“Speedy” is an interesting challenge hosted on http://game.rop.sh. It’s a bit unusual because it has nothing to do with the usual, traditional hacking techniques… but let’s go on.

This is the main screen of the web site:

screenshot-from-2017-01-07-19-02-49

You are asked to insert some data (HTTP header manipulation?). Let’s start Burp and intercept the requests and responses.

screenshot-from-2017-01-07-18-41-28

And the response:

screenshot-from-2017-01-07-18-41-42

Oh! We got a hint: secret.php. So let’s request this page:

screenshot-from-2017-01-07-18-42-08

Hmm.. so we have to make 2 consecutive requests within 1 ms. That would be hard to do manually, so let’s try it from the command line with nc.

A simple text file speedy.req containing two pipelined requests (HTTP/1.1 needs the leading slash in the request target and a Host header, and each request ends with a blank line):

GET /index.php HTTP/1.1
Host: lxc.rop.sh:8005

GET /secret.php HTTP/1.1
Host: lxc.rop.sh:8005

cat speedy.req | nc -vv lxc.rop.sh 8005

screenshot-from-2017-01-07-19-10-23

We did it in 0.6 ms! But we’re not done yet.. another hint: h2c?

h2c is HTTP/2 carried over cleartext TCP (without TLS). HTTP/2 should dramatically increase the speed of web sites by introducing mechanisms such as multiplexing and server push.

Here you can find a nice document about the protocol (https://daniel.haxx.se/http2/http2-v1.10.pdf)

So we have to use HTTP/2 (Chrome, Firefox, etc. are compatible). But for our purpose it would be better to use a “raw” client; curl supports HTTP/2, but I decided to use nghttp (https://nghttp2.org/).

Again, I requested the 2 pages, this time with nghttp:

nghttp -vv http://lxc.rop.sh:8005/index.php \
http://lxc.rop.sh:8005/secret.php  > out.txt

And this was the interesting part of the output:

screenshot-from-2017-01-07-20-26-10

So we have to use another HTTP/2 feature: server push.

But what is HTTP/2 push?

From wikipedia:

HTTP/2 Push allows a web server to send resources to a web browser before the browser gets to request them. It is, for the most part, a performance technique that can help some websites load faster.

HTTP/2 Push is not a mechanism for the server to notify things to the browser. Instead, pushed contents are used by the browser when it may have otherwise produced a request to get the resource anyway. But if the browser does not request the resource, the pushed contents become wasted bandwidth.

The idea was to push secret.php along with index.php, but how can I instruct the HTTP/2 server to push resources?

Here comes the header manipulation: using the “Link” header, I can tell the HTTP/2 server to push a page together with the requested resource. After some testing and debugging I found the solution:

nghttp -vv -H "Content-Type: application/x-www-form-urlencoded" -d \
post.txt 'http://lxc.rop.sh:8005/index.php'

and this was the content of post.txt:

hdrname=Link&hdrval=/secret.php;rel=preload

Resulting response header from the server:
Link: /secret.php;rel=preload

This means that the server, seeing the preload hint for secret.php, sends that page along with the requested resource index.php on the same connection, without waiting for the client to ask for it.
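As an added illustration (not the challenge’s own code), this is how a push-capable HTTP/2 front end such as nghttpx or Apache mod_http2 turns a Link: rel=preload header into the list of same-origin paths it will announce with PUSH_PROMISE, together with a constructed model of the hdrname/hdrval reflection that index.php performs. The nopush opt-out and the cross-origin filter are assumptions taken from RFC 8288 and the preload spec, not observed behaviour of the challenge server.

```python
from urllib.parse import urlsplit, unquote_plus


def push_candidates(link_header, request_authority):
    """Return same-origin paths a server may push for a Link header value.

    Accepts the RFC 8288 form "</a.css>; rel=preload" and the bare form
    "/secret.php;rel=preload" that the challenge server reflected.
    """
    pushes = []
    for member in link_header.split(","):
        member = member.strip()
        if not member:
            continue
        target, _, rest = member.partition(";")
        target = target.strip().strip("<>")
        params = {}
        for p in rest.split(";"):
            k, _, v = p.strip().partition("=")
            if k:
                params[k.lower()] = v.strip().strip('"').lower()
        # Only rel=preload links are push hints; "nopush" opts a link out
        # (assumed from the preload spec, not from the challenge).
        if "preload" not in params.get("rel", "").split():
            continue
        if "nopush" in params:
            continue
        # A server must only push resources it is authoritative for.
        parts = urlsplit(target)
        if parts.scheme or parts.netloc:
            if parts.netloc != request_authority:
                continue
            target = parts.path or "/"
        if not target.startswith("/"):
            continue
        pushes.append(target)
    return pushes


def apply_header_form(form_body, authority="lxc.rop.sh:8005"):
    """Constructed model of index.php: reflect one hdrname/hdrval pair.

    Returns the response header it would add and what the front end pushes.
    """
    fields = {}
    for pair in form_body.split("&"):  # manual split: '&' only, ';' is data
        k, _, v = pair.partition("=")
        fields[unquote_plus(k)] = unquote_plus(v)
    if fields.get("hdrname", "").lower() != "link":
        return {}, []
    link = fields.get("hdrval", "")
    return {"Link": link}, push_candidates(link, authority)
```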

And finally, after a few attempts because of the 1 ms constraint, the output with the flag!

screenshot-from-2017-01-07-20-41-34

That’s all 🙂

Feel free to contact me : decoder[dot]ap[at]gmail[dot]com
