HTB’s Machine “Nocturnal” Walkthrough
Network Scanning and Service Discovery
Initial reconnaissance began with comprehensive network scanning using Nmap to identify open ports and running services on the target system. The scan revealed two primary services: SSH service running on port 22 and HTTP service operating on port 80. These findings indicated a typical web server configuration with remote administration capabilities.
The HTTP service is only reachable through its domain name, nocturnal.htb. Opening it shows a website that allows file uploads.
Register an arbitrary user, log in, and try uploading a PHP file: the upload is rejected by a whitelist of allowed file extensions, which seems difficult to bypass. The site responds with the message: Invalid file type. pdf, doc, docx, xls, xlsx, odt are allowed.
So let’s follow the normal process and try uploading a PDF first. The uploaded file appears in the file list, and a download interface is found.
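A server-side check that produces the whitelist behaviour described above might look like the following. This is an added example, not the application's actual code or part of the original walkthrough; the function name `validate_upload`, the signature table and the sample uploads are assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical): not the target application's real code.
// Leading bytes expected for each extension in the whitelist quoted above.
const SIGNATURES = [
    'pdf'  => "%PDF-",
    'doc'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", // OLE2 compound file
    'xls'  => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    'docx' => "PK\x03\x04",                       // ZIP container
    'xlsx' => "PK\x03\x04",
    'odt'  => "PK\x03\x04",
];

// Returns a server-chosen file name for an accepted upload, or null to reject.
function validate_upload(string $clientName, string $bytes): ?string
{
    // Reject NUL bytes and path separators rather than trying to clean them.
    if (preg_match('/[\x00\/\\\\]/', $clientName)) {
        return null;
    }
    // Only the final extension counts, compared case-insensitively.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, SIGNATURES)) {
        return null;
    }
    // The content must start with the signature that matches the extension.
    $sig = SIGNATURES[$ext];
    if (strncmp($bytes, $sig, strlen($sig)) !== 0) {
        return null;
    }
    // Store under a random name so the client-supplied name never reaches disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [client file name, first bytes of content].
$samples = [
    ['notes.php',   '<?php echo 1;'],
    ['renamed.pdf', '<?php echo 1;'],
    ['Report.PDF',  "%PDF-1.7\n"],
];
foreach ($samples as [$name, $bytes]) {
    $stored = validate_upload($name, $bytes);
    echo $name, ' => ', $stored ?? 'Invalid file type', PHP_EOL;
}
```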
Email address in the page source: “support@nocturnal.htb”
Tech stack: PHP, NGINX 1.18.0, Ubuntu
No SSTI in /dashboard.php