nginx
High-performance web server and reverse proxy. The config files are the prize: sites-enabled leaks hidden vhosts and web roots, and alias/proxy misconfigurations enable path traversal and SSRF.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | HTTP |
| 443 | tcp | HTTPS |
Fingerprint
- Server: nginx response header
- Default welcome page or a custom vhost
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/nginx/nginx.conf | main config | |
| /etc/nginx/sites-enabled/ | active vhosts, leaks other subdomains and web roots | sensitive |
| /etc/nginx/sites-available/ | all defined vhosts | sensitive |
| /etc/nginx/.htpasswd | basic-auth credentials when used | sensitive |
Service users
- www-data
- nginx
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2017-7529 | Integer overflow in the range filter, info leak |
Exploitation primitives
- Reading sites-enabled/* via LFI or file-read reveals hidden vhosts and web-root paths to pivot to
- Off-by-slash alias misconfig (`location /assets { alias /var/www/assets/; }`) enables directory traversal: the prefix `/assets` also matches `/assets../`, and the remainder `../` is appended to the alias path, so the request resolves to `/var/www/assets/../`
- proxy_pass to an internal host enables SSRF
Overview
nginx serves web content and proxies upstreams. On a box it is rarely the direct vuln; instead its config files leak the rest of the attack surface (other vhosts, web roots, basic-auth files) and common misconfigs give traversal or SSRF.
Enumeration
Check the Server header:
curl -sI http://<TARGET>/
After a file-read / LFI primitive, read the vhosts (reveals server_name + root paths):
cat /etc/nginx/sites-enabled/default
Notes
- Map every server_name and root you find to new vhosts (add them to /etc/hosts).
- Test alias locations for the off-by-slash traversal.
Hardening
Avoid alias without trailing-slash care, restrict proxy_pass targets, and keep config files unreadable by app users.
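To make the alias check in the notes and the hardening advice concrete, here is an added example (not from the original page): a small Python linter that flags prefix `location` blocks using `alias` without a trailing slash on the prefix, the pattern behind the `/assets../` traversal. The sample configuration is constructed for the example and does not come from any real host.

```python
import re

# Constructed sample config: one vulnerable location, one hardened one, and a
# regex location (which the off-by-slash rule does not apply to, so it is skipped).
SAMPLE_CONF = """
server {
    server_name assets.example.internal;
    root /var/www/html;
    location /assets {            # no trailing slash: /assets../ escapes the alias dir
        alias /var/www/assets/;
    }
    location /static/ {           # trailing slash on the prefix: remainder cannot start with ../
        alias /var/www/static/;
    }
    location ~ ^/img/(.*)$ {      # regex location, handled differently, not checked here
        alias /var/www/img/$1;
    }
}
"""

# location [modifier] <prefix-or-regex> {
LOCATION_RE = re.compile(r'location\s+(?:(=|\^~|~\*?)\s+)?(\S+)\s*\{')


def find_alias_traversal(conf: str):
    """Return (location_prefix, alias_target) pairs for every prefix location
    (no modifier, or ^~) whose prefix lacks a trailing slash but maps to an
    alias. Exact (=) and regex (~, ~*) locations are skipped."""
    conf = re.sub(r'#[^\n]*', '', conf)          # drop comments so they cannot confuse the scan
    findings = []
    for m in LOCATION_RE.finditer(conf):
        modifier, prefix = m.group(1), m.group(2)
        # walk forward to the brace that closes this location block
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i]
        alias = re.search(r'\balias\s+([^;]+);', body)
        if alias and modifier in (None, '^~') and not prefix.endswith('/'):
            findings.append((prefix, alias.group(1).strip()))
    return findings


if __name__ == "__main__":
    for prefix, target in find_alias_traversal(SAMPLE_CONF):
        print(f"off-by-slash alias: location {prefix} -> alias {target}")
```

Run it over `/etc/nginx/nginx.conf` plus each file in `sites-enabled/` during a config review; the fix for every hit is to end the location prefix with `/` (or replace `alias` with `root`).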