Official 0xBOverchunked Discussion

Official discussion thread for 0xBOverchunked. Please do not post any spoilers or big hints.

Hint please


My biggest hint would be: don’t overthink it.

I made a huge assumption, based on the title, that turned out to be completely wrong. The code should show you one very specific point of vulnerability: just target that.


Sure, because I am all thinking about HTTP smuggling request, which I don’t know if it makes sense.

Yep, that’s exactly what I thought; it’s not as complicated as that.


Still did not get it.

What’s your thinking? Without giving too much away, what have you found?

I got it, thanks … or still, should I say something… like I couldn’t do it manually, and also I used the title of the challenge in fast injection :grinning: that’s a hint to others.


Got ’em, no thanks to the sneaky title. As stated before, the code of the challenge clearly points to a vulnerable endpoint.

I have successfully found the vulnerability and sent a forged request, but still can’t get the post with the flag. Am I going too far?

Got the flag; it was very slow though, as HTTP requests took multiple seconds and I had to use threading. Any idea why this happens?

Read the code provided in the zip file carefully :thinking:

You’re not setting the size correctly. Remember it needs to be in hex.


Any further hints for this? I’m fairly sure I’ve found the vuln part of the code and am able to receive the response from there, having set a hex size, but am not able to get the response with the flag.

Feel free to DM me if you need some hints.

Took me some head scratching, but it’s not as complicated as one thinks in the beginning.

Hi all!

I’ve managed to write a solver with Python, but the requests library takes a lot of time while curl does the same requests instantly. Am I missing any flag when calling the function? I don’t know what else I could test :frowning:

I already answered that question above.

Do you mind if you hit me up in PMs? I’m 99.99% sure I’ve got the correct flag, however it doesn’t get accepted.

Same here, I got:
Incorrect flag