Lab: CORS vulnerability with internal network pivot attack - step 1 not working
While attempting to follow the instructions for step 1 it does not appear that after "store" the exploit and then "deliver exploit to victim" that the victim is actually visiting the exploit link. There is nothing in the access log to indicate that the exploit server has been visited by the victim.
I even went as far as just delivering the "Hello World!" to the victim, and nothing appears in the logs. Unless your code only triggers the victim on certain conditions? However, I would have thought the solution would work.
I have just taken a look at this lab and was able to complete Step 1, with the corresponding GET request being shown in the access logs, so it is working correctly. What code are you entering into the exploit server for this step?
Found the reason why the initial script wasn't working. Corrected that and proceeded to solve remaining steps.
HINT: Go back through other labs to find a solution.
Glad to hear that you were able to successfully solve this lab.