HackTheBox - Ouija
00:00 - Introduction
01:00 - Start of nmap
03:15 - Fuzzing the API port port 3000 with ffuf
09:00 - Discovering the Gitea Domain and seeing a repo which discloses HA Proxy 2.2.16 is in use
11:50 - Exploring CVE-2021-40346 an integer overflow in HA Proxy which enables HTTP Smuggling
18:00 - Putting a 3rd request in to make the HTTP Smuggle reliable and grabbing the source code to app.js
28:45 - Taking a look at the APP.JS source code and discovering a Hash Length Extension attack
38:14 - Performing the Hash Lenght Extension attack and then using FFUF to find the length of the secret
45:00 - Have another File Disclosure, chaining it with the /proc symlink to read an SSH key to get shell on the box
52:45 - Discovering port 9999
58:00 - Opening the PHP Library up in Ghidra and discovering an integer overflow
1:04:00 - Creating a C Program to explain the integer overflow
1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves
1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so
1:21:00 - Creating a pattern so we can see where we write data to
1:24:22 - Creating a python script to build our payload
1:35:50 - Running into an issue, discovering the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate fopen (linebreak)
1:46:45 - Burpsuite wasn't URL Encoded a linebreak, doing it ourselves and then getting shell
Watch video HackTheBox - Ouija online without registration, duration hours minute second in high quality. This video was added by user IppSec 18 May 2024, don't forget to share it with your friends and acquaintances, it has been viewed on our site 14,785 once and liked it 348 people.