Hack The Box Web Challenge - baby nginxatsu

Description

Can you find a way to login as the administrator of the website and free nginxatsu?

Solution

Looking at the provided URL 167.172.56.232:31642, we see the following:

Default page when accessing the provided URL

As we don't have any valid credentials, we can simply create a new user and log in.

Once logged in, we are prompted with a configuration page. Apparently we are able to create our own nginx configuration.

nginx configuration generator page

Without modifying anything, I hit the Generate Config button to see what happens. A new config appears! Looking at the config, we see the following:

Snippet of the nginx configuration generator’s default output

The config reveals something very interesting: autoindex for /storage is set to on. This means that directory listing is enabled, so we can see all files in this directory in our browser. The comment is also very suspicious. It is more or less telling us: *Go there and you will find a secret*.

# We sure hope so that we don't spill any secrets
# within the open directory on /storage

location /storage {
    autoindex on;
}

So, let’s have a look at the storage directory.

Listing of the /storage directory displayed in the browser.

Hmmmm, a lot of files! But wait! There is a file called v1_db_backup_1604123342.tar.gz. That seems off. Let’s download and inspect it on our local machine.

After we use tar to unpack it, we can use sqlite3 to take a look at the database.

┌──(kali㉿kali)-[~/…/challenges/web/baby_nginxatsu/database]
└─$ sqlite3 database.sqlite 

sqlite> .tables
failed_jobs      nginx_configs    users          
migrations       password_resets

sqlite> PRAGMA table_info(users);
0|id|INTEGER|1||1
1|name|varchar|1||0
2|email|varchar|1||0
3|password|varchar|1||0
4|api_token|varchar|1||0
5|remember_token|varchar|0||0
6|created_at|datetime|0||0
7|updated_at|datetime|0||0

sqlite> select email,password from users;
nginxatsu-adm-01@makelarid.es|e7816e9a10590b1e33b87ec2fa65e6cd
nginxatsu-giv@makelarid.es|22d94e7c519d6074c57789674cc9959b
nginxatsu-me0wth@makelarid.es|1ae9603761473a3e375812989f9511db

There we go! We have 3 emails and 3 password hashes which look pretty much like MD5 hashes. I copied all of the hashes in a text file and used hashcat to crack them.

┌──(kali㉿kali)-[~/…/challenges/web/baby_nginxatsu/database]
└─$ hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt 


e7816e9a10590b1e33b87ec2fa65e6cd:adminadmin1
Recovered........: 1/3 (33.33%) Digests

Great! We found a password. The cracked password hash belongs to the email nginxatsu-adm-01@makelarid.es. So now let’s use those credentials to log in.

Flag displayed on the configuration page, once logged in with the obtained credentials.

And there’s the flag!
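
The /storage misconfiguration above can be caught before a config is deployed. The following is an added example, not part of the original write-up: a small Python check that reports every location block whose effective autoindex value is on, including values inherited from an enclosing block. The sample config is constructed around the snippet shown earlier, and the parser assumes the config contains no quoted strings with `#`, `{`, `}` or `;` in them.

```python
import re

# Constructed sample: the write-up's /storage block inside a minimal server.
SAMPLE = """
server {
    listen 80;
    # We sure hope so that we don't spill any secrets
    # within the open directory on /storage
    location /storage {
        autoindex on;
    }
    location /assets {
        autoindex off;
    }
}
"""

TOKEN = re.compile(r"[{};]|[^\s{};]+")

def autoindex_locations(conf):
    """Return the location blocks whose effective autoindex value is 'on'."""
    conf = re.sub(r"#[^\n]*", "", conf)  # assumption: '#' only starts comments
    root = {"parent": None, "name": None, "autoindex": None}
    scopes, cur, words = [root], root, []
    for tok in TOKEN.findall(conf):
        if tok == "{":  # open a block; remember its name if it is a location
            name = " ".join(words[1:]) if words[:1] == ["location"] else None
            cur = {"parent": cur, "name": name, "autoindex": None}
            scopes.append(cur)
        elif tok == ";":  # end of a simple directive
            if len(words) == 2 and words[0] == "autoindex":
                cur["autoindex"] = words[1]
        elif tok == "}":
            cur = cur["parent"] or root
        else:
            words.append(tok)
            continue
        words = []

    def effective(scope):
        # autoindex is inherited: walk outwards until a block sets it.
        while scope is not None:
            if scope["autoindex"] is not None:
                return scope["autoindex"]
            scope = scope["parent"]
        return "off"  # nginx default

    return [s["name"] for s in scopes if s["name"] and effective(s) == "on"]
```

Calling `autoindex_locations(SAMPLE)` returns `['/storage']`. Turning autoindex off only hides the listing: a file such as the database backup stays downloadable by anyone who knows its name, so backups belong outside any path the web server serves.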

This post is licensed under CC BY 4.0 by the author.