HTB- Baby Nginxatsu [Web]
Baby Nginxatsu is a web challenge of Hack The Box.
When connecting to the given IP address and port, a simple login form is presented:
The first things I tried were supplying default credentials and testing the web application for SQL injection, but neither worked.
Then I created an account with a random username and logged in to the web application with the chosen credentials.
Once logged in, the web app presented a form that automatically generates an nginx config file.
After submitting the form, an icon (representing the file just created) appeared at the bottom of the web page.
By clicking on the icon it was possible to look at the content of the config file. At first glance the content was pretty standard, except for a comment that caught my attention.
The comment revealed the existence of a “/storage” directory on the web server, so I immediately tried to verify that it existed.
By navigating to the page:
http://<server_ip>:<port>/storage/
it was possible to browse a listing of various nginx config files, but the most interesting entry was a file that looked like a compressed database backup.
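Seen from the defender's side, the listing that exposed the backup comes down to a single nginx directive (autoindex is off by default, so it had to be enabled). As an added illustration that is not part of the original write-up, here is the weak location block beside a hardened one; the paths and server names are assumptions:

```nginx
# Added example, not the challenge's actual config. Paths and server
# names are assumptions chosen to mirror the write-up.

# --- Weak: directory listing enabled, everything under /storage is served ---
server {
    listen 80;
    server_name weak.example;
    root /var/www/html;

    location /storage/ {
        # Anyone who learns the path (e.g. from a stray comment) can browse
        # every generated config and any backup dropped into the directory.
        autoindex on;
    }
}

# --- Hardened: no listing, and archive/database files are never served ---
server {
    listen 80;
    server_name hardened.example;
    root /var/www/html;

    location /storage/ {
        # Removes the directory listing; files are still reachable only by
        # exact name. Backups should live outside the web root altogether,
        # this rule is a safety net for the case where they do not.
        autoindex off;
    }

    # Refuse database dumps and archives anywhere under the web root.
    # `return` runs before `deny`, so a plain 404 is enough here.
    location ~* \.(sqlite|sqlite3|db|sql|bak|tar|tar\.gz|tgz|zip)$ {
        return 404;
    }
}
```

Test the second block with `nginx -t` and a request for a known file name under /storage/, which should still work, and for a `.tar.gz`, which should now return 404.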
Once downloaded (with wget) and extracted, it was clear that the file was a SQLite database backup. To inspect its contents I used Sqlitebrowser, which showed the following table:
The database contained usernames and hashed passwords, and the first user was probably the administrator of the web site.
Once I had retrieved the hashes, I used hashid to identify the algorithm used to generate them:
hashid suggested that the hashes were generated with MD2 or MD5.
I used hashcat with a dictionary attack to crack the passwords:
hashcat -a 0 -m 0 crackme.txt /usr/share/seclists/Passwords/Leaked-Databases/md5decryptor-uk.txt -r /usr/share/hashcat/rules/best64.rule
I was able to crack only the password of the first user (the admin password).
Having the admin email and the admin password, I was able to log in to the web app again with the admin's credentials. Once logged in as the admin, the flag was displayed.
Pwned!