“Speedy” is an interesting challenge hosted on http://game.rop.sh. It’s somehow strange because it has nothing to do with the normal and traditional hacking techniques… but let’s go on.
This is the main screen of the web site:
You are asked to insert some data (HTTP header manipulation?). Let’s start Burp and intercept the requests/responses.
And the response:
Oh! we got an hint: secret.php. So let’s call this page:
Hmm.. so we have to make 2 subsequent requests with 1 ms..it would be hard manually, so let’s try to do it from command line, with nc.
A simple text file speed.req:
GET index.php HTTP/1.1 GET secret.php HTTP/1.1 cat speedy.req | nc -vv lcx.op.sh 8005
We did in 0.6 ms! But it’s not done.. another hint: h2c ?
H2C is the HTTP2 protocol which should dramatically increase the speed of the web sites introducing mechanisms such as multiplexing and push techniques.
Here you can find a nice document about the protocol (https://daniel.haxx.se/http2/http2-v1.10.pdf)
So we have to use HTTP2 (chrome, firefox, etc.. are compatible). But for our purpose, it would be better to use a “raw” client (curl is compatible with http2) but I decided to use nghttp (https://nghttp2.org/)
Again, i recalled the 2 pages with nghttp:
nghttp -vv http://lxc.rop.sh:8005/index.php \ http://lxc.rop.sh:8005/secret.php > out.txt
And this was the interesting part of the output:
So we have to use another HTTP2 method: PUSH
But, what is HTTp2 push?
HTTP/2 Push is not a mechanism for the server to notify things to the browser. Instead, pushed contents are used by the browser when it may have otherwise produced a request to get the resource anyway. But if the browser does not request the resource, the pushed contents become wasted bandwidth.
The idea was to push secret.php along with index.php , but how can I instruct the HTTP2 server to push reosurces?
Here comes the header manipulation, using the header “Link” I can inform the HTTp2 server to push the page with the requested resource. After some testing and debugging I found the solution:
nghttp -vv -H "Content-Type: application/x-www-form-urlencoded" -d \ post.txt 'http://lxc.rop.sh:8005/index.php'
and this was the content of post.txt:
hdrname=Link&hdrval=/secret.php;rel=preload Server Header output: Link: /secret.php;rel=preload
This means that the page secret.php should be preloaded by the client and would be sent along with the requested resource index.php by the server.
And finally, after some tries because of the 1ms delay, finally the output with the flag!
Feel free to contact me : decoder[dot]ap[at]gmail[dot]com