Login
Hack The Box: Nocturnal Machine Walkthrough β Easy Difficulty
Introduction to Nocturnal:
In this write-up, we will explore the βNocturnalβ machine from Hack The Box, categorised as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βNocturnalβ machine from Hack The Box by achieving the following objectives:
User Flag:
To grab the user flag on Nocturnal, we started by exploring the file upload functionality after creating an account. Uploading a .odt file and unpacking it revealed a hidden password inside content.xml using xmllint. Initial attempts to SSH or use pwncat-cs failed, but the password worked on the web dashboard, letting us upload files as Amanda. Leveraging the backup feature, we injected a reverse shell, landing a www-data shell. From there, we navigated the nocturnal_database directory, pulled password hashes, cracked Tobiasβs password (slowmotionapocalypse), and captured the user flag
Root Flag:
For the root flag, basic enumeration showed no exploitable binaries, but port 8080 was listening. After port forwarding, we accessed the ISPConfig panel. Tobiasβs credentials didnβt work, but the admin password gave us full access. Identifying the ISPConfig version from the source and Help section, we grabbed a public exploit, executed it, and gained root shell access. Finally, the root flag was obtained
Enumerating the Nocturnal Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.64Nmap Output:
ββ[dark@parrot]β[~/Documents/htb/nocturnal]
ββββΌ $nmap -sC -sV -oA initial 10.10.11.64
# Nmap 7.94SVN scan initiated Sat Aug 9 04:55:52 2025 as: nmap -sC -sV -oA initial 10.10.11.64
Nmap scan report for 10.10.11.64
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 9 04:56:46 2025 -- 1 IP address (1 host up) scanned in 54.95 secondsAnalysis:
- Port 22 (SSH): OpenSSH 8.2p1 running on Ubuntu, providing secure shell access for remote login. The server exposes RSA, ECDSA, and ED25519 host keys.
- Port 80 (HTTP): Nginx 1.18.0 serving the web application on Ubuntu. The HTTP title did not follow the redirect to
http://nocturnal.htb/, indicating the presence of a web interface.
Web Enumeration:
Web Application Exploration:
The website interface appears as shown above.
Tried logging in with the credentials admin:admin, but it failed.
Hereβs a smoother version:
Sadly, the credentials are invalid.
Attempted to register a new account using dark:dark, but received a βfailed to register userβ error.
However, account creation succeeded with test:test, which was unusual. Further troubleshooting revealed that both the username and password must contain more than six characters in total.
We were redirected to a file upload page.
Before proceeding, letβs attempt to upload a simple text file.
The upload failed because only certain file formats are allowed.
Therefore, letβs try uploading a random PDF file to the application.
In Burp Suite, it appears as shown above.
We successfully uploaded the PDF file, as shown in the screenshot above. Clicking on the uploaded file opens a PDF editor.
As shown above, the response is displayed when attempting to access the uploaded file.
Tried accessing with the admin user, but it returned a βFile does not existβ error.
Capture the packet request using Burp Suite
This FFUF command uses a saved HTTP request (req.req) to fuzz inputs from names.txt over HTTP, ignoring responses with a body size of 2985 bytes.
The fuzzing results revealed three valid usernames: admin, tobias, and amanda.
The URL http://nocturnal.htb/view.php?username=amanda&file=small.odt shows that file access is controlled through query parameters, which may expose the application to IDOR vulnerabilities if manipulated.
I presume it is just a normal PDF file content.
Letβs download the file to our machine for further analysis.
The file is formatted as an OpenDocument Text.
Opening the .odt file for further examination.
Surprisingly, the file does not open in OpenOffice but instead opens with a ZIP application.
As a result, letβs extract the file on our machine.
What is xmllint?
xmllint is a tool used to open and read XML files, which are special text files that store structured information. These files can be difficult to read normally, but xmllint makes them easier to understand by organising the text. In this case, it allowed us to look inside the file and discover hidden information, such as a password.
Using the xmllint command, we can read the file as shown above.
In the content.xml file, we can use xmllint to read the contents and identify the password (arHkG7HAI68X8s1J).
Attempted to connect to the machine via SSH using the credentials, but the login failed.
Earlier attempts using pwncat-cs and SSH both failed to establish access.
As a result, we proceeded to test it through the dashboard.
Unexpectedly, the attempt was successful, allowing us to upload files as the Amanda user.
There is an Admin Panel button located at the top of the interface.
No interesting files were found upon clicking the Admin Panel link.
There is a field that requires entering a password to access the backup.
Creating a password grants access to a collection of files for review.
We can download the file.
In Burp Suite, it appears as shown above.
Entered Amandaβs password, but the system returned an βincorrect passwordβ message.
However, we successfully unzipped the file using the password we created earlier.
Looking inside the backup directory, nothing of interest was found.
After further consideration, we attempted to enter a reverse shell payload into the password field.
Finally, we successfully obtained a www-data shell.
Nothing was missing from the file we downloaded.
There is a nocturnal_database directory present.
Letβs proceed to access the database.
We retrieved password hashes from the database.
One of the hashes was successfully cracked, revealing the password slowmotionapocalypse.
It was determined that the hashes belong to the user tobias.
We obtained the user flag by running the command cat user.txt.
Escalate to Root Privileges Access
Privilege Escalation:
There are no usable binaries available in this environment.
While checking the open ports with netstat -an, we discovered that port 8080 is open on the machine.
Setting up port forwarding for the previously identified port.
The service running on the forwarded port is ISPConfig.
Understanding ISPConfig: The Web Hosting Control Panel
ISPConfig is a web-based control panel used to manage websites, email accounts, and servers. It allows administrators to easily configure and control these services through a user-friendly interface, without needing to use complex commands. Think of it as a central dashboard for managing web hosting services.
Attempted to use Tobiasβs password, but the login failed.
The admin password was successful.
Accessed the ISPConfig dashboard successfully.
The ISPConfig version was identified from the source code.
Alternatively, the version was also found in the Help section.
Letβs investigate the ISPConfig version 3.2.10p1 vulnerability that corresponds to CVE-2023-46818.
CVE-2023-46818: PHP Code Injection Vulnerability in ISPConfig 3.2.10p1
CVE-2023-46818 is a high-severity PHP code injection vulnerability affecting ISPConfig versions before 3.2.11p1. It occurs when the admin_allow_langedit setting is enabled, allowing authenticated administrators to inject and execute arbitrary PHP code via the language file editor. The flaw stems from improper sanitisation of user input in the records POST parameter of /admin/language_edit.php.
The vulnerability has a CVSS 3.1 base score of 7.2 (High), posing a significant risk. Successful exploitation can lead to full server compromise, enabling attackers to steal sensitive data, install malware, or disrupt services.
To mitigate this issue, it is recommended to upgrade to ISPConfig version 3.2.11p1 or later. Alternatively, disabling the language editor by setting admin_allow_langedit=no in /usr/local/ispconfig/security/security_settings.ini can prevent exploitation.v
Downloaded the exploit to our machine and executed it.
We obtained the root flag by running the command cat root.txt.
The post Hack The Box: Nocturnal Machine Walkthrough β Easy Difficulty appeared first on Threatninja.net.
