2025-08-03

Era

26^th Jul 2025

Difficulty: Medium

Machine Author(s): yurivich

Successfully Pwned Era

nquangit has successfully completed and pwned this machine on Hack The Box.

Machine Information

None.

Enumeration

Enumeration is the first step in our journey to pwn the machine. We will start with some scans to identify potential vulnerabilities and then proceed with manual inspection of the application.

Nmap Scan

Nmap scan result

# Nmap 7.95 scan initiated Sat Aug  2 13:42:39 2025 as: /usr/lib/nmap/nmap --privileged -F -vv -sV -sC -Pn -oN nmap.txt 10.10.11.79
Nmap scan report for 10.10.11.79
Host is up, received user-set (0.046s latency).
Scanned at 2025-08-02 13:42:39 +07 for 11s
Not shown: 98 closed tcp ports (reset)
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 62 vsftpd 3.0.5
80/tcp open  http    syn-ack ttl 62 nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Did not follow redirect to http://era.htb/
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug  2 13:42:50 2025 -- 1 IP address (1 host up) scanned in 11.44 seconds

With the Nmap scan, we can see that the machine has two open ports: FTP on port 21 and HTTP on port 80. The HTTP service is running Nginx version 1.18.0.

Bonus information from the scan includes the FTP service version (vsftpd 3.0.5) and the HTTP server is redirecting to http://era.htb/.

We need to add the domain era.htb to our /etc/hosts file to access the web application.

Nuclei scan

Nuclei scan result

[waf-detect:nginxgeneric] [http] [info] http://era.htb/
[http-missing-security-headers:strict-transport-security] [http] [info] http://era.htb/
[http-missing-security-headers:permissions-policy] [http] [info] http://era.htb/
[http-missing-security-headers:referrer-policy] [http] [info] http://era.htb/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://era.htb/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://era.htb/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://era.htb/
[http-missing-security-headers:content-security-policy] [http] [info] http://era.htb/
[http-missing-security-headers:x-frame-options] [http] [info] http://era.htb/
[http-missing-security-headers:x-content-type-options] [http] [info] http://era.htb/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://era.htb/
[http-missing-security-headers:clear-site-data] [http] [info] http://era.htb/
[nginx-version] [http] [info] http://era.htb/ ["nginx/1.18.0"]
[tech-detect:font-awesome] [http] [info] http://era.htb/
[tech-detect:animate.css] [http] [info] http://era.htb/
[tech-detect:bootstrap] [http] [info] http://era.htb/
[tech-detect:nginx] [http] [info] http://era.htb/
[caa-fingerprint] [dns] [info] era.htb

The Nuclei scan reveals several security issues with the web application, including missing security headers such as Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options. It also detects the Nginx version and some technologies used in the application, such as Font Awesome and Bootstrap.

But it does not provide any direct vulnerabilities or misconfigurations that we can exploit at this stage.

Scan for hidden directories

FFUF scan result


        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://era.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

css                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 191ms]
fonts                   [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 192ms]
img                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 176ms]
index.html              [Status: 200, Size: 19493, Words: 3922, Lines: 447, Duration: 176ms]
js                      [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 176ms]
:: Progress: [4744/4744] :: Job [1/1] :: 227 req/sec :: Duration: [0:00:23] :: Errors: 0 ::

The fuzzing scan reveals several directories, including css, fonts, img, js, and an index.html file. The presence of these directories suggests that the web application is using a standard structure for serving static files.

It isn’t very useful at this point, but it confirms that the web application is built with a typical structure.

Scan for subdomains

FFUF scan result for subdomains

ffuf -u http://FUZZ.era.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -o ffuf-subdomain.era.htb.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://FUZZ.era.htb/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Output file      : ffuf-subdomain.era.htb.txt
 :: File format      : json
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

file                    [Status: 200, Size: 6765, Words: 2608, Lines: 234, Duration: 176ms]
:: Progress: [4989/4989] :: Job [1/1] :: 913 req/sec :: Duration: [0:00:06] :: Errors: 4988 ::

The subdomain scan reveals a subdomain file.era.htb that returns a 200 status code. This indicates that the subdomain is active and serving content.

