In this post, I would like to share a walkthrough of the Ouija machine from Hack the Box.


This machine is rated Insane on Hack the Box.

What will you gain from the Ouija machine?


For the user flag, you must abuse an HTTP request smuggling vulnerability in HAProxy to reach a development site that HAProxy is intended to block. This access exposes enough information about the API to perform a hash length extension attack and obtain a valid admin key for the API. With this key, we can exploit the API to read files from the system, including an SSH key, thereby gaining an initial foothold.


As for the root flag, you need to exploit a custom PHP module, written in C and compiled into a .so file, which contains an integer overflow vulnerability. This vulnerability allows variables on the stack to be overwritten, which gives arbitrary write access as root on the system.

Information Gathering on Ouija Machine


Once we have connected to the VPN (the configuration file is downloaded from Hack the Box), we can start with an Nmap scan.

┌─[darknite@parrot]─[~/Documents/htb/ouija]
└──╼ $nmap -sV -sC 10.10.11.244 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-17 21:44 EDT
Nmap scan report for 10.10.11.244
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 6ff2b4ed1a918d6ec9105171d57c49bb (ECDSA)
|_  256 dfddbcdc570d98af0f882f73334862e8 (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.71 seconds
┌─[darknite@parrot]─[~/Documents/htb/ouija]
└──╼ $

Let’s access the website interface


Accessing the website by IP only shows the Apache2 default page.


Looking at the Nmap output again, I noticed that port 3000 is also open and runs a Node.js Express application.


As a result, we will enumerate further with gobuster, since the website itself gives us very little information.


There is a /server-status page exposing the status of the Apache server on the machine.


While looking at the server-status page, the process status caught my attention, as it lists some request paths that we can investigate later.

Access the website using the domain name


Let’s access the website using the domain name ouija.htb, which shows the actual web application interface.


At least we have found a potential username in the Team section.


Let’s send one message and look at the response packet.


Sadly, there is nothing interesting in the response.


Let’s try to enumerate the site on port 3000 further, but gobuster returns an error while doing so.


As a result, let’s add the --wildcard switch at the end of the gobuster command.


There are a few endpoints that look interesting, so let’s try them on the website.




The endpoint that caught my attention requires a few parameters to be supplied.

Enumerate possible subdomains on the Ouija machine


However, the first run gives nothing of interest to investigate further.


Let’s change the wordlist to find a lot more results.


There is one subdomain that caught my attention.


We get a 403 Forbidden error when trying to access dev.ouija.htb.


The subdomain gitea.ouija.htb takes us to a Gitea main page.


I noticed there is one repository, Leila, that we can look into.


Nothing suspicious appears in the repository at first glance.


While scrolling down, I noticed a reference to HAProxy version 2.2.16, which looks new to me.


For those who are not sure about the vulnerability in HAProxy version 2.2.16, I hope the information below makes it understandable.

Apache internally listens on port 8080, and the HAProxy reverse proxy in front of it, version 2.2.16 as identified from the repository, is vulnerable to request smuggling (GHSA-h2p2-w857-329f / CVE-2023-25725).
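The advisory for CVE-2023-25725 describes the defect as HAProxy accepting empty header field names, which truncated the parsed header list so that later headers, and any ACL rule matching on them, were skipped. The following is an added example, not code from the write-up or from HAProxy: a small checker a defender can run over captured request heads (from a proxy log or a WAF tap) that flags that pattern together with the classic ambiguities (Content-Length alongside Transfer-Encoding, conflicting Content-Length values) that a reverse proxy should reject outright. The sample requests are constructed for the demonstration.

```python
"""Flag HTTP/1.x request heads that carry request-smuggling patterns.

Added example, not the write-up's or HAProxy's code. The request samples
below are constructed; only the Host header value reuses the lab domain.
"""
from typing import Dict, List, Optional, Tuple


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, Optional[str]]]]:
    """Return (request_line, headers) where headers is a list of (name, value).

    A header line without a ':' yields value None. Nothing is dropped or
    merged, so the checks below see exactly what a proxy's parser was handed.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: List[Tuple[str, Optional[str]]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((name.decode("latin-1").strip(), None))
        else:
            headers.append((name.decode("latin-1").strip(),
                            value.decode("latin-1").strip()))
    return request_line, headers


def smuggling_findings(raw: bytes) -> List[str]:
    """Return the reasons a request head should be rejected (empty if clean)."""
    _, headers = parse_request_head(raw)
    findings: List[str] = []
    # CVE-2023-25725: an empty field name truncated HAProxy's header list.
    if any(name == "" for name, _ in headers):
        findings.append("empty header field name (CVE-2023-25725 pattern)")
    if any(value is None for _, value in headers):
        findings.append("header line without ':'")
    lengths = [v for n, v in headers if n.lower() == "content-length"]
    has_te = any(n.lower() == "transfer-encoding" for n, _ in headers)
    # Front-end and back-end may disagree on which one frames the body.
    if lengths and has_te:
        findings.append("Content-Length and Transfer-Encoding both present")
    if any(v is None or not v.isdigit() for v in lengths):
        findings.append("non-numeric Content-Length")
    if len(set(lengths)) > 1:
        findings.append("conflicting Content-Length values")
    return findings


# Constructed request heads used to exercise the checker.
SAMPLES: Dict[str, bytes] = {
    "clean": b"GET / HTTP/1.1\r\nHost: ouija.htb\r\n\r\n",
    "empty_name": b"GET / HTTP/1.1\r\nHost: ouija.htb\r\n: x\r\nX-Debug: 1\r\n\r\n",
    "cl_te": (b"POST / HTTP/1.1\r\nHost: ouija.htb\r\nContent-Length: 4\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n"),
    "dup_cl": (b"POST / HTTP/1.1\r\nHost: ouija.htb\r\nContent-Length: 4\r\n"
               b"Content-Length: 10\r\n\r\n"),
}


def audit(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checker over every sample and map its name to the findings."""
    return {name: smuggling_findings(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, found in audit(SAMPLES).items():
        print(f"{name:11s} -> {found or ['ok']}")
```

The checker deliberately keeps every header line, including the malformed ones, because the whole point of the bug class is that a permissive parser silently discards input; the safe reaction to any of these findings is to reject the request with a 400 rather than to try to repair it, which is what patched HAProxy releases do.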

The direct approach doesn’t work, as shown above, so let’s work around the block using that vulnerability.


Using the vulnerability I found earlier, I have found two files that we can investigate further.



Let’s analyze the source code which we can use to proceed with the next stage.


We can look into /proc/self/environ, which exposes the potential username (Leila).


Sadly, we cannot retrieve /etc/passwd at the moment.


After adjusting the Content-Length, it works like a charm!


Let’s do some research on the hash length extension attack, which you can read about here.


Another resource that can be used here to escalate further


Let’s generate the ihash and identification values using hash_extender, which can be downloaded here.
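A hash length extension attack only works when a key is computed as sha256(secret || data) (or with another Merkle–Damgård hash): the output is the hash's internal state, so a holder of one valid (data, key) pair can keep hashing from that state and obtain a valid key for data + padding + suffix without ever learning the secret. The example below is added here and is not the machine's API or the write-up's code; the key format `user=...&role=...` and the secret are constructed for illustration. It places the vulnerable construction beside the hardened one (HMAC-SHA256 with a constant-time comparison) and adds a strict parser for the signed identification, so that even appended data would be refused as malformed rather than accepted.

```python
"""Weak keyed hash beside an HMAC-based API key check.

Added example (hypothetical API, not the lab's). SERVER_SECRET and the
identification format 'k=v&k2=v2' are constructed for the demonstration.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed demo secret; a real service loads it from config, never from source.
SERVER_SECRET = b"constructed-demo-secret"


def weak_key(secret: bytes, identification: bytes) -> str:
    """sha256(secret || identification): the construction length extension breaks.

    The digest is the hash's full internal state after absorbing the secret and
    the data, so it can be extended without the secret. Kept only as the
    'before' side of the fix; never use this to derive API keys.
    """
    return hashlib.sha256(secret + identification).hexdigest()


def strong_key(secret: bytes, identification: bytes) -> str:
    """HMAC-SHA256 keys the hash on both the inner and outer pass, so the tag
    does not expose a state that an attacker could continue hashing from."""
    return hmac.new(secret, identification, hashlib.sha256).hexdigest()


def parse_identification(identification: bytes) -> Optional[Dict[str, str]]:
    """Strict parser for 'k=v&k2=v2'; returns None on anything malformed.

    Rejected: non-ASCII or non-printable bytes (hash padding is binary),
    duplicate keys (an appended '&role=admin' must not silently win over the
    original value), and parts without a key or without '='.
    """
    try:
        text = identification.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    fields: Dict[str, str] = {}
    for part in text.split("&"):
        key, sep, value = part.partition("=")
        if not sep or not key or key in fields:
            return None
        fields[key] = value
    return fields


def verify_request(secret: bytes, identification: bytes,
                   presented_key: str) -> Optional[Dict[str, str]]:
    """Accept only a well-formed identification whose HMAC matches.

    The comparison is constant-time so the check leaks nothing about how many
    leading characters of the key were right. Returns the parsed fields on
    success and None otherwise.
    """
    fields = parse_identification(identification)
    if fields is None:
        return None
    if not hmac.compare_digest(strong_key(secret, identification), presented_key):
        return None
    return fields


if __name__ == "__main__":
    ident = b"user=leila&role=user"
    key = strong_key(SERVER_SECRET, ident)
    print("valid request   ->", verify_request(SERVER_SECRET, ident, key))
    print("tampered role   ->", verify_request(SERVER_SECRET, b"user=leila&role=admin", key))
    print("duplicate key   ->", parse_identification(b"user=leila&role=user&role=admin"))
```

The two layers are independent: HMAC removes the algebraic weakness, and the strict parser removes the sloppy last-value-wins handling that an extended message relies on to change the effective role. An API that fixes only the parser is still using a broken MAC, and one that fixes only the MAC still has a parser that will happily accept duplicate fields from some future bug.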


Let’s obtain the user’s SSH private key and copy it over to our machine.


We can also obtain the user flag using the method above.


Finally, we have successfully accessed the machine as Leila.


We can read the user flag by running the “cat user.txt” command.

Escalate to Root Privileges Access


As usual, we try to list the binaries we are allowed to run, but it fails because we need Leila’s password.


Let’s look at the ports listening internally on the machine and notice that one of them looks unusual.


Therefore, let’s set up port forwarding to reach it from our machine.


It looks like a normal login page


As a result, let’s try common credentials such as admin:admin.


Sadly, nothing interesting shows up in the response.


There is one directory that looks different from the usual ones.



After looking into the directory, I noticed one file that we need to investigate further.


The screenshot above shows the source code of the index.php



There is one file type that we should investigate more deeply.


Let’s download the file into our machine




We can download it using pwncat-cs


Let’s analyze the file using Ghidra



We should run the command shown above to escalate further.


Let’s craft the buffer overflow payload as shown in the screenshot above.


Therefore, let’s paste the BoF payload into the request via Burp Suite.


The command injection works like a charm


Finally, we managed to retrieve the reverse shell connection back to us


We can read the root flag by typing the “cat root.txt” command