field that identifies the address of the web page (i.e., the URI or IRI), from which the resource has been requested. By checking the referrer, the server providing the new web page can see where the request originated.
Based on the message, we can now add the Date HTTP header:
The Date general HTTP header contains the date and time at which the message originated.
Next, let’s add the DNT (Do-Not-Track) HTTP header:
Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites.
Now, we have to find a relevant header that identifies the origin of the IP address, that is, X-Forwarded-For, combined with a Swedish IP address:
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Let’s also add the Accept-Language HTTP header:
The Accept-Language request HTTP header indicates the natural language and locale that the client prefers.
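
Every header set above, X-Forwarded-For included, is chosen by the client, which is why the challenge server can be told anything. As an added example (not part of the original writeup), this is one way a server can derive the client address from X-Forwarded-For only through proxies it trusts; the trusted network and all addresses are constructed assumptions.

```python
import ipaddress

# Assumption: the only hops allowed to set X-Forwarded-For are reverse
# proxies in this (constructed) private network.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(addr):
    """True if addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to treat as the client.

    peer: TCP peer address of the connection (not settable by a header).
    xff_header: raw X-Forwarded-For value, or None.
    """
    peer_addr = ipaddress.ip_address(peer)
    # Direct connection from an untrusted peer: ignore the header entirely.
    if not is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    # Walk right to left: each trusted proxy appended the address it saw.
    # The first untrusted entry from the right is the real client; anything
    # further left was supplied by that client and cannot be verified.
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop and keep the last verified hop.
            break
        if not is_trusted(addr):
            return str(addr)
        peer_addr = addr
    return str(peer_addr)
```

Access decisions based on geography or network location should use the value this function returns, never the leftmost X-Forwarded-For entry.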