Nuclei scan for subdomains

nuclei scan result for new subdomain

[cookies-without-httponly] [javascript] [info] file.era.htb ["PHPSESSID"]
[missing-sri] [http] [info] http://file.era.htb/ ["https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&display=swap","https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.0/css/all.min.css"]
[cookies-without-secure] [javascript] [info] file.era.htb ["PHPSESSID"]
[waf-detect:nginxgeneric] [http] [info] http://file.era.htb/
[http-missing-security-headers:clear-site-data] [http] [info] http://file.era.htb/
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://file.era.htb/
[http-missing-security-headers:x-frame-options] [http] [info] http://file.era.htb/
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://file.era.htb/
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://file.era.htb/
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://file.era.htb/
[http-missing-security-headers:strict-transport-security] [http] [info] http://file.era.htb/
[http-missing-security-headers:content-security-policy] [http] [info] http://file.era.htb/
[http-missing-security-headers:permissions-policy] [http] [info] http://file.era.htb/
[http-missing-security-headers:x-content-type-options] [http] [info] http://file.era.htb/
[http-missing-security-headers:referrer-policy] [http] [info] http://file.era.htb/
[nginx-version] [http] [info] http://file.era.htb/ ["nginx/1.18.0"]
[php-detect] [http] [info] http://file.era.htb/
[tech-detect:nginx] [http] [info] http://file.era.htb/
[tech-detect:php] [http] [info] http://file.era.htb/
[tech-detect:font-awesome] [http] [info] http://file.era.htb/
[tech-detect:google-font-api] [http] [info] http://file.era.htb/
[caa-fingerprint] [dns] [info] file.era.htb

The Nuclei scan for the subdomain file.era.htb also has the same missing security headers as the main domain. It also detects the Nginx version and some technologies used in the application, such as Font Awesome and Google Fonts. And it confirms that the subdomain is running PHP.

FFUF scan for hidden files/directories on subdomains

FFUF scan result for hidden files/directories


        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://file.era.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .php
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 6765
________________________________________________

.hta                    [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 206ms]
.htaccess               [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 207ms]
.htpasswd               [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 206ms]
LICENSE                 [Status: 200, Size: 34524, Words: 5707, Lines: 663, Duration: 183ms]
assets                  [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 179ms]
download.php            [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 188ms]
files                   [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 175ms]
images                  [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 176ms]
layout.php              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 181ms]
login.php               [Status: 200, Size: 9214, Words: 3701, Lines: 327, Duration: 179ms]
logout.php              [Status: 200, Size: 70, Words: 6, Lines: 1, Duration: 177ms]
manage.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 176ms]
register.php            [Status: 200, Size: 3205, Words: 1094, Lines: 106, Duration: 180ms]
upload.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 177ms]
:: Progress: [9488/9488] :: Job [1/1] :: 222 req/sec :: Duration: [0:00:43] :: Errors: 0 ::

With the FFUF scan for hidden files and directories on the subdomain, we find several interesting files and directories that we can explore further.

Manual inspection of the website

After some scanning, we can access the web application at 2 URLs: http://era.htb/ and http://file.era.htb/ for further exploration.

Era website

The main page of the web application is just a static page with some information about the application. It does not provide any direct functionality or features that we can exploit.

File backup website

The subdomain file.era.htb is a storage service that allows users to upload and manage files. The main page shows us some information about the service and provides links to the login page.

File backup page we can access

From the home page, we can access 2 pages/functions: login.php and security_login.php. The login.php page is the login page for the application, and the security_login.php page is allows users to login with their security questions/answers.

We can register and login

But from the previous scan, we can see that the register.php page is accessible, which allows us to create a new user account. Then we can register a new user account and login to the application.

Exploitation

Now we have access to the web application, we can start exploiting it to gain access to the shell and the user flag.

Upload file get id

We can try to use all functions of the web application, and after uploading a file, we can see that the application returns an URL to download that includes an ID for the uploaded file. From this link we can download the file that we just uploaded.

Brute force the resource id

With the id parameter, we can try to brute force the ID of the uploaded file to find the file that we just uploaded. We can use a simple ffuf command with a wordlist to find the ID of the uploaded file.

# Generate a list of numbers from 0 to 9999
seq -f "%04g" 0 9999 > numbers.txt

# Use ffuf to brute force the id parameter
# Replace <replace cookie> with the actual PHPSESSID cookie value from your browser
ffuf -u http://file.era.htb/download.php\?id\=FUZZ -w numbers.txt -H "Cookie: PHPSESSID=<replace cookie>" -fs 7686

Useful file

After brute forcing the ID, we find that the ID 54 and 150 might be useful. The ID 54 is the site backup file, and the ID 150 is a zip contain some signing information (key.pem and x509.genkey file).

