Self Notes: Web Security Academy HTTP Request Smuggling Lab 6

-
Link to Lab 6

This Lab shows a bit of promise of fun. The task is to exploit a CL-TE request smuggling vulnerability to bypass the Front-end Server Access control to the admin panel, the front end server doesn't support chunked encoding. Access to login endpoint:


As seen above the login endpoint is accessible without any restriction. But an attempt to admin endpoint:


well, it seems we can't access the admin panel, maybe not. Interestingly we have this endpoint to our rescue:


we have already been informed that the server pair is vulnerable to CL-TE request smuggling, let's craft the exploit:


 the above request poison the Back-end server such that the next request will be routed to "/admin". Let's request the "/login" endpoint:


The Back-end server responded with 401 Not authorized, I guess not so fast, let render the full response:


I believe the Back-end server is very clear about what it expects from us, it expects that we either login as Administrator to access the Back-end admin interface or access from the internal network. To be honest, this took me a while to figure, at first, my assumption was that the Front-end server appends an HTTP Header to our request to indicate whether the request was coming from the internal network or the internet, as such I spent hours trying to figure out a way to get the output of the request sent to the Back-end server from the Front-end server in hope of finding the Headers added to our request. Well, to my disappointment nothing was appended to my request before it is sent to the Back-end server, it wasn't all a lost cause though, I discovered something along the way which is another topic for another post. After a few tests, I discovered that the Back-end server only checks if the Host is localhost to confirm you are coming from the internal network, while the Front-end server checks if your host Header matches a valid session before forwarding the request. So this request will get your past the Front-end Server:


The 'GET' request is smuggled past the Front-end server when this request is sent. Response from the server when the request is sent:


The Back-end server doesn't complain of the smuggled request, let's see what happens when a normal request is sent to the server:


We send a normal request to the login endpoint (it could be any endpoint it doesn't matter). Server's response:


It seems we have successfully smuggled our request past the Front-end Server. Now to complete the Lab, deleting the user Carlos:


Making a normal request after sending the above request:


Lab 6 Solved. This lab was really fun.

Comments

Post a Comment

Popular posts from this blog

Before You Dive In...

-
I have always wanted to write, partly to improve my writing skills but also to document my research in reverse code engineering, software exploitation and computer programming in general, my current goal is to have at least a post a week, but since am just starting out I do not know how feasible that will be considering school and my need for quality over quantity. In the coming weeks, I will post on varying topics from software reverse engineering to exploitation and basically anything that interest me. My primary aim is just to cement my knowledge in my fields of interest by giving back to the community as I learn and hopefully along the way help someone trying to learn. A quick disclaimer though is that I am no professional at either writing or the subject on which I will be writing (at least for now),  am just trying to navigate through the vast ocean of knowledge hoping to pick one or two things along the way, so corrections, constructive criticism, and even unconstructive ones
Read more

OverTheWire: Bandit Lab

-
Image
Bismillahirrahmanirrahim (In the name of Allah the most gracious, the most merciful) So recently I and @electro decided to solve wargames and CTFs in the spirit of honing the skills and because we are preparing for something really important (another post for another day). We decided to start with the labs at overthewire  and the first on the list was Bandit Lab. Bandit Lab was a fun experience, mostly easy, except for one or two tricky levels, level 26 and level 33 in particular. This Labs weren't so difficult but required a bit of thinking outside the box, hence why am documenting them. NB : this writeup doesn't include our thought process while solving the levels Level 26 Level Description When we attempt to login to this level using the private key obtained from the previous level we get automatically logged out and since the level goal already informed us that we are dealing with a different shell, we need to figure out what it is and how to break out of it. Above is the
Read more

SSRF Notes: PortSwigger Labs Continued

-
Image
  Lab 3: SSRF with blacklist-based input filter Task :  This lab has a stock check feature which fetches data from an internal system.  To solve the lab, change the stock check URL to access the admin interface at http://localhost/admin and delete the user carlos.  The developer has deployed two weak anti-SSRF defenses that you will need to bypass. This Lab is just like the previous ones except that we need to bypass blacklist filters. This is what a normal request to the stock check feature looks like: Passing http://localhost/admin to the stockApi parameter does not work this time. we get this response: That's the filter blocking us. It turned out 127.0.0.1, localhost, admin are all blacklisted so cannot be used. So after trying a couple things the following was able to bypass the filter: We get the following response: So to complete the Lab we just proceed to delete carlos. And that's it Lab solved.
Read more