❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.201
❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.201
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-15 08:53 +0545
Nmap scan report for eighty.hmv (10.0.0.201)
Host is up (0.00099s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c9ced72af9482565a9334bd501e12c52 (RSA)
| 256 7e3d4db4820b13ebdb50e36070f04aad (ECDSA)
|_ 256 7f9d13c87bd9371dcbffe9cef590c332 (ED25519)
70/tcp open http pygopherd web-gopher gateway
| gopher-ls:
|_[txt] /howtoconnect.txt "Connection"
|_http-title: Gopher
80/tcp filtered http
Port 80 is filtered (probably protected by port knocking).
A Gopher server (a predecessor to HTTP) is listening on port 70. Let's check the file listed in the nmap result.
❯ curl http://10.0.0.201:70/howtoconnect.txt
Ping us to: 4767 2343 3142
We get the knock sequence.
❯ knock 10.0.0.201 4767 2343 3142
It opens port 80. Let’s check the content.
❯ curl http://10.0.0.201/robots.txt
/nginx_backup.txt
❯ curl http://10.0.0.201/nginx_backup.txt
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    server_name henry.eighty.hmv;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location /web {
        alias /home/henry/web/;
    }
}
server {
    server_name susan.eighty.hmv;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location /web {
        alias /home/susan/web/;
    }
}
There is an nginx backup. It reveals two subdomains (henry.eighty.hmv and susan.eighty.hmv) whose /web location is aliased to the web/ directory in each user's home.
The location prefix has no trailing slash while the alias target does: the classic nginx alias trailing-slash (off-by-slash) misconfiguration, which lets a request path escape the aliased directory into the user's home.
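As an added check (my own code, not part of this writeup or of the box), a small linter that scans an nginx config for exactly this location/alias trailing-slash mismatch. The sample config is reconstructed from nginx_backup.txt above, with susan's block rewritten in the corrected form so the checker has one vulnerable and one safe case to distinguish.

```python
import re

# Constructed sample: henry's vhost as found in the backup (vulnerable) and
# susan's vhost with the location prefix and alias brought into agreement (safe).
SAMPLE_CONF = """\
server {
    server_name henry.eighty.hmv;
    location /web {
        alias /home/henry/web/;
    }
}
server {
    server_name susan.eighty.hmv;
    location /web/ {
        alias /home/susan/web/;
    }
}
"""

SERVER_NAME_RE = re.compile(r"^\s*server_name\s+(\S+)\s*;")
LOCATION_RE = re.compile(r"^\s*location\s+(?:(=|\^~|~\*?)\s+)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"^\s*alias\s+(\S+?)\s*;")


def find_alias_mismatches(conf_text):
    """Return (server_name, location, alias) for every prefix location whose
    prefix lacks a trailing slash while its alias target ends with one.
    nginx substitutes the alias for the matched prefix verbatim, so any
    request path that continues past '/web' is resolved relative to the
    alias's parent directory instead of staying inside it."""
    findings = []
    server_name = "(default)"
    modifier, location = None, None
    for line in conf_text.splitlines():
        if m := SERVER_NAME_RE.match(line):
            server_name = m.group(1)
        elif m := LOCATION_RE.match(line):
            modifier, location = m.group(1), m.group(2)
        elif (m := ALIAS_RE.match(line)) and location is not None:
            alias = m.group(1)
            # Only plain and ^~ prefix locations do prefix substitution;
            # exact (=) and regex (~, ~*) locations are not affected this way.
            if modifier in (None, "^~") and not location.endswith("/") and alias.endswith("/"):
                findings.append((server_name, location, alias))
            location = None
    return findings


if __name__ == "__main__":
    for server, loc, alias in find_alias_mismatches(SAMPLE_CONF):
        print(f"{server}: location {loc} -> alias {alias} (trailing-slash mismatch)")
```

Remediation is what susan's block shows: give the location prefix and the alias the same trailing-slash form (`location /web/ { alias /home/susan/web/; }`), or serve the directory with `root` instead of `alias`.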