HackTheBox - Ouija

Published 2024-05-18
00:00 - Introduction
01:00 - Start of nmap
03:15 - Fuzzing the API on port 3000 with ffuf
09:00 - Discovering the Gitea domain and seeing a repo which discloses HAProxy 2.2.16 is in use
11:50 - Exploring CVE-2021-40346, an integer overflow in HAProxy which enables HTTP request smuggling
18:00 - Putting a 3rd request in to make the HTTP smuggle reliable and grabbing the source code to app.js
28:45 - Taking a look at the app.js source code and discovering a hash length extension attack
38:14 - Performing the hash length extension attack and then using ffuf to find the length of the secret
45:00 - Finding another file disclosure and chaining it with the /proc symlink to read an SSH key and get a shell on the box
52:45 - Discovering port 9999
58:00 - Opening the PHP library up in Ghidra and discovering an integer overflow
1:04:00 - Creating a C program to explain the integer overflow
1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves
1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so
1:21:00 - Creating a pattern so we can see where we write data to
1:24:22 - Creating a python script to build our payload
1:35:50 - Running into an issue: the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate fopen (linebreak)
1:46:45 - Burp Suite wasn't URL encoding a linebreak, so doing it ourselves and then getting a shell

All Comments (21)
  • @AAHyo
    Always when I hate myself, I'm watching ippsec's insane box walkthroughs, so I can feel even more stupid
  • @KohzmikYT
    Idk how people think of these, I can barely do a medium box, let alone an insane one. You're insane ippsec, much love from South Africa
  • @pavi013
    Even if you can't do the box, it's good to take in all the knowledge.
  • @antoniob.6515
    Insane… ❤ I cannot even imagine how much you have studied to reach this level
  • @NatteeSetobol
    Awesome box. I wish we could debug the HTTP smuggling part so we could figure out why it was acting the way it acted when you added a third header. Also, I used xclip -o > file.txt to paste into a file in a terminal and use tmux loadbuffer - to load data in the tmux buffer. Thanks for the video!
  • @csgosmoke
    I give up on this one because I can't get the foothold, but hey, thanks for uploading this; I will try to understand where I lack
  • @ujsimrananees
    Could you point to a resource where I could study more in detail about this Hash extension attack?