Official Ouija Discussion

Official discussion thread for Ouija. Please do not post any spoilers or big hints.

1 Like

Good vibes and good luck, you all!

Good luck everyone!

any hint on how to pass the ihash header it wants?

any hints on the foothold?

any hint?

I think I got all the information but I don’t have a clue

1 Like

Could anyone offer a hint on the smuggling requests? I’ve read the code diffs from the patched software version and I’m trying to use that, but none of my attempts work.

Hi all,

A couple of hints to get the first part if you are struggling:

  • Do plenty of research into the vuln. There is a detailed github post which covers the details of the vulnerability. This will help a lot.
  • Spin up a local lab for testing to make sure you get a working payload. There is a handy github repo (which needed a little tweaking to work on my machine) and this will let you play around and make sure you are on the right path.
  • Perisitance…this was finnicky for me for some reason but eventually got it working consistently (even though I’m sure I tried the exact payload like an hour earlier haha).

Good luck and have fun :smiley:

Loving this box so much, thanks to the author! This season was really easy compared to the previous two, finally a box to struggle with.

There seem to be two different ways to root it actually (although both use the same vulnerability, the likely unintentional way seems quite interesting).

Fun machine for user, but based on the struggle of root for people, I will probably stop there :sob:

Some additional advice for the User:

  • For me personally, some things weren’t consistent with the vuln, and I ended up having to send a request multiple times before anything happened. I didn’t test locally or anything, and just noticed that between all of the POCs that exists, there really was only one big difference between them.
  • Look into what the vulnerability actually does and how it works. Chances are, it does more than what you may initially think it does.
    – if it helps, think about some oddities that occured during enumeration.

Hopefully this helps out a little, I dont want to give too much or spoilers! good luck!

I am positive I found something completely unintentional. It doesn’t go anywhere (that I can tell) but it really doesn’t seem remotely related to this at all.

Finally managed to get user, and it was a really fun pathway there. Very fun and interesting box so far!!

Noticing that only a dozen or so people have root, so not hopeful I’ll get there any time soon.

Some additional pointers (hopefully without requiring moderation :wink: )

  • Pay attention to the way the application works. Careful investigation will lead you down an extended though fruitful path. If this doesn’t make sense, just look at what you have and do some heavy research into potential flaws.
  • Encoding really tripped me up on my path to user. If you script something in order to try different lengths, be VERY careful that the encoding is correct. Validate it independantly if possible, I used cyberchef.
  • Once you are over this hurdle, you need to escape…re-read the basic literature on ways out, and focus on the ones which are possible from your current position.

Finally got user! hardest hard box I have done so far! anyone needs help on user give me a dm.

if anyone has rooted please dm me I am lost.

Same thing WRT to root. I know roughly what the issue is, and the possibilities for privesc are there, but I cannot figure out the details of exploitation.

If anyone is able to provide some guidance or resources where I can learn for this kind of exploit it would be very much appreciated!

1 Like

The user was crazy and the root was so hard/easy depend on the way you will take.
Here is some tips for the root

  • The map file contain the lib location for what you need
  • Run it on your system to debug
  • Keep padding the username until you find your way (I think this so big hint)
1 Like

hi man I’m lost can u help me with user?

1 Like

Root was just about as hard as user for me. Glad to have this one done though.


Rooted finally, Hardest hard box by far a lot of steps and trip ups on the way, but glad i completed this. Thank you @JimShoes for the help!


Great box, massive props to creator. Had lot of fun with the root part. Hope to see more boxes like this.