Nocturnal - Hack The Box
This machine is part of Hack The Box (HTB) and is rated as an easy-level Linux challenge. It’s an excellent opportunity to practice skills in web enumeration, exploiting file upload vulnerabilities, and privilege escalation. Throughout this challenge, we will explore a vulnerable web application, uncover misconfigurations and ultimately escalate our privileges to gain root access. Let’s dive into the journey and see how we can break into this system!
Initial enumeration
To start, we add the target's IP address to our /etc/hosts file and perform a full port scan using nmap:

```bash
nmap nocturnal.htb -sV -sC -p- -oN nmapres
```
The scan reveals two open ports:

- 22/tcp: ssh service
- 80/tcp: http service
Next, we can perform a directory enumeration using gobuster. I opted for the raft-medium-words.txt wordlist from SecLists, which is a solid middle ground for discovering common and semi-obscure paths.
```bash
gobuster dir -u http://nocturnal.htb -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words.txt > gobusterres
```
The scan revealed several interesting directories:

- /backups – returned a 301 redirect (potentially interesting for file exposure or backup leaks)
- Multiple /uploads_* directories and /uploads – all returned 403 Forbidden, suggesting restricted areas that might become useful later on
- /uploadscript – also 403, which could hint at some form of file upload functionality

The /backups directory was the most promising lead at this stage: a 301 on a bare directory name is the web server redirecting to /backups/, so the directory exists even though nothing has been served from it yet. I decided to investigate it further.
To complement the initial findings from gobuster, I ran a second enumeration using dirsearch, which is often effective at identifying files and directories with different heuristics and more HTTP feedback.
```bash
dirsearch -u http://nocturnal.htb
```
Key findings:

- /admin.php and /dashboard.php – both returned a 302 redirect to login.php, indicating protected admin or user panels.
- /login.php – accessible (200 OK), confirming there is an authentication mechanism.
- /register.php – also accessible, which might allow user registration.
Let's check the web page at http://nocturnal.htb:80:
After registering an account and logging in, we can access dashboard.php:
We can see that we can upload files. Let's see if we can uncover some interesting information.
First, I tried to upload a PHP file:
```php
<?php
print "test printing my php file";
?>
```
And then I get this error message:
It seems that there is a mechanism that checks the file format…
So I tried to bypass this check with a double extension, appending .pdf to the PHP file name:
We can visit the following link: http://nocturnal.htb/view.php?username=test&file=test.php.pdf
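To make the failure mode concrete, here is an added example (not code from the box or from the author; the target's real server-side check is never shown on the page, so the weak check is an assumption about how a format check that accepts test.php.pdf can look). It contrasts that name-based check with one that validates the content's leading bytes, refuses NUL bytes and multiple extensions, and discards the user-supplied name; the note about Apache's AddHandler matching any extension in a name is general server behaviour, not something the page establishes about this box.

```python
"""Name-based upload validation versus content-aware validation.

Added example, not code from the Nocturnal box or its author. The page never
shows the target's server-side check, so weak_check() is an assumption about
how a format check that accepts 'test.php.pdf' can look.
"""
import os
import secrets
from typing import Tuple

ALLOWED_EXTENSIONS = {"pdf", "odt", "xlsx"}  # assumed whitelist for the demo

# Leading bytes expected for each allowed type. .odt and .xlsx are both ZIP
# containers, so they share the local-file-header signature.
MAGIC = {
    "pdf": b"%PDF-",
    "odt": b"PK\x03\x04",
    "xlsx": b"PK\x03\x04",
}


def weak_check(filename: str) -> bool:
    """Assumed weak validation: only the trailing extension of the name is
    consulted. 'test.php.pdf' passes and is then stored under that name, where
    a handler mapping such as Apache's AddHandler for '.php' can still treat
    it as PHP, because AddHandler matches any extension in the name."""
    return filename.lower().endswith(tuple("." + ext for ext in ALLOWED_EXTENSIONS))


def strict_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Hardened validation. Returns (accepted, storage_name).

    - reject NUL bytes, so 'test.php%00.pdf' never reaches the filesystem
    - drop any directory component the client supplied
    - require exactly one extension, taken from a whitelist
    - require the content's leading bytes to match the declared type
    - store under a random name, never the client-supplied one
    """
    if "\x00" in filename:
        return False, ""
    base = os.path.basename(filename)
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False, ""
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, ""
    if not content.startswith(MAGIC[ext]):
        return False, ""
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    php_payload = b'<?php print "test printing my php file"; ?>'  # constructed
    pdf_payload = b"%PDF-1.4\n%constructed sample\n"            # constructed
    for name, data in [("test.php.pdf", php_payload), ("report.pdf", pdf_payload)]:
        print(name, "weak:", weak_check(name), "strict:", strict_check(name, data)[0])
```

The content check is what makes the difference: the PHP payload fails strict_check even when it is renamed to a plain .pdf, while a real PDF passes and is stored under a random name that carries no trace of the client's input.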
We notice that view.php lists all the files uploaded by the user named in the username parameter, which raises the question of whether we can view files uploaded by other users.
For this, we can fuzz the username parameter with ffuf, filtering out the response size returned for non-existent users:

```bash
ffuf -u "http://nocturnal.htb/view.php?username=FUZZ&file=test.php%00.pdf" -w /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -H "Cookie: PHPSESSID=u92mhca6ftq8d9702thsuacfvi" -fw 1170
```
The output shows us a list of valid users that we can investigate for any relevant information:

- admin: No files available for download.
- greg: An accounts.xlsx file was found, but I wasn't able to download it…
- amanda: There was a privacy.odt file available and I was able to download it:
After downloading it, we have to unzip it (an .odt document is a ZIP archive):
If we check the content.xml file, we can find Amanda's password:
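The unzip-and-read step can be scripted so that every paragraph of the document is recovered in order, with nested spans joined back into single lines. The script below is an added example, not the author's code: it builds a minimal .odt in memory from constructed sample lines (the real privacy.odt and its contents are not reproduced) and then parses it the way one would parse the downloaded file.

```python
"""Extract the text of an OpenDocument file straight from its ZIP container.

Added example, not the author's code. An .odt is a ZIP archive whose body
text lives in content.xml; everything below is built in memory so it runs
offline, and the sample document is constructed for the demo (the contents
of the real privacy.odt are not reproduced here).
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List
from xml.sax.saxutils import escape

TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"

# Constructed sample lines, standing in for the real document.
SAMPLE_LINES = [
    "Dear Amanda,",
    "Your account password is: Example-Pass-123",
    "This password has been configured for all your services.",
]


def build_sample_odt(lines: List[str]) -> bytes:
    """Build a minimal but valid .odt container around the given paragraphs."""
    body = "".join(f"<text:p>{escape(line)}</text:p>" for line in lines)
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}">'
        f"<office:body><office:text>{body}</office:text></office:body>"
        "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # The mimetype entry is conventionally first and stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
    return buf.getvalue()


def odt_paragraphs(data: bytes) -> List[str]:
    """Return every non-empty paragraph or heading from content.xml, in document order.

    This is the scripted equivalent of 'unzip privacy.odt' followed by reading
    content.xml, except that nested <text:span> runs are joined into one line.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    wanted = {f"{{{TEXT_NS}}}p", f"{{{TEXT_NS}}}h"}
    paragraphs = []
    for elem in root.iter():
        if elem.tag in wanted:
            text = "".join(elem.itertext()).strip()
            if text:
                paragraphs.append(text)
    return paragraphs


def credential_lines(paragraphs: List[str]) -> List[str]:
    """Keep only lines that look credential-related; a quick triage filter."""
    keywords = ("password", "passwd", "credential")
    return [p for p in paragraphs if any(k in p.lower() for k in keywords)]


if __name__ == "__main__":
    doc = build_sample_odt(SAMPLE_LINES)
    for line in credential_lines(odt_paragraphs(doc)):
        print(line)
```

Against a downloaded file, replace build_sample_odt() with the bytes of privacy.odt read from disk; odt_paragraphs() itself does not care where the archive came from.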
The message tells us that it has been configured for all their services. However, it is not possible to connect to SSH with Amanda's password…
Let's see if we can log in to the nocturnal website with Amanda's account:
The login was successful, and we also noticed that Amanda has access to the Admin Panel. This is a Broken Access Control issue: view.php trusts the username parameter instead of the session, an insecure direct object reference that let us read files belonging to other users, including a higher-privileged account like Amanda, and thereby escalate from a self-registered account to the Admin Panel.
The Admin Panel includes a feature to perform backups, which might be useful for further enumeration:
So let's try to make a backup:
Using Amanda's password, we can confirm that the backup process completes successfully. As part of this process, a file named nocturnal_database.db is saved within the generated ZIP archive. This file is likely to contain valuable information that could be leveraged for further exploitation or privilege escalation.
Looking in the nocturnal_database.db file, we can find the password hash for the admin account:
So I tried to crack it with john, but I didn't succeed. I then tried to crack tobias's hash instead (obviously skipping Amanda, since we already have her password).
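The triage of the recovered database, as an added example that is not the author's code: it lists the user tables and their columns, dumps the rows, and runs any password-like column through a plain wordlist attack. The schema, hashes and wordlist are constructed for the demo (no value from the real nocturnal_database.db appears here), and guessing the algorithm from the digest length is an assumption that stands in for john's own format detection.

```python
"""Triage a SQLite database pulled from a backup and run its hashes against a wordlist.

Added example, not the author's code. The page shows nocturnal_database.db
holding account hashes that were cracked with john; the schema, hashes and
wordlist below are constructed for the demo, and guessing the algorithm from
the digest length is an assumption (john's own format detection is what the
write-up actually relied on).
"""
import hashlib
import sqlite3
from typing import Dict, Iterable, List, Optional, Tuple

DIGEST_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}  # unsalted hex digests only


def list_tables(conn: sqlite3.Connection) -> List[str]:
    """User tables only; sqlite_* internals are skipped."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


def columns(conn: sqlite3.Connection, table: str) -> List[str]:
    # Table names come from sqlite_master, so double-quoting them is enough here.
    return [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]


def dump_table(conn: sqlite3.Connection, table: str) -> List[Tuple]:
    return conn.execute(f'SELECT * FROM "{table}"').fetchall()


def guess_algorithm(digest: str) -> Optional[str]:
    """Length-based guess for unsalted hex digests; anything else is left alone."""
    if digest and all(c in "0123456789abcdefABCDEF" for c in digest):
        return DIGEST_BY_LENGTH.get(len(digest))
    return None


def crack(digest: str, wordlist: Iterable[str]) -> Optional[str]:
    """Plain wordlist attack, the simplest thing john does with --wordlist."""
    algo = guess_algorithm(digest)
    if algo is None:
        return None
    target = digest.lower()
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def triage(conn: sqlite3.Connection, wordlist: List[str]) -> Dict[str, Optional[str]]:
    """For every table with a password-like column, map each row's name column
    to the cracked plaintext, or None when the wordlist misses."""
    results: Dict[str, Optional[str]] = {}
    for table in list_tables(conn):
        cols = columns(conn, table)
        pass_idx = [i for i, c in enumerate(cols) if "pass" in c.lower() or "hash" in c.lower()]
        if not pass_idx:
            continue
        name_idx = next((i for i, c in enumerate(cols)
                         if "user" in c.lower() or "name" in c.lower()), 0)
        for row in dump_table(conn, table):
            results[str(row[name_idx])] = crack(str(row[pass_idx[0]]), wordlist)
    return results


# Constructed stand-ins; none of these are values from the real database.
SAMPLE_USERS = [("admin", "NotInAnyWordlist!"), ("amanda", "amanda-example"), ("tobias", "winter2024")]
WORDLIST = ["password", "winter2024", "amanda-example", "letmein"]


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with the same shape as a users table from a backup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [(u, hashlib.md5(p.encode()).hexdigest()) for u, p in SAMPLE_USERS],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table in list_tables(db):
        print(table, columns(db, table), dump_table(db, table))
    print(triage(db, WORDLIST))
```

The constructed result mirrors the write-up: admin's hash survives the wordlist, tobias's does not. For a real file, swap sqlite3.connect(":memory:") for the path to nocturnal_database.db and point the wordlist at rockyou or whatever john was run with.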
Initial foothold
And we can see that I've cracked it! So now we can try to connect to his account using the SSH service:
User flag
Now that we have access, our next step is to retrieve the user flag.
By checking the running services, we found a web service running on localhost:8080 on the target machine. Since it’s only accessible locally, we used SSH port forwarding to map it to localhost:8081 on our machine. This allowed us to access the web application running on port 8080 via localhost:8081 in our browser.
```bash
ssh -L 8081:127.0.0.1:8080 tobias@nocturnal.htb
```
The service turned out to be ISPConfig, a hosting control panel, which could potentially help us find more ways to escalate our privileges or gain access to other parts of the system.
We used Tobias’s password with the admin username to log into the website :
It seems that we cannot find any relevant information on the page itself. However, if we view the page source, we can see the ISPConfig version in use:
CVE-2023-46818 exploit
CVE-2023-46818 is a PHP code injection in ISPConfig's language file editor, fixed in 3.2.11p1 and reachable only from an admin session, which is why the admin login obtained above matters. Searching on the Internet, I found an exploit for this vulnerability at the following link: exploit
Root flag
Finally, after successfully exploiting this vulnerability, we are able to read the root flag :
Congratulations! This challenge provided an excellent opportunity to practice web enumeration, exploiting file upload vulnerabilities, and privilege escalation techniques. From discovering a Broken Access Control vulnerability in file access to exploiting a vulnerable ISPConfig service, this CTF demonstrated how persistence and methodical testing can lead to root access.
Thanks for reading, and happy hacking!