Backup of the Source code

With the ID 54, we can download the site backup file, which contains the source code of the web application. We can analyze the source code to find potential vulnerabilities or misconfigurations that we can exploit.

Also from the site backup file, we have a database file filedb.sqlite that contains the user accounts and their passwords hashed with bcrypt.

IDOR Update security answers function

Read the source code of the application, we can realize that it has an vulnerability in the change security answer function - IDOR - We can change the security answer of any user.

From there, we can change the security answer and logged in as user admin_ef01cab31aa.

From the admin account, we can see that it contains 2 files that we found by fuzzing ID above (signing.zip and a site backup file).

Get a reverse shell

After logged in as admin user, now we need to find a way to get a reverse shell because from the nmap scan the SSH port isn’t open.

Crack password hash

Within the database file filedb.sqlite, from the password hash we can perform a crack password attack with John-The-Ripper and we can crack the password of 2 user: eric & yuri.

FTP access

With the cracked credentials, we can use the username and password of the user yuri to access the FTP service that we have scanned in the nmap scan.

In there, we could access 2 directories apache2_conf and php8.1_conf and we doesn’t have permission to write on that shares.

But in the php8.1conf directory, we realize that it has a file ssh2.so that belongs/related to the ssh2 extension for the PHP - we could perform the SSH connection with the PHP code/syntax.

And now, we need to find a position that we can use to exploit with the SSH2 extension.

Source code analyze

From the download.php file in the source code site backup, we got a note for a BETA function that only available for admin user.

Read the code and we got that it calls a fopen function to read the file uploaded and return it to the user.

It has a special point here is it receive a param format from the user GET parameter input (as the prefix) and concatenate with the file name then pass it to the fopen function.

fopen function inject

From here, we can perform a simple injection to perform some checks like use another scheme, use PHP wrapped.

SSH2 extension Stream Wrappers

SSH2 wrapped

And it the SSH2 extension we have discovered above, read the documentation and we can see that it support PHP stream wrapped and we can use the ssh2.exec to make a connection to the local SSH service and run a reverse shell.

Part of this article is encrypted with password:

