Platform: Hack The Box
Season: 9
Difficulty: Medium
OS: Linux
Date: 2025-11-07
Author: x4cc3
Era is a Medium Linux machine running a file upload web application with PHP. A subdomain file.era.htb is discovered via DNS fuzzing. IDOR in the download endpoint leaks application source code containing SQLite credentials. An authentication bypass via security question manipulation grants admin access to a feature that triggers SSH2 command execution, yielding a shell as eric. A cron job running as root executes a monitor binary with signature validation that is bypassed by overwriting the binary with a reverse shell.

```bash
nmap -Pn -sV -sC 10.10.11.79
```

| Port | Service | Version |
|---|---|---|
| 21/tcp | FTP | vsftpd 3.0.5 |
| 80/tcp | HTTP | nginx 1.18.0 |

```bash
ffuf -u http://era.htb/ -H 'Host: FUZZ.era.htb' -w subdomains-top1million-5000.txt -fw 4
# Found: file.era.htb
```

File subdomain