Ok we’ve got another one of the seasonal machines here, lets get to it!
Initial nmap scan scanning all ports only returns two, the common ones I come across

Seeing as we have an open http port let’s run a quick curl command to pull in the header

Based on the header response we are redirecting to a different domain, so let’s update our /etc/hosts file and curl again. Updating the /etc/hosts file is necessary to manually map the domain to the webservers IP address.

So in this case, you would add that entry at the end of the file. Now let’s curl and see what we get!

Nice! So with the second curl command you are gonna want to make sure you use the -L flag to follow all redirects and get to the destination. Web browsers would do this automatically after updating the /etc/hosts file.
Let’s visit the page

So I poked around and found a form in the Contact Us form but based on the response after submitting I don’t believe that’s vulnerable. However a Nikto scan points out that nginx is out of date (which I probably should’ve noticed from the prior curl command)

I poked around to see if this version had a vulnerability public but I realized I hadn’t done a version enumeration earlier of the software running on the server!

The version enumeration returns something interesting…

If we look at the ssh port that version number seems…familiar

This could be it! I remember when this was announced. A search on GitHub finds the PoC. Let’s give it a shot!