sQOwvq5+MzisGKlmaXGDzXuIyGMtfMbAf5o3WBhqYvFlK63b9hGrK2PxzI3W8envBGlAoA785JUs1jdu9ZPdX/IpgrHZf0qO7kSO7hH7mPil4gDf63XVBLA5bqjg8Oiv7fvgdsF9+FsqZ8548kFEPv2p20g2k29ztcOWMK/z4wsHID4/dWB2obS1zTtKriJ//KzVzpgg41Z5oQawbWXPFHdE5mglSNOqWlb+Khy7mTg5ZrrPfT/GTRadkhQQQg1IHLtNUA7VYgCXeMPdZQ7W3RNLbduj1c2de5vaW9cavaK6nbRID4t1rnfJq4IlrqDFmjZqr17CwhMqcorObWJA5XzIv0oP3NokQdxokuZlfWJdmRM9VoyJTNtOUT7KPditn1y8FwpUTqQKco+8rsU+AwiIXMV2EwdidIu25/0wTFcOKqW1eHlzW5GivNI4tyIc99fyWZBE9RenRKWlfweykF2DVFU5/Kf8eBid8Dx+/m+08I4Lc5bf9rjHXsH+X4GCZAxItuaOv6aa1AR0C77O4nu6V5es2RQyq47CBooSb8PXUSewGDeVB7ypdhhn2jLQCgDmf1pZNnvogxXraxDPgcrGofYz4Gb4qUoJLPFZgoXcTgYpQPo0YyL0hI2IL0tQGbuPsb4YdpzRCVHNW+uQfAPcSgUd5cMd0rBxqQDldbF6ZVKB48XM+kh6q1UEMnsM5E+J9lOjThWONvpGRjpGlzo28OQXY3eObLldtUl9pz9wDPn0+HclE+9I5y0KgsbywFsfV/uEwiZEIvfI/GMez5fEKwN/X9/xhSM4hTNK6zk9gH72gOaxXM8N+CcHuYpBtsgAz5+/svidmH6CX1kchFBDbC6q77sS6PZbEABWI80OAg/dmlvjbddGQqJyGCq3gfIiQP3KMx+XXxHmpfcFxvFVAucGWT/OhphICGmn6DaHzmCLwPR5qj9a9JbD32zBnus0763BpAbfpWwyC1IkEvJR1VK8MdlJ9i9JQ7p4Gq32zqfP4pueZ3rwVQ5viiTz4SwP6iYJyrwmykZ4z0s9JjA6RvziRqcZDvDaKazG5sn6nIWQ3ToS6jblxoxuA4wmsVfLxqm3TQue3jUC6F4bntVn+4AomfDMqgCvw8MLJAQMPJuIaIjiXJ0oW/iJznTAif6sAdzycDYjuq0ra+we/9QintsMiUUt/w+T9Ub8UNOBOSkHBmQKXgQjyuLQZXsGdqtOuWIoV0olG4WJ+d3K9ZvOuBFIGoZqjJo7yzWKwvdp5kvg0LWEfPVW/FFaFSLcYsypctRfeLchWJX5d7YJ47Dl7LTFDjpbCHDzyUhpf+QhnSawOGFHRhVN8ZYmjSNm6J/hyqdsNLVidyX1ADSzE/bkMBWYkXBb1IJq1rXCUsvKMWpp1lhJmlz5msyC1K8fxyhvd0L6cg67lKperTbiL8KvfFCNzsv2vgI71uo8f9VSXJDJnzqCzt4k0Y5a988Yk3FIjjjnVj8XHdTvt34IxwBOAJixMQMInzuR3xKxNPOXGAs/gB+aooLutCatAkOgi6tsYeNZxkC/isQq6hlTYulLwwxgzaJPH49EigSkGEnuyKn1kj2CPzyr+GLSMU+yrEz6vgdcKKRP96Dxzkz8fZeSiwJnJc5WrUmboCSy5iKSGcmLag0nFN5UCGT6MBrGVuFtMVx8znhpxdbur6c6ohr2Re/hBzprUC0V+bTt7blpP5RxZbw5MTNLXeIEz4fL87SjlYhCdzS1W93KDDma6G9s7Op3GBohAdovHeK4rQxl165zzbaoGpRHBwcXCCXWAnQ89i1pP49+GtzAZo1VHrW3q3z7LhftHlmISHl4QzaCLxWc9wTS40Y1hlunrSwQnlGigLMbBlcxV+448mqiR7DihWfVAlZZPWZR0X7Ra/PMxQ3Sg5ZS05z0azB+fuzGP8nbM8tl10usp1lnzZQMCRC/yzyA0ot09jRWCSZySsebuLz+2UDdoacC6tj/y40nortVFQzFozit0JIf/+K/Ba4wVqMwC4N/r9l1z1sItNBN1icFsJQgAMcM3/YLIXS2G0/3EV2Ab3Jo9mUymZvFgDm6