Welcome back to Exploitnetworking! Alienise was a web challenge from SECT CTF 2018 in which you abuse an nginx misconfiguration to get the flag. The first step is to open the website and inspect the source code:

As you can see, there is a commented-out link. Try inserting this directory into the URL to see what happens: the response is a 403 Forbidden error. Now we can inspect the request with Burp to see the details:

Interesting: there is a redirect, and it is an information disclosure because it reveals a new path, /static/admin_current.zip. Unfortunately this path doesn’t work on alienise.se; it works only on the cdn subdomain (thanks to the hint on Twitter by @sectctf!). So type this URL: cdn.alieni.se/static/admin_current.zip and download the zip file.

The zip file contains a backup of the whole admin site, with two interesting files: creator.py and nginx.conf. In creator.py there is this function:

This means that the output of the index page is the flag. But how do we reach that directory? Open config.py and see that these server files are the admin “application”, which runs on port 81:

So the flag is printed only if we can reach the home of the admin page! But how? Open nginx.conf to inspect it:

As we can see, the server returns a 403 error if the URL is “admin.alieni.se” and the IP is not “10.1.33.7”. But if we look carefully at the first condition:

we can see that it is a “strict” comparison, so what happens if we insert “Admin.alieni.se” or “aDmin.alieni.se”? Try modifying the host in Burp, along with the URL parameter and the port, and send the request.
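
The host check described above, modelled in Python next to a hardened version that canonicalises the Host header before comparing. This is an added example, not the challenge's nginx.conf or code from the original post; the function names and the sample requests are assumptions made for illustration, while the host name and allowed IP are the ones quoted in the write-up.

```python
# Added example: a model of the host/IP deny rule, not the challenge's own config.
ADMIN_HOST = "admin.alieni.se"   # host name quoted in the write-up
ALLOWED_IP = "10.1.33.7"         # allowed address quoted in the write-up


def weak_is_denied(host_header: str, client_ip: str) -> bool:
    """Deny only when the Host matches byte-for-byte and the IP is not allowed."""
    return host_header == ADMIN_HOST and client_ip != ALLOWED_IP


def normalize_host(host_header: str) -> str:
    """Canonicalise a Host header for a DNS name: drop the port, fold the case."""
    host, _, _port = host_header.strip().partition(":")
    return host.lower()


def hardened_is_denied(host_header: str, client_ip: str) -> bool:
    """Compare the canonical host, so every spelling of the name hits the rule."""
    return normalize_host(host_header) == ADMIN_HOST and client_ip != ALLOWED_IP


def audit(samples):
    """Return Host values that the weak rule lets through but the hardened one denies."""
    return [host for host, ip in samples
            if not weak_is_denied(host, ip) and hardened_is_denied(host, ip)]


# Constructed sample requests (Host header, client IP).
# 203.0.113.5 is a documentation address standing in for an outside client.
SAMPLES = [
    ("admin.alieni.se", "203.0.113.5"),
    ("Admin.alieni.se", "203.0.113.5"),
    ("aDmin.alieni.se", "203.0.113.5"),
    ("admin.alieni.se", "10.1.33.7"),
    ("cdn.alieni.se", "203.0.113.5"),
]

if __name__ == "__main__":
    for host in audit(SAMPLES):
        print("weak rule misses:", host)
```

Host names are case-insensitive, so any access rule keyed on the Host header should compare the canonical form; a deny rule that only fires on an exact match fails open for every other spelling.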

Here is an interesting book on web security: https://amzn.to/2OmkBMU
