HackTheBox - Ouija

00:00 - Introduction 01:00 - Start of nmap 03:15 - Fuzzing the API port port 3000 with ffuf 09:00 - Discovering the Gitea Domain and seeing a repo which discloses HA Proxy 2.2.16 is in use 11:50 - Exploring CVE-2021-40346 an integer overflow in HA Proxy which enables HTTP Smuggling 18:00 - Putting a 3rd request in to make the HTTP Smuggle reliable and grabbing the source code to app.js 28:45 - Taking a look at the APP.JS source code and discovering a Hash Length Extension attack 38:14 - Performing the Hash Lenght Extension attack and then using FFUF to find the length of the secret 45:00 - Have another File Disclosure, chaining it with the /proc symlink to read an SSH key to get shell on the box 52:45 - Discovering port 9999 58:00 - Opening the PHP Library up in Ghidra and discovering an integer overflow 1:04:00 - Creating a C Program to explain the integer overflow 1:11:50 - Setting up a test environment so we can debug the PHP Library and see how it behaves 1:17:15 - Getting a breakpoint to work and stepping through things in lverifier.so 1:21:00 - Creating a pattern so we can see where we write data to 1:24:22 - Creating a python script to build our payload 1:35:50 - Running into an issue, discovering the first parameter doesn't terminate where we thought and the fopen call fails. Playing with the exploit to find a way to terminate fopen (linebreak) 1:46:45 - Burpsuite wasn't URL Encoded a linebreak, doing it ourselves and then getting shell