gesGNpZQo/7NF4z5qwLx9D6PgW8kKlD46oq3EvC+5xBe3SbSfnKVW+6wsFiJlG8jdha3adzxtpDX+totr8n+fBgSSqjvEvkyMPLdOYk2vdLZ361Q4K8AHDQuCQwrkgWUXYxgTIEX1fGDsnJRCWBqubUMiePEtSkJmygM1DPv6IIjrHX6oad8MdgKs48UawT8eDls7bOmuK352DL4vv0o4IW3lERH1tWV+lLexSQmee9zS6UVPO51by376bq5Xop044GfIQIGhoTJZzVFM8GkrM4qSTic1++aVLPlmtbW1kP4cHVKUp1iO+HFG+WeaL8xA1UdTpUercZfEqLwV8XJ2BPlk69in70VA26hEp2Wljgk0NJjkt4fvXWu3FB+jOto879uBZM6J1gMqviC38nRwiKyPwJa+gTOYzO8F0s7MucN9lWsUQfomUEGEb5l7hnjVrLQJ43EVBGHDzZsR3KsBDCiNwIK+IonknjPUQoehCkeTIHsiiAPIwgjjQVs0z1kVaZaT7kNBiqvz5AyTwEEg9V8oiNeQO06ZdUPHrqO2Fw149oARiOe7M61i1Fg6Isyjkg8slBh5vepviCZaSwoWPBO9ImPXMI+JQmk+u0E04tiJzJEmEkKPq7zMRpXtcjjtrpDlk9mmmIQk4CdWCIK+86EGF9AZx9oPA2ZzJdNXsIgP7UldlzeDQnJ787tAFS6YtdCeSvVbSX75RErjF8NM+JBsLKuRnifZ+43fSkLjWgB72TP34UHXgqlr/LAfhBrIntorWpcXUIOk8X8vaj16yjtLv2F2ijFNguiZzFjTjQ/Iu5qM5VcXsiAGIDnAfv3NFxnrmpW2AOoRdzgokUP3cOeBYS5bmrmay4c9EXdJSXzJ3mqDyV0bTjsBTnmQAPWuDyNTUR+vRB7WhSR01zHSIumjNL+70LhA9qjEOytb7jI9VfXjMMCHG7hGyFVe20ScdVuNWFR1G+6I7jnZ8HE8lQraYD47zVjq2hLmJ/bwbkW21U757BdaNPuU9Zhd/EpyCtOoctzm5cLoUDszoG+KR+ZSkXj+qlyWvyidnKy+F1kC7g1zttB4HPtcgVxETKOzZULCah5v7Ek/UFOtSh5FjslclnUF0flvm+nmDuST/GfeFBz12JK+KEr+rNLvgu/fRrgstFqrXMfpd/nErzm4TO1HK+ff7ZT14N4kCqcXmqyL3KpuIftwnmElt0UsgaqYmKXIIHIjgQ/jRyJPbxOKZOn+rlKCd5hAsL36oNOpoxeIEfAJiEdSdkOyEHftVfG7UM2rZ+r+0wkBQDveVlVuI/ntDsMJfpbC//DTG764Q8b6RLjVaqaCLIcGQhz26GhTWxd/bm2eQLYtg0pNBvuEO6qIbfj+a1BGWFlIaskH9uhQSMGzacKPYCJpR/W0m4LAnYn/Cm83nMV+JFh8YnJXdeJY9UbVIdBQzj4qtW4AFsGx90C+5ec+skuDilfgoDImO7FMnbXq1DKImfyocbhTFgfwVooLKIk1+Qhky+YmYoQTYg96ISV4vt0ci4LZUbGN3JkBXt13M6EYVaGCt1N3ALF2wPCcG/7Ih9zkpLZqjTO7Q9pZWnDuGum02TCtzwHWgh5ShvhXaAAiVC4p1rTcj7JC0B/Z6/nws1lZlMWnhVLQEftGqfQMVmmJXZQBmmoRKsdwQ27kVWLSp6tce4ui/cR84GsgvKcvPCgG0uaybg3FeTLBLkRs9q4D+5jK5IBJV3K5JVWsyGKwir3sjvEbRnQ87WvwuIwHnqgR2KXQJ8M0Gu+NOunu0gVRn74CqLZQXdWujL5vjvdYlMyLLOQCVY4IuhQWeE1gmxp0wp8/xnqKVWhE0oCQBmqRvADplbOP+wEBqTO7xE8StGDibf4z7ls8pCyKh9vGuDBZ9ouK0+1YAhEdl7np9UyFt9CaApnrRfddCap6/HBaeXagQ4fd14fbY+Q9elZVlzyacfXSY1YjSnOziHwM6G+g7HDQ7zjI/UlL63AJp5F0YCWlBaB75ljXAwfgFDCPumcbARzxuMj6o+ddzXEa1sKgWih57VD197BM/+AtghVpTLzFfOywzpk