Server-side Attacks Module - Nginx Reverse Proxy & AJP

Hi guys, I’m stuck on the Nginx Reverse Proxy & AJP flag. I’ve done everything according to HTB and have restarted the pwnbox multiple times, but I still got a 502 error.

Here are the commands I copy-pasted on the pwnbox (I tried my host as well):

echo '<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
</tomcat-users>' > tomcat-users.xml

sudo apt install docker.io --yes
sudo docker run -it --rm -p 8009:8009 -v `pwd`/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml --name tomcat "tomcat:8.0"
sudo systemctl restart docker
wget https://nginx.org/download/nginx-1.21.3.tar.gz
tar -xzvf nginx-1.21.3.tar.gz
rm nginx-1.21.3.tar.gz
git clone https://github.com/dvershinin/nginx_ajp_module.git
cd nginx-1.21.3
sudo apt install libpcre3-dev --yes
./configure --add-module=`pwd`/../nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules
make
sudo make install

nginx -V output:

nginx version: nginx/1.21.3
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
configure arguments: --add-module=/home/htb-ac-559209/nginx-1.21.3/…/nginx_ajp_module --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules

I then changed the content of the /etc/nginx/conf/nginx.conf file by commenting out everything related to the server block (except for the last curly bracket, which is http related).

Then I inserted the following:

	upstream tomcats {
		server 94.237.54.48:8009;
		keepalive 10;
		}
	server {
		listen 8080;
		location / {
			ajp_keep_conn on;
			ajp_pass tomcats;
		}
	}

The final file looks like:

┌─[eu-academy-1]─[10.10.15.101]─[htb-ac-559209@htb-lbm3ggliam]─[~/nginx-1.21.3]
└──╼ [★]$ cat /etc/nginx/conf/nginx.conf | grep -v '#'

  worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

	upstream tomcats {
		server 94.237.54.48:8009;
		keepalive 10;
		}
	server {
		listen 8080;
		location / {
			ajp_keep_conn on;
			ajp_pass tomcats;
		}
	}

    sendfile        on;

    keepalive_timeout  65;
}

I’ve tried adding the code block both outside and inside the http block, same output:

┌─[eu-academy-1]─[10.10.15.101]─[htb-ac-559209@htb-lbm3ggliam]─[~/nginx-1.21.3]
└──╼ [★]$ curl http://127.0.0.1:8080
<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.21.3</center>
</body>
</html>

Would appreciate some help. I’ve already finished the entire bug bounty path, but still stuck on this one.
Thanks

Hey, you need to change the default AJP port (8009) to your target port; everything else is correct…
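
A quick way to confirm which port on the target actually speaks AJP before putting it in the `upstream` block, as an added example that is not part of the thread or the HTB module: it sends an AJP13 CPing and checks for the CPong reply. The function name, the result strings and the command-line arguments are assumptions made for this sketch.

```python
import socket

CPING = b"\x12\x34\x00\x01\x0a"  # AJP13 magic 0x1234, length 1, type 10 (CPing)
CPONG = b"AB\x00\x01\x09"        # container magic "AB", length 1, type 9 (CPong)


def _recv_exact(sock, n):
    """Read up to n bytes, stopping early if the peer closes the connection."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_ajp(host, port, timeout=3.0):
    """Return 'ajp', 'not-ajp' or 'unreachable' for host:port (hypothetical helper)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Refused, filtered or timed out: nginx answers 502 for such an upstream.
        return "unreachable"
    with sock:
        try:
            sock.sendall(CPING)
            reply = _recv_exact(sock, len(CPONG))
        except OSError:
            # Connected, but the peer reset or never answered the CPing.
            return "not-ajp"
    return "ajp" if reply == CPONG else "not-ajp"


if __name__ == "__main__":
    import sys
    # Usage: python3 ajp_probe.py <target-ip> <port> [<port> ...]
    target = sys.argv[1]
    for p in sys.argv[2:]:
        print(f"{target}:{p} -> {probe_ajp(target, int(p))}")
```

Only a port that reports `ajp` belongs in the `server` line of the `upstream tomcats` block.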