Objective | 目标

This challenge demonstrates how to interact with a CRUD API to perform Update, Delete, and Search operations to retrieve the flag.

本次挑战旨在演示如何与 CRUD API 交互，通过执行 更新、删除 和 搜索 操作来获取 Flag。

---

Steps | 操作步骤

Step 1: Retrieve the Current List of Cities | 获取现有城市列表

1. Use the GET method to retrieve all entries in the database: 使用 GET 方法检索数据库中的所有条目：

   curl -s http://94.237.54.42:48263/api.php/city/ | jq
   

2. Output Example | 输出示例:

   [{"city_name": "London","country_name": "(UK)"},{"city_name": "Birmingham","country_name": "(UK)"},...{"city_name": "Memphis","country_name": "(US)"},{"city_name": "Baltimore","country_name": "(US)"}
   ]
   

   Analysis | 分析:
   From this list, we can select any city for the Update and Delete operations. Here, we choose Memphis to update and Baltimore to delete.

---

Step 2: Update a City’s Name to ‘flag’ | 更新城市名称为 ‘flag’

1. Use the PUT method to update the city Memphis to flag: 使用 PUT 方法将城市 Memphis 更新为 flag：

   curl -X PUT http://94.237.54.42:48263/api.php/city/Memphis -d '{"city_name":"flag", "country_name":"HTB"}' -H 'Content-Type: application/json'
   

2. Explanation | 说明:

   • -X PUT: Specifies the HTTP method as PUT.
     指定 HTTP 方法为 PUT。
   • -d '{"city_name":"flag", "country_name":"HTB"}': Sends the updated city name and country in JSON format.
     以 JSON 格式发送更新后的城市名称和国家。
   • -H 'Content-Type: application/json': Sets the content type to JSON.
     设置内容类型为 JSON。

---

Step 3: Delete Another City | 删除其他城市

1. Use the DELETE method to delete the city Baltimore:
   使用 DELETE 方法删除城市 Baltimore：

   curl -X DELETE http://94.237.54.42:48263/api.php/city/Baltimore
   

   Explanation | 说明:

   • -X DELETE: Specifies the HTTP method as DELETE.
     指定 HTTP 方法为 DELETE。

---

Step 4: Search for the City Named ‘flag’ | 搜索名称为 ‘flag’ 的城市

1. Use the GET method to search for the city flag:
   使用 GET 方法搜索城市 flag：

   curl -s http://94.237.54.42:48263/api.php/city/flag | jq
   

2. Output Example | 输出示例:

   [{"city_name": "flag","country_name": "HTB{crud_4p!_m4n!pul4t0r}"}
   ]
   

   Result | 结果:

   The flag is found in the country_name field:
   Flag 位于 country_name 字段中：HTB{crud_4p!_m4n!pul4t0r}。

---

Summary | 总结

Key Steps Recap | 关键步骤回顾

1. Retrieve Cities: Listed all available cities using a GET request.

   获取城市：使用 GET 请求列出所有可用城市。

2. Update City Name: Updated Memphis to flag using a PUT request.

   更新城市名称：使用 PUT 请求将 Memphis 更新为 flag。

3. Delete Another City: Deleted Baltimore using a DELETE request.

   删除其他城市：使用 DELETE 请求删除 Baltimore。

4. Search for Flag: Retrieved the flag by searching for the city flag.

   搜索 Flag：通过搜索城市 flag 找到 Flag。

---

Flag | Flag

HTB{crud_4p!_m4n!pul4t0r}

---

Purpose of the Test | 测试目的

1. Understand CRUD Operations | 理解 CRUD 操作:

   • Practice creating, reading, updating, and deleting database entries through an API.

     练习通过 API 创建、读取、更新和删除数据库条目。

2. Direct API Interaction | 直接与 API 交互:

   • Gain hands-on experience interacting with APIs to manipulate backend data.

     通过直接操作 API 熟悉后端数据的操控。

3. Simulate Real-World Scenarios | 模拟真实场景:

   • Understand how unauthorized access to APIs can lead to unintended data modifications.

     理解未授权访问 API 如何导致数据被篡改。

---

Best Practices | 最佳实践

1. Restrict API Access | 限制 API 访问:

   • Ensure proper authentication and role-based access control for all API operations.

     确保所有 API 操作都进行适当的身份验证和基于角色的访问控制。

2. Validate Input | 验证输入:

   • Sanitize all user inputs to prevent malicious data injections.

     清理所有用户输入以防止恶意数据注入。

3. Log API Activities | 记录 API 活动:

   • Maintain logs of all API requests and responses to detect misuse.

     记录所有 API 请求和响应以检测滥用行为。