5Mr72Vgew4PL4Tb4eqVMNZmCpfZhzoUXSxYTUaTPsHOZEIOSw0CzeWDOdUAuBTe2pGiMpX3ZgOxrfttpu9cmeCF9AT/5JSqeI1LGGzDeo7R4TfnEg4oEsZ8IS7+fWPk1ZGQfbSf+kYZWgDdfOep310+T+U61L+C58SYRL9sT8AxKKihsfKOzKJGMFR/Q1dpaz+QookuIpr0wBmfLBYi26rA5x4SFshWSGlxxGnfPdSaxY2q1B2M+5e7/eayOV0kPUuQJcrF+YsHGJPh0YbH5PI2K9DOWrq8bx0mg41FmPvDqv8D33NymVDuj+i/s6RN1cradSnS+guAeQKcUNkkbXyAHxgjtnCNrWcIL9NCY+X75nA73GQQ4ABgVWSO2QQKI8b6uS2h7FreCN9IoYWXMUE0GuyLsj7hTMZez9yd3LFHiafC39/ddymKZ/iyTB6q3g4oSeDgZ5JLoO1zsiznklzrCsjK4otuyi/GMwLIgikZocHuYfoNULfU2jA9Q7h6eG5sG8Ir7OtnNmHZ92xt/l1cJCFE5J+hgikUmFGc5AeMC2Nmn2RJH2RO+VQgWMgu6Zi7zAzf29WGzSXC448eBHJKbROzs1/FNyXz1Y2rurOxUSR6wiA0r0070F+0AdsVuJmDEFAC3Ei0dphzPsryobUWKspeE+JNu9Pc/bHvFy6lv0wJHaU70w4wGuXwucjcdbsfIiJO0OXVolhQAMx7yWkGtWwUPRqbIfgjerxKKKlK0sOgPkakgdXdBwN7ZmcZhx0wYPi6Su9UefhOrm8KC8llAyA6X0gAex6+AhbMBsLgNrlfhxMfrJDP7bZhGdsSnBWiFH71DHz3qH4UP782h8MMv2vEOGMzazAiDDHIfMA24Y03v18avp+cjR9paMJ1FTOzWY/bScMpKk1DWBomer2wfI7XEspqDIQRWEiiIfIWQKQ2LMBJ65stSDEsK9Va4w+tTnx6NIMkk6tOoFkQkx+BZnko4MlytP31AlARpcSijzuETVPLFEFMEEU2CWSgG/MUaI4yu3p92ybXI+ulnf8vC3uzz96w0O0PZFFsNtpQgKmWfjMW//hG8SDVwHeCUpAtsBRXHzo4Mhex9rt9EoojdYEoym26S80xQL89Iz4q7SBjNnOtUknX+YqXAC1iF3ZxGQ5oi+yUbD4AwY/i/wQl4C2FSz1kLyys+M3z7cucXNfBlxd2PpX164DaC9Fc/qukw5dzjz1cT4ca6ooRvWC0VpQETzST9Z6myvRqgi7MlIxUXIl8Rm3wP2cJaE+2gRXVH55S3k/wY+ImBZXBO/WhXDjjXYbY2ei73CnO6nRp/+R/S/RPoAjN3yut1qS983gzlIbSwRcQKIR5OBI8xelLRuSP7hYiqzcFcvw1/Z3b79qjsWtRdPum/GF9KlHyb4slU+0mfLUDYFtyinPn/kOO+OJEaeNXyJLuSqUXh7NYMobZWU+QO0cE2yS6JEEAqn7ntTo2bShNwfuhNt66IHzBATN/T6h+PFLef40BG0qfM6WwUDoa7oOUDafoQi75VxIRQIg7bjeSKiN96CW+UE7QLJzOo0/b+RMO+hWFJrOxr0dPYAE3H36LaIsoDH6XlDJimOH14KuKIx4Wn1xkO0C0CCyP5SubBwG9zjwNUssydIV0fhyB4HbZgRsxgF98yTRLCsw2ASGZhw7SS7U9sRJDwTUTmXYLt67TxL4MDK+iMafOy2xAuNxt2V3fiwgdZSonutuP8xAz18uU7xGjFM0uTX62YJBasyuHDippFT0s4QTEnarsL2oIxm4nSWpHnfeaREwr4wJ5Jw2YGPoqOoSr/6nrJfU8XDb0zCnD+O8ytvO9W537nx64YurZ1h1CVnC9Nr4y4aqRmvbo4EiM9GyeeMOWJtMVY4Zr7XyYe/hpsOzjunOKxRLrwDisp5ZI38xDZ+8VGIlwqXOAtYMiwKsPbbejIiIt+eO3/MJC26sGw2Ym+1dKZafwd4FCLH5WcYno7p8DFFoyU+2WTNgNET+P0O4RfJx20xzBCSluF9ss7yOzTqkIyQp/y4Ibh9F7r1Vfc+7I9uuByxM7ie0GocuCL