Nocturnal presents a website with an IDOR vulnerability that allows me to read other user’s files, and leak the admin password. Inside the admin panel, I’ll find a command injection vulnerability in the admin backup utility and exploit it to get a foothold. I’ll crack a hash to get the next user’s password. For root, there’s an instance of ISPConfig. I’ll exploit a PHP code injection vulnerability to get execution and a shell as root. In Beyond Root, I’ll look at the website file download feature before HTB patched it one week after Nocturnal’s release.

0xdf hacks stuff

A detailed walkthrough of exploiting the Nocturnal HTB machine, starting with an IDOR vulnerability to access other users' files and leak admin credentials. The attack progresses through command injection in an admin backup utility to gain initial access, password cracking for lateral movement, and finally exploiting CVE-2023-46818 in ISPConfig for root access through PHP code injection.

HTB: Nocturnal