deadface 2025 web/headers game
My solution for deadface web/headers game challenge
Challenge overview
The challenge presents a web server that validates incoming requests through a series of HTTP header checks. Only the “perfect packet” with all correct headers will reveal the flag.
Steps to solve
Starting with a basic GET request to env02.deadface.io:8001, we receive an immediate rejection:
The server responds with 405 METHOD NOT ALLOWED, suggesting we need a different HTTP method.
An OPTIONS request reveals the allowed methods: GET, POST, PUT, DELETE, OPTIONS, LOGIN, TRACE, CONNECT.
Interesting! LOGIN is a custom HTTP method that no HTTP specification defines. Let’s try it!
And it worked, so let’s move on. The server wants us to identify as “Smith”. Adding User-Agent: Smith:
Progress! On to the next check. The message is pretty straightforward, we need to set our location. Adding Location: Germany:
This one took some trial and error. I initially tried headers like Date, If-Modified-Since, and other time-related headers. After some fuzzing, I discovered the Age header was the key:
Note: The Age header typically indicates how long a response has been in a cache.
This one also required some persistence. Simple values like localhost or 127.0.0.1 didn’t work. After fuzzing different localhost variations, I found that http://127.1 did the trick:
Tip: Remember that 127.1 is a shorthand notation that resolves to 127.0.0.1.
Now we’re dealing with security headers! This one is straightforward if you’re already familiar with them.
Note: This header is deprecated in modern browsers.
“You are being tracked” hints at the Do Not Track header:
Another security header! This one prevents clickjacking attacks:
“Old-school caching” is the key phrase here. Before modern cache-control mechanisms, Pragma was used. I tried a few caching-related headers before finding the right one:
Content-type sniffing protection:
The final boss! The message hints at needing to “override” something. The X-HTTP-Method-Override header allows clients to override the HTTP method:
Setting X-HTTP-Method-Override: GET finally gives us the flag!
Flag
Flag value:
deadface{itsAllInMyHead|ers}
First Blood!!
The Perfect Packet
Here’s the complete request that solves the challenge:
LOGIN / HTTP/1.1
Host: env02.deadface.io:8001
User-Agent: Smith
Location: Germany
Age: 30
Origin: http://127.1
X-XSS-Protection: 0
DNT: null
X-Frame-Options: deny
Pragma: no-cache
X-Content-Type-Options: nosniff
X-HTTP-Method-Override: GET
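To see the whole gauntlet in one place, here is an added example (not code from the challenge or its author) that serialises the request above as raw bytes, since most HTTP client libraries refuse a non-standard method like LOGIN, and runs it through a mock of the server's check chain. The mock's ordering of checks follows the writeup; the server's real implementation and its status codes for the intermediate rejections are not on the page and are assumed here.

```python
from typing import Dict, List, Tuple

HOST = "env02.deadface.io:8001"
FLAG = "deadface{itsAllInMyHead|ers}"
ALLOW = "GET, POST, PUT, DELETE, OPTIONS, LOGIN, TRACE, CONNECT"

# (header, expected value) in the order the writeup hits them. Header names
# are compared case-insensitively, values exactly.
CHECKS: List[Tuple[str, str]] = [
    ("User-Agent", "Smith"),
    ("Location", "Germany"),
    ("Age", "30"),
    ("Origin", "http://127.1"),
    ("X-XSS-Protection", "0"),
    ("DNT", "null"),
    ("X-Frame-Options", "deny"),
    ("Pragma", "no-cache"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-HTTP-Method-Override", "GET"),
]
PERFECT: Dict[str, str] = dict(CHECKS)


def build_request(method: str, path: str, headers: Dict[str, str]) -> bytes:
    """Serialise a raw HTTP/1.1 request (Host is always sent first)."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {HOST}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw request into (method, {lower-cased header: value})."""
    head, _, _ = raw.decode("ascii").partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ")[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")  # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return method, headers


def gauntlet(raw: bytes) -> Tuple[int, str]:
    """Mock server: (status, body) of the first failing check, or the flag.
    Only the 405 for a plain GET is documented; 403 for a bad header is assumed."""
    method, headers = parse_request(raw)
    if method == "OPTIONS":
        return 200, f"Allow: {ALLOW}"
    if method != "LOGIN":
        return 405, "METHOD NOT ALLOWED"
    for name, expected in CHECKS:
        if headers.get(name.lower()) != expected:
            return 403, f"missing or wrong {name}"
    return 200, FLAG
```

Running `gauntlet(build_request("LOGIN", "/", PERFECT))` returns the flag, while dropping any single entry from `PERFECT` names the check that fails.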
Key Learnings
Pretty guessy chall, but sometimes it’s fun :D