HTB Nocturnal IDOR → Command Injection → Root via ISPConfig ...#1360

Merged
carlospolop merged 3 commits into master from update_HTB_Nocturnal__IDOR___Command_Injection___Root_via_20250827_191622
Aug 28, 2025

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html
  • Blog Title: HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)
  • Suggested Section: Generic Hacking -> Command Injection (filter bypass with newline/tab); cross-reference in Web/IDOR techniques if available

🎯 Content Summary

HTB Nocturnal — Technical Exploitation Summary

Target and Attack Chain

Target: HTB Nocturnal (Linux/Ubuntu 20.04.6 LTS kernel 5.4.0-212, OpenSSH 8.2p1 Ubuntu 4ubuntu0.12, nginx 1.18.0, PHP).

Attack chain:

  • IDOR → admin backup command injection → www-data shell → dump/crack MD5 → tobias → ISPConfig PHP code injection (CVE-2023-46818) → root.

Recon

  • nmap: 22/tcp (OpenSSH 8.2p1), 80/tcp...

    🔧 Technical Details

    IDOR-based enumeration and file theft: When a download endpoint accepts both username and filename, diff error responses to build an oracle that confirms user existence and lists files. Use an authenticated ffuf run against /view.php?username=FUZZ&file=test.doc, filtering "User not found" to enumerate valid users, then request their files directly.

    Bypassing command-injection blacklists with newlines/tabs: If user input is concatenated into a she...

    🤖 Agent Actions

    I analyzed the blog and updated HackTricks with the core, reusable techniques it contains:

    What I added/updated

    • Command injection blacklist bypass using newline/tab in PHP proc_open/system contexts

      • Added a concise, practical subsection in pentesting-web/command-injection.md that explains:
        • Why newline (%0a) starts a new command and tab (%09) can replace spaces when filters block space/;|& etc.
        • How this behaves under PHP proc_open/system (string spawns /bin/sh -c).
        • Working payloads, including a multi-line fetch-then-execute chain without needing &.
      • Appended references to the PHP proc_open manual and the 0xdf blog post.
    • IDOR error-response oracles for user/file enumeration

      • Augmented pentesting-web/idor.md with “Error-response oracle for user/file enumeratio...

    This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

    📚 Repository Maintenance

    • MD files processed: 874
    • MD files fixed: 1

    All .md files have been checked for proper formatting (headers, includes, etc.).

    🗑️ File Cleanup

    • searchindex.js removed: This auto-generated file has been removed to prevent conflicts

    The searchindex.js file is automatically generated and should not be included in manual commits.
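
The newline/tab blacklist bypass summarized in the PR description above, seen from the defending side as an added example (not code from this PR, HackTricks, or the 0xdf post): a metacharacter blacklist beside an allowlist check and the array form of proc_open. The blacklist contents, function names and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not from the PR or the blog. The blacklist contents, the
// function names and the sample inputs are assumptions for illustration.

// Weak: rejects a fixed set of shell metacharacters but forgets "\n" and "\t".
function blacklist_ok(string $s): bool {
    foreach ([' ', ';', '|', '&', '$', '`', '(', ')', '<', '>'] as $bad) {
        if (strpos($s, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Strict: allowlist anchored with \A and \z ("$" alone would still accept a
// trailing newline), so no whitespace or control character gets through.
function allowlist_ok(string $s): bool {
    return preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $s) === 1;
}

// Array form of proc_open (PHP >= 7.4): the program is executed directly,
// without /bin/sh -c, so every value stays exactly one argv element.
function run_argv(array $argv): string {
    $proc = proc_open($argv, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// Constructed inputs: a normal value, and one with newline + tab separators.
$samples = ['s3cret', "x\necho\tSECOND_COMMAND_RAN"];
foreach ($samples as $pw) {
    printf("%-34s blacklist=%-6s allowlist=%s\n", json_encode($pw),
        blacklist_ok($pw) ? 'pass' : 'reject',
        allowlist_ok($pw) ? 'pass' : 'reject');
}

$pw = $samples[1];
// String form: the whole line goes to /bin/sh -c, the newline ends the first
// command and the tab separates words in the second one.
echo "string form:\n", shell_exec("printf '%s\\n' pw=" . $pw);
// Array form: the same bytes arrive as one argument and are only printed.
echo "array form:\n", run_argv(['printf', '%s\n', 'pw=' . $pw]);
```

Run it with the PHP CLI on a Linux host: only the string form prints SECOND_COMMAND_RAN on a line of its own, while the array form echoes the input back as data.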

Build master and others added 2 commits August 27, 2025 04:04
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> Command Injection (filter bypass with newline/tab); cross-reference in Web/IDOR techniques if available".

Repository Maintenance:

  • MD Files Formatting: 874 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

github-actions Bot force-pushed the master branch 2 times, most recently from 083f622 to 52cdbdb, August 28, 2025 12:00
carlospolop merged commit d352bb9 into master Aug 28, 2025
carlospolop deleted the update_HTB_Nocturnal__IDOR___Command_Injection___Root_via_20250827_191622 branch August 28, 2025 14:02
github-actions Bot pushed a commit that referenced this pull request Aug 28, 2025
…DOR___Command_Injection___Root_via_20250827_191622

HTB Nocturnal IDOR → Command Injection → Root via ISPConfig ...