+nbMHn5FrkGNNZJDnFGP/V3N45SmvIbNA2f1EfYQN1agsXOEsUNehwAcaaUe1xbjmjw6i+QqAq4c15o6LMV3oTAOBatWkecjyDhrI/hYIIETyODQVYR4zH+Rna6JywEVl7YuGMzkQ5Xut+u/7ZvBBvq/rRC3EfvU4TWx5ycz2ZyezMQB1I1T0Eer2RIg9LG+knpjDMl0+2m8D8jatxVmWFDf/p9TCnKdNPmALFVwNS/J1HbOfV7u52o6PN69Rb66WT6vnhbnYrzdywSGFNcNv53+Gj5EoVB+JsnNLVDJKskXceRCH8FNJwebnDc/7CwQwdZNC3vlHHZZiGbHVmC4Ro2WgLrJWlRJqzceCe82CzpquExrYOkY9MUkxWro4AcPKXujoeoeYWQDemEwfIFdUT0YMy4dWs0DLf1fCSHU9lYccTzWNxJTAVO6ejV02ZVcLwTwLPW7X5OLOUpuvFYf4FPJo/D4uGM/Z1wsn2l+LbxpTDIuQxpLbyhlBxJNFYZsLfat2LRxX/XHyV97yE9BZtETOhKI7CzkfBSJfdLavjsdk526vE8HhkHaXcS0iwYfUJJK32GmPZ2A+Q3St0RK1I1U+B9Q1+4KA8wl2c1tRTOWD2Qa+q5oEnqaBeStbAnX2sEJE8gKm0GOYHzJWQ/MFgLLQIDnsC8bIEgQM8YkyGEhgLNWkHUc3afqSEXFledZdyODa3TJL+dDHWsD8wh3cyjc55wEqhAV31HEkDfxqbersHh1TiftPhFHFGn0H88iWP/UxjgTw2z3UnFFxJyY7JouF6Op0lBTxrFme2uwO+ElHISOGlQEyotr2Kf+lep+flqsGP51nuB19zuQrSzNKAyBfnDuwF5nHv95WIq1j6m8/iOKJsdjR+dsLlAHRcp2RNJnjmM6DKvtO8DH7GMBL92k5rL2z6iS2zt+lzePfNUrQd2Awt+jRm4OGRCAxaGML8q8uBC+SXuu7eNiOoX9S3yffT0f15ybMaqwKVyV7NJYLNiT1ywYe6oR8lVwiMLlug94cD6mYZ1PxiogPza3D9kiw/RhdGkw++XMdOPvyN8LonukKvpuH+RP9PsZXmoizFt0syjEDWUBXhtrz9wvxZyLrdoZkj2s6wc3zJoW+VrbHx2QLxHr1TM2C0d82IHIluVU53uqm6pITKWEmN4Cig3H0UHvQB96BrMSQ0maMHRkCQahlDbSF6EX34i1Eg3YCLg7APoDwuDi5NA67X1uhYArTWedXFlLvO1lUafwEhbMDliAuI/o2JHOcVhPqELvJx9/Lv2hSFo4YAFvOja89Td6ERHmEc6vfPSziWg/B45sOzI6f04vvLG30nFt+aVk5RNcaSn1eeThdiH0X8jBntsE2MJdaQQCiNMb3T9Sv0Xc6ENTuu9i1Db7r/hAJENQ6iLelQxcc7LnBEpUzfcJT7fZPQ/wjQRwECKH7fEvLKCNBee51nueJuQrRsHYjmfpK67aewgpdonhJsUU9WGPlsaECrh7NrVDhGcjd54qSLcNin2SHpKskQk4arh6ghkFlC4FtKhxlFQPoURcWqUz2ECMfY33gRwCaSr17osennaeBZxYIxfsPdLh1P9g3pEMe+bxG3+9I9qjZho0z/0KmVx0wRR+66IPvMte0HTSF0+XWDCKgLJIWcrZalQNFebbI+7tG/IXotxlE3MUJWhYGE2LXAXRK5xsD9XhzkiqnXdGTtLov+/tyiYAc/9rUeZQg/O5N+MvXffIr9NyAom73ZIcBxVfWWNaj7exRKjv27ZUz3AZi8e8nDm86La7MXItpTjB9ImeaBtTJgRI7RxTcKvD9l+OMZ1LHPAidzMQdqb/gJxcj2/llcRre5y1omuVnOejMxvSVFpOMSH2rn0O0EtQO8O/Sf7cgQyVR02Qv9QO1A6WY8TxyYhpglJL25c3gB6yTvtnX0pMwgIBrFjP5s8SGH4FCyrrsBBE5NKIKhgidi0UX/L3eVmml1T5l2mCLEvHL3L5/bNuZImIPgUVWaB1DvPzWSqY01TRsLVVmadx9WkTa4e8V0FCqgDqAksTflPkadJGFSuQ26fFGj13vB7I