Home / Writeups

Nocturnal

Authentication discovery, backup parsing, and a dashboard path to root.

Start with a service scan against the host. The target exposes the usual web and SSH services, so I added the hostname to /etc/hosts and registered an account on the application.

The application shows uploaded files through a view.php flow. I noticed that the username parameter changes the output, so I used ffuf with the session cookie to discover a valid username, amanda.

From there, I downloaded the file, found the password used for the backup archive, and extracted the backup directory. That exposed a database backup with a hash for the user tobias, which I cracked and then used over SSH.

With user access, I identified an internal service on port 8080 and forwarded it locally with SSH. The dashboard used admin credentials with the recovered password, and additional research led to an ISPConfig path that ultimately yielded root-level access.

Key sequence: nmap -sV -sC → /etc/hosts → ffuf username discovery → backup extraction → hash cracking → ssh tobias → ssh -L 8080 → ISPConfig path

Back to writeups