Use nmap to do a thorough port scan.

Check the HTTP services (ports 80, 1337, 12320, 12322).

https://192.168.227.163:1337/ requires HTTP auth.

https://192.168.227.163:12320/ seems to be a browser-based SSH server.

That left me with https://192.168.227.163:12322/ and http://192.168.227.163

Found this: https://192.168.227.163:12322/robots.txt

Seems to be an arbitrary file read, and the parameter is “file”.

Tried with the GET method but still got the same response.

Tried with the POST method and the response was gone. Fuzz fuzz fuzz.

OK, now I can read arbitrary files. Walked around and got nothing special, so I decided to take a look at the nginx configuration file.

Noticed “include /etc/nginx/sites-enabled/*;”, so I took a look at its default configuration.

I can read the HTTP auth file at /var/www/p4ss/.htpasswd and try to decrypt it, but that would take a lot of time, so I just took a look at 1337’s main page.

There is an interesting link here: img src="h1dd3n.jpg"

Checked with binwalk and exiftool but got nothing.

Tried steghide to extract information. Successfully extracted n30.txt with the password “n30” from /etc/passwd.

I guess “P4w0rd” would be the password for n30.
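
The file read through the “file” parameter is what exposed /etc/passwd, the nginx configuration and the .htpasswd path above. As an added example (not code from the target or from this writeup), here is how a handler can confine such a parameter to one directory; the function names, the served directory and the sample requests are assumptions constructed for the demonstration.

```python
import os
import tempfile

class PathRejected(Exception):
    """The requested name resolves outside the served directory."""

def resolve_confined(base_dir, requested):
    """Return the canonical path for `requested`, or raise PathRejected."""
    base = os.path.realpath(base_dir)
    # realpath() collapses ../ and follows symlinks; join() lets an absolute
    # request such as /etc/passwd replace base, which the check below catches.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PathRejected(requested)
    # Dotfiles (.htpasswd and similar) are never served, even inside base.
    if os.path.basename(candidate).startswith("."):
        raise PathRejected(requested)
    if not os.path.isfile(candidate):
        raise PathRejected(requested)
    return candidate

def read_confined(base_dir, requested):
    with open(resolve_confined(base_dir, requested), "rb") as fh:
        return fh.read()

def demo():
    """Run constructed requests against a constructed tree; True = served."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        served = os.path.join(root, "served")
        os.makedirs(served)
        secret = os.path.join(root, "secret.txt")  # sits outside served/
        for path, body in [(os.path.join(served, "index.txt"), "hello"),
                           (os.path.join(served, ".htpasswd"), "user:hash"),
                           (secret, "outside")]:
            with open(path, "w") as fh:
                fh.write(body)
        os.symlink(secret, os.path.join(served, "link.txt"))
        for req in ["index.txt", "../secret.txt", "/etc/passwd",
                    ".htpasswd", "link.txt"]:
            try:
                read_confined(served, req)
                results[req] = True
            except PathRejected:
                results[req] = False
    return results

if __name__ == "__main__":
    for request, served in demo().items():
        print(f"{request!r:20} served={served}")
```

The comparison is done on canonical paths, so the symlink inside the served directory is rejected along with the traversal and absolute-path requests.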