Era Hackthebox (HTB)
Era is a Linux machine that features an insecure `PHP` web application alongside a weakly protected system service. First, web enumeration reveals insecure file handling and authentication logic, which can be leveraged to obtain an administrator session. Further inspection of the application's source code reveals a vulnerable file-preview mechanism that enables remote code execution through PHP stream wrappers. Finally, upon gaining remote access, a root-executed scheduled task reveals a monitoring binary with an easily bypassed ELF signature check that can be overwritten to achieve full system compromise.

00:00 Introduction
00:56 Lab Information
01:12 Nmap Scanning
02:16 Host File Configuration
04:51 Homepage Enumeration
05:25 Subdomain Enumeration
08:23 File Management Interface
09:34 Directory Fuzzing with Dirsearch
12:56 User Registration & Login
14:03 Dashboard Functionality
15:22 Uploading Test Files
16:30 IDOR Discovery
17:36 Fuzzing IDs with FFUF
21:29 Discovering Backup Files
23:06 Downloading site-backup-30824.zip
24:25 Extracting & Analyzing Backup Files
26:57 Exploring Database Schema
28:28 Extracting User Credentials from Database
30:22 Formatting Hashes for John the Ripper
32:40 Cracking Password Hashes
34:10 Analyzing security-login.php
38:33 Registering New Account After Reset
39:48 Logging in as Yuri
40:08 Resetting Admin Security Questions
41:00 Gaining Admin Access
41:41 FTP Access Exploration
43:03 SSH2.so Extension
44:37 PHP Wrapper Analysis
45:49 Code Review with Copilot
48:08 Protocol Injection Vulnerability Discovery
49:25 Crafting SSH2 Wrapper Payload
52:00 Reverse Shell Command Construction
54:00 URL Encoding the Payload
56:08 Testing Initial Exploit
59:09 Successful Shell as Yuri
01:00:31 Switching to Enri Account
01:01:47 Capturing user.txt Flag
01:02:27 Privilege Escalation Enumeration
01:03:12 Finding Root & Devs Files
01:04:00 Discovering Monitor
01:05:44 Analyzing Monitor Binary
01:07:13 Monitoring Processes with pspy64
01:12:04 Understanding Signature Validation Process
01:15:09 Planning Privilege Escalation Strategy
01:15:29 Creating Backdoor C Code
01:17:40 Validating Reverse Shell Code
01:19:10 Transferring Backdoor to Target
01:21:01 Compiling Static Binary with GCC
01:25:25 Extracting Signature from Original Monitor
01:27:37 Troubleshooting objcopy Command
01:29:26 Injecting Signature into Backdoor Binary
01:30:45 Replacing Original Monitor Binary
01:32:20 Waiting for Cron Job Execution
01:33:09 Debugging Binary Issues
01:39:34 Copying Backdoor to Monitor Location
01:40:07 Root Shell Obtained!
01:40:39 Capturing root.txt Flag
01:41:13 Conclusion & Wrap-up

#era #appsec #htb