CBL 2: String Handling in COBOL (50 pts)

HTTP GET Login

In a Web browser, open this URL:

http://ad.samsclass.info/COBOL/login1.php

A login page appears, as shown below.

Try logging in with a username of foo and a password of bar

The credentials are rejected, as shown below.

In your Web browser, log in with a username of dumbo and a password of dumbo

The credentials are accepted, but you don't get a flag, as shown below.

Flag CBL 2.1: Dumbo's Flag (10 pts)

Create a COBOL program to send a GET request for Dumbo's login with a User-Agent of COBOL as shown below.

The flag is covered by a green rectangle in the image below.

Flag CBL 2.2: Mickey's Flag (10 pts)

The user named mickey has a password that is a single digit, from 0 through 9.

Create a COBOL program to send ten GET requests to brute-force mickey's login as shown below.

The flag is covered by a green rectangle in the images below.

Hint: to change part of a string, see this MOVE explanation.
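
The hint above refers to reference modification, where MOVE overwrites part of a string in place. The program below is an added example, not part of the original lab: it finds a placeholder in a constructed template (an assumption, not the lab's real query string), substitutes each digit and letter in turn, and only displays the results; the program name and all WS- names are assumptions.

```cobol
IDENTIFICATION DIVISION.
PROGRAM-ID. SUBST.

DATA DIVISION.
WORKING-STORAGE SECTION.
*> Constructed template (assumption), not the lab's real query string.
01 WS-TEMPLATE PIC X(20) VALUE "user=demo&pin=?".
01 WS-DIGITS   PIC X(10) VALUE "0123456789".
01 WS-LETTERS  PIC X(26) VALUE "ABCDEFGHIJKLMNOPQRSTUVWXYZ".
01 WS-SLOT     PIC 99 VALUE 0.
01 WS-IDX      PIC 99.
01 WS-OUT      PIC X(40).

PROCEDURE DIVISION.
MAIN-PARA.
    *> Find the placeholder: count the characters before the first "?".
    INSPECT WS-TEMPLATE TALLYING WS-SLOT
        FOR CHARACTERS BEFORE INITIAL "?"
    ADD 1 TO WS-SLOT
    *> With no "?" the count runs off the end of the field; stop.
    IF WS-SLOT > FUNCTION LENGTH(WS-TEMPLATE)
        DISPLAY "No placeholder in template"
        STOP RUN
    END-IF
    *> Reference modification (start:length) overwrites one character.
    PERFORM VARYING WS-IDX FROM 1 BY 1 UNTIL WS-IDX > 10
        MOVE WS-DIGITS(WS-IDX:1) TO WS-TEMPLATE(WS-SLOT:1)
        PERFORM SHOW-LINE
    END-PERFORM
    PERFORM VARYING WS-IDX FROM 1 BY 1 UNTIL WS-IDX > 26
        MOVE WS-LETTERS(WS-IDX:1) TO WS-TEMPLATE(WS-SLOT:1)
        PERFORM SHOW-LINE
    END-PERFORM
    STOP RUN.

SHOW-LINE.
    *> WS-TEMPLATE is space-padded to 20 characters. DELIMITED BY SPACE
    *> copies up to the first space, so the padding is left out.
    MOVE SPACES TO WS-OUT
    STRING "[" DELIMITED BY SIZE
           WS-TEMPLATE DELIMITED BY SPACE
           "]" DELIMITED BY SIZE
        INTO WS-OUT
    END-STRING
    DISPLAY FUNCTION TRIM(WS-OUT).
```

Compile it with the same cobc -free -x options used elsewhere on this page.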

Flag CBL 2.3: Pluto's Flag (10 pts)

The user named pluto has a password that is a single letter, from A through Z.

Create a COBOL program to send GET requests to brute-force pluto's login as shown below.

The flag is covered by a green rectangle in the images below.

Accepting Input

Create a file named echo.cbl with this code:
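       IDENTIFICATION DIVISION.
       PROGRAM-ID. ECHO.

       DATA DIVISION.
           WORKING-STORAGE SECTION.
      *> NAME holds up to 20 alphabetic characters; longer input is truncated.
            01 NAME PIC A(20).

       PROCEDURE DIVISION.
           A-PARA.
              DISPLAY 'ENTER YOUR NAME: '.
      *> ACCEPT reads one line from standard input.
              ACCEPT NAME.
              DISPLAY "Hello, " NAME.
              STOP RUN.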
Execute these commands to compile the code and run it:
cobc -free -x -o echo echo.cbl
./echo
Enter a name when you are prompted to. The program repeats your name back, as shown below.

Printing "Waldo"

Create a file named waldo.cbl with this code:
       IDENTIFICATION DIVISION.
       PROGRAM-ID. WALDO.

       PROCEDURE DIVISION.
           A-PARA.
              DISPLAY 'Waldo'.
              STOP RUN.
Compile the code and run it. It prints Waldo, as shown below.

Chaining Programs

Execute this command to run the "waldo" program and feed its output into the "echo" program:
./waldo | ./echo
The output is "Hello, Waldo", as shown below.

Marco Polo

In a Web browser, go to

http://ad.samsclass.info/COBOL/marco.php

A challenge page appears, as shown below.

Enter a response of POLO as shown above.

The response is accepted, but you don't get a flag, as shown below.

Flag CBL 2.4: Marco's Flag (10 pts)

Create a COBOL program to send the response to the marco.php form with a User-Agent of COBOL.

The flag is covered by a green rectangle in the image below.

Challenge-Response in 30 Seconds

In a Web browser, go to

http://ad.samsclass.info/COBOL/chal1.php

A challenge page appears, with a random challenge string, as shown below.

Enter the challenge string into the "You say" field, as shown above, and submit it.

The response is accepted, but you don't get a flag, as shown below.

Flag CBL 2.5: 30-Second Challenge (10 pts)

Create a COBOL program to send the correct response with a User-Agent of COBOL.

The flag is covered by a green rectangle in the image below.

Posted 4-7-2020 by Sam Bowne
Minor updates 6-24-22