HTTP Attacks - TE.CL

I think I found the Transfer-Encoding header I need to use to bypass the firewall. However, my payload does not act how the example is provided in the lesson.

When I send the grouped payload, one of my requests shows both of the responses and the other one is empty (it sounds weird, but I’ve never used group connections before).

Anyway, I’m still getting a 401 error, but I am getting 3 requests sent as the lab shows we should… however, the payload is not working.

Update:

This statement from the lab claims, ‘The WAF uses the TE header to determine the first request’s body length. The first chunk contains 0x27 = 39 bytes.’ and this one from ‘Request Smuggling Tools & Prevention’ (which should be in this current module), ‘Since chunked encoding specifies the size of each chunk in hexadecimal format, we need to convert the length for each chunk from decimal to hexadecimal.’ should help solve the lab.

When I try to identify the vulnerability, the first request (of the tab group) returns “HTTP/1.1 200 OK”, and the second one does also (instead of returning “HTTP/1.1 400 Bad Request”).

First request (with “Update Content-Length” unchecked):

POST / HTTP/1.1
Host: tecl.htb
Content-Length: 3
Transfer-Encoding: chunked

5
HELLO
0


Second request:

GET / HTTP/1.1
Host: tecl.htb


Does anybody have the same problem?

Of course, the exploitation then doesn’t work either.

Any ideas?
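Added example, not part of the posts above or of the lab material: a small Python check that parses the first request from this thread once by Transfer-Encoding and once by Content-Length, showing which bytes each interpretation leaves on the connection. The function names are hypothetical, CRLF line endings are assumed, and chunk trailers are not handled.

```python
# Added example: how a TE parser and a CL parser split the same request bytes.

def split_headers(raw: bytes):
    """Return (lower-cased header dict, bytes after the blank line)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, rest

def body_by_content_length(headers, rest):
    """Body as seen by a parser that trusts Content-Length."""
    n = int(headers[b"content-length"])
    return rest[:n], rest[n:]

def body_by_chunked(rest):
    """Body as seen by a parser that trusts Transfer-Encoding: chunked."""
    body, pos = b"", 0
    while True:
        eol = rest.index(b"\r\n", pos)
        size = int(rest[pos:eol].split(b";")[0], 16)   # chunk size is hexadecimal
        pos = eol + 2
        if size == 0:
            return body, rest[pos + 2:]                # skip final CRLF (no trailers assumed)
        body += rest[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF

def desync_report(raw: bytes):
    """Flag CL+TE ambiguity and show the leftover bytes under each parse."""
    headers, rest = split_headers(raw)
    te = headers.get(b"transfer-encoding", b"").lower()
    ambiguous = b"content-length" in headers and b"chunked" in te
    te_body, te_left = body_by_chunked(rest)
    cl_body, cl_left = body_by_content_length(headers, rest)
    return {"ambiguous": ambiguous, "te_body": te_body, "te_leftover": te_left,
            "cl_body": cl_body, "cl_leftover": cl_left}

# The first request from the thread, rebuilt with explicit CRLFs.
FIRST_REQUEST = (b"POST / HTTP/1.1\r\nHost: tecl.htb\r\nContent-Length: 3\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n5\r\nHELLO\r\n0\r\n\r\n")

if __name__ == "__main__":
    for key, value in desync_report(FIRST_REQUEST).items():
        print(f"{key:12} {value!r}")
```

A non-empty `cl_leftover` is what a Content-Length back end would treat as the start of the next request; a front end that rejects or normalizes requests flagged `ambiguous` removes that disagreement.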