There is no spoon

Nocturnal - HackTheBox [Writeup]



Nocturnal

As always, we start with a basic nmap scan

└─$ nmap 10.129.30.126 -sC -sV -p 22,80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-16 22:07 +04
Nmap scan report for 10.129.30.126
Host is up (0.090s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.82 seconds

Ports 22 (SSH) and 80 (HTTP) are open

Add nocturnal.htb to your hosts file

The website has login and register functionality.

Let’s register a new account.

After logging in, we’re presented with a file upload form.

I tried to upload a PHP file, but the website validates extensions and only pdf, doc, docx, xls, xlsx and odt are allowed.

Then I uploaded a normal PDF file and checked it on the dashboard.

When downloading a file you need to provide the username and file parameters.

When the file exists we simply get the file, but if we try different usernames we see a "User not found" error whenever the supplied username does not exist in the database. That difference in responses is a username enumeration oracle.

So I enumerated usernames, and then files for those users.

We can use ffuf for that.

We found 3 usernames straight away.

Now enumerate files for those users the same way.

We found amanda’s privacy.odt file.

Let’s download and check it. If you don’t have an ODT viewer, you can unzip the file as an archive and read content.xml.

Nice—we’ve found Amanda’s password

We can use that user (amanda) and password to log in to the website.

Perfect, amanda has admin access

The admin panel lets us view the application’s source code, or create and download a backup and inspect the source locally.

I continued examining the source code in VS Code.

Inside admin.php we can see that it runs a shell command to zip the source code for the backup.

That seems like a good attack vector to obtain RCE.

The key point is that the application sanitizes the user-submitted password before passing it to that shell command, to prevent code execution.

Most symbols that let us pipe or chain shell commands are blocked, and even whitespace is prohibited, but newline (\n) and tab (\t) are not sanitized. We can use those characters to obtain RCE.

We can add a newline after the password, and everything after the newline is executed as a separate command.

Instead of spaces we need to use tabs (\t) to bypass the sanitization.

In the following request we are just executing the ls command.
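To make the defensive point concrete, here is an added Python example (not code from the box or from this writeup) that models the blocklist described above, shows that a filtered value can still carry a newline or tab, and contrasts it with an allowlist check plus an argv-based call that never goes through a shell. The zip command line, the regex policy and the crafted input are assumptions for illustration.

```python
import re
import subprocess
import sys

# Constructed model of the pattern described above: a blocklist strips shell
# metacharacters and spaces before the value is spliced into a command string,
# but newline and tab pass through untouched.
BLOCKLIST = set(";&|`$()<>{}[]'\"\\ ")

def weak_sanitize(value: str) -> str:
    """Blocklist filter: removes the listed characters, keeps everything else."""
    return "".join(c for c in value if c not in BLOCKLIST)

def weak_command(password: str) -> str:
    """Hypothetical backup command built by string interpolation (the bug)."""
    # A shell treats a newline in the value as a command separator and a tab
    # as an argument separator, so the blocklist does not make this safe.
    return f"zip -r -P {weak_sanitize(password)} backup.zip ."

def leaves_separators(password: str) -> bool:
    """Detection check: does the filtered value still contain a newline or tab?"""
    filtered = weak_sanitize(password)
    return "\n" in filtered or "\t" in filtered

# Hardened version: validate against an allowlist and never go through a shell.
ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed policy for the zip password

def safe_argv(password: str) -> list[str]:
    """Return argv for the backup job, or raise if the password is not allowed."""
    if not ALLOWED.fullmatch(password):
        raise ValueError("password contains characters outside the allowlist")
    # argv list + shell=False: the value is exactly one argument, never parsed by sh
    return ["zip", "-r", "-P", password, "backup.zip", "."]

def argv_keeps_value_intact(value: str) -> bool:
    """With shell=False even a newline or tab stays inside a single argument.
    The Python interpreter stands in for zip so the demo runs anywhere."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout == value

if __name__ == "__main__":
    crafted = "pw\nls\t-la"  # constructed input mirroring the writeup's newline/tab trick
    print(repr(weak_command(crafted)))     # the separators survive the filter
    print(leaves_separators(crafted))      # True
    print(argv_keeps_value_intact(crafted))  # True
```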

Since this works, and the input is no longer filtered once past the sanitizer, we can make command execution easier: upload (through the upload form we discovered earlier) a PDF file whose content is actually a bash script, which gets saved inside the uploads folder, then execute it.

First, upload the file containing the bash script (which in my case writes its output to result.txt).

Then execute it

and see the result

Cool, it works.

From the source code we know that the website stores users in the nocturnal.db SQLite database.

Let’s copy that database into the webroot so we can download and open it.

Repeat the process: upload the script,

execute it,

and open http://nocturnal.htb/nocturnal.db to download the copied database.

There are usernames and password hashes in the users table.

We already know Amanda’s password. We need to crack tobias’s password hash using hashcat.

Perfect, we can SSH in using Tobias’s credentials and get the user flag.

After checking the listening ports, it appears something is running on port 8080 on localhost.

We can port-forward it using SSH and open it on our machine.

Now it will be available on port 9090 on our machine.

It’s running ISPConfig v3.2, which is affected by CVE-2023-46818, a PHP code injection vulnerability with a publicly available PoC.

To exploit that vulnerability we need the username and password of an ISPConfig user. The amanda and tobias credentials don’t work. However, it turns out the admin user has the same password as tobias, so password reuse is what gives us the way in.

So we now have everything to exploit that vulnerability

and we’ve got the root flag 😋

Pwn3d! 🏁