Writeup was a box listed as “easy” on Hackthebox.eu. While it was technically easy, its use of fail2ban had the potential to slow down one’s progress toward user, and getting the root flag required careful enumeration under particular circumstances.
Recently I got interested in HTTP2. It’s a new protocol that’s going to change a lot in the way people work with web app pentesting. Among other changes, it’s binary, it allows servers to push data to clients, and it’s multiplexed (non-blocking). It’s supposed to be faster and more efficient than good old HTTP1.1. Apache and Nginx both support it, as does curl (the HTTP2 maintainers keep a list of known implementations here).
There also aren’t a lot of tools available for doing security testing of it.
Burp Suite doesn’t support it yet and hasn’t said when it will, although ZAP is working on it.
Yahoo’s pentesting group developed a very nice semi-intelligent fuzzer for HTTP2, described here, but they stopped development on it and left it without its replay mode.
I just released a new version on GitHub which supports replay mode when running as a client. The original version is available here.
Aside – Paul’s Security Weekly did an episode on HTTP2 back in January (video | show notes).