Ok we’ve got another one of the seasonal machines here, lets get to it!

Initial nmap scan scanning all ports only returns two, the common ones I come across

Description of image

Seeing as we have an open http port let’s run a quick curl command to pull in the header

Description of image

Based on the header response we are redirecting to a different domain, so let’s update our /etc/hosts file and curl again. Updating the /etc/hosts file is necessary to manually map the domain to the webservers IP address.

Description of image

So in this case, you would add that entry at the end of the file. Now let’s curl and see what we get!

Description of image

Nice! So with the second curl command you are gonna want to make sure you use the -L flag to follow all redirects and get to the destination. Web browsers would do this automatically after updating the /etc/hosts file.

Let’s visit the page

Description of image

So I poked around and found a form in the Contact Us form but based on the response after submitting I don’t believe that’s vulnerable. However a Nikto scan points out that nginx is out of date (which I probably should’ve noticed from the prior curl command)

Description of image

I poked around to see if this version had a vulnerability public but I realized I hadn’t done a version enumeration earlier of the software running on the server!

Description of image

The version enumeration returns something interesting…

Description of image

If we look at the ssh port that version number seems…familiar

Description of image

This could be it! I remember when this was announced. A search on GitHub finds the PoC. Let’s give it a shot!