HackTheBox - Ouija
Published 2024-05-18
01:00 - Start of nmap
03:15 - Fuzzing the API on port 3000 with ffuf
09:00 - Discovering the Gitea domain and seeing a repo which discloses HAProxy 2.2.16 is in use
11:50 - Exploring CVE-2021-40346, an integer overflow in HAProxy which enables HTTP request smuggling
18:00 - Putting a 3rd request in to make the HTTP smuggle reliable and grabbing the source code of app.js
28:45 - Taking a look at the app.js source code and discovering a Hash Length Extension attack
38:14 - Performing the Hash Length Extension attack and then using ffuf to find the length of the secret
45:00 - Have another File Disclosure, chaining it with the /proc symlink to read an SSH key to get shell on the box
52:45 - Discovering port 9999
58:00 - Opening the PHP Library up in Ghidra and discovering an integer overflow
1:04:00 - Creating a C Program to explain the integer overflow
1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves
1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so
1:21:00 - Creating a pattern so we can see where we write data to
1:24:22 - Creating a python script to build our payload
1:35:50 - Running into an issue: discovering the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate the fopen path (linebreak)
1:46:45 - Burp Suite wasn't URL-encoding the linebreak; doing it ourselves and then getting a shell
All Comments (21)
-
Whenever I hate myself, I watch ippsec's insane box walkthroughs, so I can feel even more stupid
-
Idk how people think of these, I can barely do a medium box, let alone an insane one. You're insane ippsec, much love from South Africa
-
Even if you can't do the box, it's good to take in all the knowledge.
-
Insane… ❤ I cannot even imagine how much you have studied to reach this level
-
Awesome box. I wish we could debug the HTTP smuggling part so we could figure out why it was acting the way it acted when you added a third header. Also, I used xclip -o > file.txt to paste into a file in a terminal and use tmux loadbuffer - to load data in the tmux buffer. Thanks for the video!
-
man, I love some aspects of this box
-
I give up on this one because I'm not able to get the foothold, but hey, thanks for uploading. I will try to understand where I lack.
-
Awesome!!!!
-
The best.
-
Could you point to a resource where I could study more in detail about this Hash extension attack?
-
Good!
-
what certs do you have?
-
My head hurts
-
How long does it take to do a box like this?
-
It's Gonna Be More Fun If Using HTTP/2 Pipelining 😊
-
Push!
-
Hi Ipp, today is my birthday :3
-
Awesome
-
Ippsec the legend
-
I never click on an insane box 🤧