
Hack The Box OWASP Top 10: Baby nginxatsu

  • carocsteads
  • Feb 13, 2025
  • 2 min read

Updated: Dec 9, 2025

Baby nginxatsu:

Synopsis: Sensitive data exposure through an open directory leaks a database backup containing the admin's MD5-hashed password.

Skills Required:

  1. Basic understanding of information disclosure.

  2. Ability to analyze and understand source code.

  3. Familiarity with directory listing.

  4. Basic knowledge of how to crack a hashed password.

  5. Basic understanding of HTTP web servers.

Skills Learned:

  1. Understanding of the information disclosure vulnerability class.

  2. Familiarity with exploiting an information disclosure vulnerability via directory listings.

  3. Experience in analyzing Burp requests and responses to identify secrets.


The exercise: Generate your own nginx config file




Analysis:

The first clue is in the exercise description: we have to generate an nginx config file.

nginx ("engine x") is an open source HTTP web server that can also function as a reverse proxy, content cache, load balancer, TCP/UDP proxy server, and mail proxy server. It's designed for high performance and stability, and is used by many popular websites.



First I tried to log in with admin:admin. It did not work, so I created a test account. Log in with the credentials and generate the config file.



A box with the number 51 is created, so I clicked it. The config file is presented.




There is a new clue in the comments of the generated config file:

"# We sure hope so that we don't spill any secrets
# within the open directory on /storage"


Let's go to the /storage directory.


There is an interesting database backup file at the bottom of the page.
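To show how much an open directory gives away, here is an added example (my code, not part of the original writeup or of the challenge): a small parser for nginx's autoindex HTML that pulls out each entry's name, date and size and flags names that look like backups or dumps. The listing it parses is constructed for the example; the file names in it, including backup_example.sqlite, are made up and are not the challenge's real files.

```python
import re
from html import unescape

# Constructed sample of an nginx autoindex page (NOT the challenge's real listing).
# nginx emits one '<a href="name">name</a>  date  size' line per entry inside <pre>;
# directories end in "/" and show "-" as their size.
SAMPLE_LISTING = """<html>
<head><title>Index of /storage/</title></head>
<body>
<h1>Index of /storage/</h1><hr><pre><a href="../">../</a>
<a href="css/">css/</a>                                            13-Feb-2025 09:12                   -
<a href="logo.png">logo.png</a>                                    13-Feb-2025 09:12                4821
<a href="notes.txt">notes.txt</a>                                  13-Feb-2025 09:12                  88
<a href="backup_example.sqlite">backup_example.sqlite</a>          13-Feb-2025 09:15               20480
</pre><hr></body>
</html>
"""

# One autoindex entry: href, display name, modification date, size ("-" for directories).
ENTRY_RE = re.compile(
    r'<a href="(?P<href>[^"]+)">(?P<name>[^<]+)</a>\s+'
    r'(?P<date>\d{2}-\w{3}-\d{4} \d{2}:\d{2})\s+(?P<size>\d+|-)'
)

# Name patterns a pentester flags in an open directory: database files and dumps,
# backups, archives, logs and environment files.
SENSITIVE_RE = re.compile(
    r'(\.(sqlite3?|db|sql|bak|old|orig|zip|tar\.gz|tgz|7z|log|env)$|^\.env|backup|dump)',
    re.IGNORECASE,
)


def parse_autoindex(html: str) -> list[dict]:
    """Return the entries of an nginx autoindex page as dicts (href, name, date, size, is_dir)."""
    entries = []
    for m in ENTRY_RE.finditer(html):
        href = unescape(m.group("href"))
        if href == "../":          # parent link carries no information
            continue
        size = m.group("size")
        entries.append({
            "href": href,
            "name": unescape(m.group("name")).strip(),
            "date": m.group("date"),
            "size": None if size == "-" else int(size),
            "is_dir": href.endswith("/"),
        })
    return entries


def find_sensitive(entries: list[dict]) -> list[str]:
    """hrefs of files (not directories) whose names suggest secrets, dumps or backups."""
    return [e["href"] for e in entries if not e["is_dir"] and SENSITIVE_RE.search(e["href"])]


if __name__ == "__main__":
    listing = parse_autoindex(SAMPLE_LISTING)
    for e in listing:
        size = "-" if e["size"] is None else e["size"]
        print(f'{e["href"]:<28} {e["date"]}  {size:>8}')
    print("worth downloading:", find_sensitive(listing))
```

nginx only produces this page when the `autoindex` directive is `on` for that location; its default is `off`. Even with listing disabled, a backup file under the web root is still downloadable by anyone who guesses or leaks its name, so the real fix is to keep such files out of the document root altogether.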

Let's use Burp to look at the GET /storage/ request and its response.




Send the GET /storage/ request to Repeater.

Next, let's append the backup file's name to the path of the GET request and download it.



I can see the users table containing information, including emails and what appear to be passwords.

With the help of https://sqliteviewer.app/#/database.sqlite/table/users/ I want to see the structure of the database and recover the password for the admin.



Let's use https://crackstation.net/ to recover the admin's password from the MD5 hash.


Now that we have the email and password, let's log in as admin.





How to prevent Sensitive Data Exposure - MD5 hashes:

  • Store only salted and hashed passwords

Do not use MD5 for passwords. It is a fast, general-purpose digest: an unsalted MD5 hash can be looked up in precomputed tables (which is exactly what CrackStation did above) or brute-forced at billions of guesses per second, and the algorithm is also broken for collision resistance.

Use a purpose-built password hashing algorithm such as Argon2id, bcrypt, scrypt or PBKDF2. They are deliberately slow and tunable, so every guess costs the attacker a configurable amount of work.

Give each password its own random salt before hashing, so identical passwords do not produce identical hashes and precomputed tables become useless (Argon2, bcrypt and scrypt generate and store the salt for you).

  • Implement TLS for secure transmission of sensitive data

Encrypt all data in transit using TLS 1.2 or 1.3 to prevent man-in-the-middle attacks.

Ensure HSTS (HTTP Strict Transport Security) is enabled to enforce HTTPS connections.

Renew certificates before they expire, and disable TLS 1.0/1.1 and weak cipher suites so clients cannot be downgraded to a broken protocol version.
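Added example, not from the original post: the dictionary attack CrackStation performed above, written out against a constructed users table with unsalted MD5 hashes, next to the salted PBKDF2-HMAC-SHA256 storage the list recommends. The emails, passwords and wordlist are made up for the example. It shows why the first is cheap (one MD5 per candidate word covers every user at once) and the second is not (one slow PBKDF2 run per user per guess, and identical passwords hash to different values).

```python
import hashlib
import hmac
import secrets

# Constructed rows shaped like a leaked users table (email, unsalted MD5 hex digest).
# These are NOT the challenge's real accounts or hashes.
LEAKED_USERS = [
    ("admin@example.test", hashlib.md5(b"password123").hexdigest()),
    ("bob@example.test", hashlib.md5(b"letmein").hexdigest()),
    ("carol@example.test", hashlib.md5(b"correct horse battery staple").hexdigest()),
]

# Tiny constructed wordlist; real attacks use rockyou-scale lists or precomputed lookup tables.
WORDLIST = ["123456", "password", "password123", "letmein", "admin", "qwerty"]


def crack_md5(rows, wordlist):
    """Dictionary attack on unsalted MD5: hash every word once, then look up every user's hash.
    Cost is len(wordlist) MD5 calls regardless of how many users leaked."""
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: lookup[h] for email, h in rows if h in lookup}


PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet minimum for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Stored as pbkdf2_sha256$iterations$salt_hex$digest_hex so the
    parameters travel with the record and can be raised later without a flag day."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_pbkdf2(rows, wordlist):
    """The same dictionary attack against the hardened storage. Each (user, word) pair costs a
    full PBKDF2 run, so work scales with users * words and no precomputed table helps."""
    cracked = {}
    for email, stored in rows:
        for w in wordlist:
            if verify_password(w, stored):
                cracked[email] = w
                break
    return cracked


if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_md5(LEAKED_USERS, WORDLIST))
    hardened = [(email, hash_password(pw)) for email, pw in
                [("admin@example.test", "password123"), ("bob@example.test", "letmein")]]
    for email, stored in hardened:
        print(email, "->", stored)
    print("PBKDF2 cracked (slowly):", crack_pbkdf2(hardened, WORDLIST))
```

The weak users in the hardened table are still guessable; slow hashing buys time and raises the attacker's cost, it does not replace a password policy or rate limiting on the login form.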


© 2023 by Carolina Steadham. All rights reserved.
