Official Ouija Discussion

system · December 2, 2023, 3:00pm

Official discussion thread for Ouija. Please do not post any spoilers or big hints.

rek2 · December 2, 2023, 6:47pm

Good vibes and good luck, you all!

JimShoes · December 2, 2023, 7:18pm

Good luck everyone!

matus · December 2, 2023, 8:42pm

any hint on how to pass the ihash header it wants?

IceM4nn · December 3, 2023, 2:29am

any hints on the foothold?

userb1ank · December 3, 2023, 5:43am

any hint？

nanase · December 3, 2023, 7:18am

I think I got all the information but I don’t have a clue

matus · December 3, 2023, 8:12am

Could anyone offer a hint on the smuggling requests? I’ve read the code diffs from the patched software version and I’m trying to use that, but none of my attempts work.

jecpr636 · December 3, 2023, 9:10am

Hi all,

A couple of hints to get the first part if you are struggling:

Do plenty of research into the vuln. There is a detailed github post which covers the details of the vulnerability. This will help a lot.
Spin up a local lab for testing to make sure you get a working payload. There is a handy github repo (which needed a little tweaking to work on my machine) and this will let you play around and make sure you are on the right path.
Perisitance…this was finnicky for me for some reason but eventually got it working consistently (even though I’m sure I tried the exact payload like an hour earlier haha).

Good luck and have fun

thetempentest · December 3, 2023, 8:48pm

Loving this box so much, thanks to the author! This season was really easy compared to the previous two, finally a box to struggle with.

There seem to be two different ways to root it actually (although both use the same vulnerability, the likely unintentional way seems quite interesting).

ClovisMint · December 3, 2023, 9:25pm

Fun machine for user, but based on the struggle of root for people, I will probably stop there

Some additional advice for the User:

For me personally, some things weren’t consistent with the vuln, and I ended up having to send a request multiple times before anything happened. I didn’t test locally or anything, and just noticed that between all of the POCs that exists, there really was only one big difference between them.
Look into what the vulnerability actually does and how it works. Chances are, it does more than what you may initially think it does.
– if it helps, think about some oddities that occured during enumeration.

Hopefully this helps out a little, I dont want to give too much or spoilers! good luck!

CyberSecNV · December 4, 2023, 5:35am

I am positive I found something completely unintentional. It doesn’t go anywhere (that I can tell) but it really doesn’t seem remotely related to this at all.

jecpr636 · December 4, 2023, 7:05am

Finally managed to get user, and it was a really fun pathway there. Very fun and interesting box so far!!

Noticing that only a dozen or so people have root, so not hopeful I’ll get there any time soon.

Some additional pointers (hopefully without requiring moderation )

Pay attention to the way the application works. Careful investigation will lead you down an extended though fruitful path. If this doesn’t make sense, just look at what you have and do some heavy research into potential flaws.
Encoding really tripped me up on my path to user. If you script something in order to try different lengths, be VERY careful that the encoding is correct. Validate it independantly if possible, I used cyberchef.
Once you are over this hurdle, you need to escape…re-read the basic literature on ways out, and focus on the ones which are possible from your current position.

7H31NTR00D3R · December 4, 2023, 4:49pm

Finally got user! hardest hard box I have done so far! anyone needs help on user give me a dm.

if anyone has rooted please dm me I am lost.

jecpr636 · December 5, 2023, 2:48am

Same thing WRT to root. I know roughly what the issue is, and the possibilities for privesc are there, but I cannot figure out the details of exploitation.

If anyone is able to provide some guidance or resources where I can learn for this kind of exploit it would be very much appreciated!

ahmedmegjxdno · December 5, 2023, 11:17am

The user was crazy and the root was so hard/easy depend on the way you will take.
Here is some tips for the root

The map file contain the lib location for what you need
Run it on your system to debug
Keep padding the username until you find your way (I think this so big hint)

m0h4md · December 5, 2023, 2:05pm

hi man I’m lost can u help me with user?

JimShoes · December 5, 2023, 3:28pm

Root was just about as hard as user for me. Glad to have this one done though.

7H31NTR00D3R · December 5, 2023, 6:02pm

Rooted finally, Hardest hard box by far a lot of steps and trip ups on the way, but glad i completed this. Thank you @JimShoes for the help!

H4bu0n · December 6, 2023, 12:02pm

Great box, massive props to creator. Had lot of fun with the root part. Hope to see more boxes like this.

Topic		Replies	Views
Official Resource Discussion Machines	154	4339	October 29, 2024
Official OnlyForYou Discussion Machines	186	12435	September 7, 2023
Official Sekhmet Discussion Machines	6	2853	March 25, 2023
Official Horizontall Discussion Machines	173	24726	August 1, 2023
Official Drive Discussion Machines	98	5118	January 18, 2024

Official Ouija Discussion

Related Topics