Baby Nginxatsu: A Tale of Web Exploitation for Beginners
Introduction:
If there's one thing we love about cybersecurity, it's the perpetual presence of puzzles to solve. One such puzzle we recently encountered is the web-based challenge, "Baby Nginxatsu." The task was to log in as the website administrator and free nginxatsu. Let's delve into the steps we took to navigate this intriguing challenge.
Machine name: baby nginxatsu
Difficulty: Easy
Category: Web
DESCRIPTION:
Can you find a way to login as the administrator of the website and free nginxatsu?
Our First Encounter:

Upon spinning up the Baby Nginxatsu machine, we were provided with an IP address, which we promptly opened in a browser on our Kali machine. We were greeted by a sleek login screen adorned with a Pikachu logo and a prompt to generate our own nginx config file.
Initial Strategy:

Our first step was to create an account using personal credentials. Upon successful registration and login, we encountered a configuration window with an option to generate the nginx configuration.
Revealing the Config:

Upon clicking the "Generate config" button, we were presented with a config file. Intrigued by a small numeric value '51' within the file, we clicked on it to open and inspect the file contents.
Hidden Clue:
The config file housed a note of interest within its comments. It read, "# we sure hope so that we don’t spill any secret within the open directory on /storage." This comment hinted at a potential vulnerability—an open directory at "/storage."
Unearthing Secrets:

Guided by the hint, we navigated to the "/storage" path on the website. To our delight, we found an index of various configuration files. Amidst these, one particular file, a database backup (v1_db_backup_1604123342.tar.gz), caught our attention. We proceeded to download this promising file.
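
A defender-side check for the misconfiguration behind this step, as an added example that is not part of the original write-up or the challenge's code: it scans an nginx config for location blocks where directory listing (autoindex) is effectively on. The sample config is constructed, and that "/storage" was exposed through autoindex is an assumption, since the server's real config is not shown here.

```python
import re

# Constructed sample config (not the challenge's real file); the paths and
# the idea that /storage is listed via autoindex are assumptions.
SAMPLE_CONF = """
server {
    listen 80;
    root /www/public;
    location / { try_files $uri /index.php; }
    location /storage { autoindex on; }   # constructed: listing enabled
    location /static { autoindex off; }
}
"""

def find_autoindex_locations(conf_text):
    """Return location paths whose effective autoindex setting is 'on'.

    autoindex is valid in http, server and location context and is inherited
    regardless of directive order, so the block tree is built first and
    resolved afterwards. Simplification: '#', '{', '}' and ';' inside quoted
    strings or regex locations are not handled.
    """
    text = re.sub(r"#[^\n]*", "", conf_text)        # drop comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)   # words and punctuation
    root = {"name": "main", "autoindex": None, "parent": None}
    current, blocks, words = root, [], []
    for tok in tokens:
        if tok == "{":                              # words = block header
            current = {"name": " ".join(words), "autoindex": None,
                       "parent": current}
            blocks.append(current)
        elif tok == ";" and len(words) == 2 and words[0] == "autoindex":
            current["autoindex"] = (words[1] == "on")
        elif tok == "}":
            current = current["parent"] or root
        if tok in "{};":
            words = []
        else:
            words.append(tok)

    def effective(block):
        # Walk up until some enclosing block sets autoindex explicitly.
        while block is not None:
            if block["autoindex"] is not None:
                return block["autoindex"]
            block = block["parent"]
        return False                                # nginx default is off

    return [b["name"].split()[-1] for b in blocks
            if b["name"].startswith("location ") and effective(b)]

if __name__ == "__main__":
    for path in find_autoindex_locations(SAMPLE_CONF):
        print(f"directory listing enabled: {path}")
```

Any path it reports should either have listing turned off or be confirmed to hold nothing sensitive; backups such as database dumps belong outside the web root entirely.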

Unzipping the Treasures:
After extracting the downloaded archive, we discovered a database.sqlite file. We opened this file using SQLite Browser, revealing a list of emails and passwords, likely hashed.

Deciphering the Code:
Our next task was to identify the type of hash used for these passwords. Using an online cipher identifier tool, we determined that it was most likely an MD5 hash.
Cracking the Code:
Our tool of choice to crack this password hash was Hashcat, a popular password recovery tool. We saved the hashed password in a text file named 2crack.txt and used the command:

hashcat -m 0 2crack.txt /usr/share/wordlists/rockyou.txt
Here, "-m 0" specifies MD5 mode, 2crack.txt is the file containing our MD5 password hash, and /usr/share/wordlists/rockyou.txt is a wordlist containing potential passwords.

Access Granted:
Our efforts were rewarded as Hashcat successfully cracked the password. Armed with the recovered password and corresponding email, we returned to the login page and successfully accessed the admin account.
Claiming the Flag:
Much to our elation, we were greeted with the flag immediately upon login, marking the successful completion of the Baby Nginxatsu challenge.

Conclusion:
Baby Nginxatsu serves as a perfect example of how minor oversights, such as revealing hints in comments or insecure backup practices, can lead to significant security risks. It was an exciting journey that emphasized the importance of secure development practices and showed how their absence can be exploited when they're overlooked. As we conclude our expedition, we're reminded once again: cybersecurity is a never-ending learning process, teeming with puzzles just waiting to be solved.