/49Tj/2G/tNEfMxZg0mqrXbjE3cu10c6n5zFxrq8EI38LbNWVWvVv3o5w070Kwp3/BYbp7WlakgYf7DpsQlt9VyJT2lBb5xpFYOksLaAap1QSWnlOa5pm1luK7NTnPDfC8xtk/vZMXyQDUso4HUFlTCp2cNIb6TLWZbHG1oMcffIElp9wUvUTbnREePMbnYFC8E65wQklUnMbUgVNIZdHxb46hUx6ECXi5h9ervAW+Kgn5tWLow5r4WpWJZTVqNrtHelRrKMpPWIpd0brZ++WbcOuCgVCfSKWcZ/4JzUJ94BGG/ajaHOZVvXGy4iRS3ZtIKuQDjT7E0qLFUM9vKNJVKzPrwsSHH1SBHzr19D6PBjEUEeDnC/8bwQZJzSLnJsbBQMwvZurLXalDShePIxyQLTkmuLPuvyhKTb2G3ZgazDI3BIAVDsI13QFb9sP6tz7JMu7SZ7djpr3wyz2nNYPb6qE+eNjUEw+3zoiOifJpzIqR/TJ5KvXUPtlkS8HuRt/8z+7e+afgGi9/vaopMA+Z0NumzuJcHXvS7DswWafNF/4ob0dDpgD6UgVRt3Wk8PRWC38Oy0gEh9GIqJNt/3B13TVxHhTy7kk2gO7Iv+2R0fbMnbE0BwDfD7Orr97gttBIUxtsW1aEGU9i9JCBJ0B/J8YSlCL/Z5gDSYSWDkhmUPyMB855trw1TxsE/jBPZ+GbJXegrj+5U0sd1+mnqBvbPy01vzfUlLbWEOqABwHEzcPZtVcbaWHp4Lu2/wPhmzOvNaKhSySCnh8hGjb2crY/Y8r4r8xcU7yGGxF2FFV7oZSb1Cl6UFmHZdAJXEfF9/VbONm5xUNnDYWMt+KKtHZztISWYT/kf5GhgBx25E2omI1hQdQcW2VXYztBY/QYL1OYuSCpkxS70gntKKmz4GuUF7NYs/bKdWx7XRoBzClC1G5u8HJ7ZOQdJ9142hL6NikPjQLdrON359fZKp7ywW7SmZZdRXPij+zN/tzesuDyw5q6d56VuVzxgRrh+5xGc8O+PleyAabUix4VvMMKzByK4yETuZvBU3O2WTCrj19f+5i3yMkIKq+GfqUGjNlVHNW8j++Wsv3e7I4jwplSKiIKami7iv+cxDTPfwFsKmPQ4YTlvBjhN03HE8zrpY9AjFVkm/sZU84A1yFQoYOS43bUenoDOXqUGTPrv4LXwH66XUjA1Q6ERUez4zIzyvo3WpjwROx+bL6nysQ+6bhHYcTEhpmnmds2wmuUe7rf5lDsAu5IxmbFFSNCGIh6TN5gBgZpcqrhFvTIVVGbB5OfTxP0SBEgWyXp+xFYO7ddbyiIcLSbpJbQjnJCIDg2Xa83IPNOomxDvmNgXk1i5tE4J2iLN2Ystz1WZze0uNjpFKhoz9Q/yALPSl9eSrlZouXqYL+GVxfv52Nzet6GWo4lfkIO3ppQiyyq3ilu5MZKyaUUV42maOpvAJLEQxgsoqkrxVTJCavugvAdbZmzOh17qZ1rIBqdyRk+I0OGFVJrsHVhxNfwFAJuXuicyQrBdvSOrJ7OYfMwEHlQ2N8tQ3jMhtxjhBBnUwc10dnsV47+OJrJUoa7XGHXvozm7l2kwQ4fi/9k3H3po0UAXP5r6mdLoDjLjwRbF/LNzpYoNZ0uXP7jeobKwAOb99GEdwPX4GwXv3+WIt0yBxC91JtOX1F5oTe4SGdxLpyZ3F4FAh7W2tGaVbtFyvlwQhB6E3IznUbdZS5sXG/4GxiQFhpihUd9Arhi7oZ/IRA7CmNm3m284qCovePX5V59dG2EyCCkDqqVJg2A8l7Ew5HsLT8Pz9JjP0uFWwx6pmkHvd1opNjsDL7cYneNTSZ/STIhFplbKM1xuhUNG4fcqselp+/WOQ/FfJm8yuNVvX5NKu8fYo+6OyYOFaPNRthTbHwQmQo2iTbJJAWFsCNHqvPYOL7M3eKt9Lhab8puFUkMzFdNeHt4Yo/cSUBck30EMEwyyEh0uMZV+XQQSAUcPlik3qnIq1buR1m4Anfwx87Ilc0lZaX2KTHr7FEMebgjDymk9brYbB3W9lZsIL9irPThndPl1IUNTy+Y7Nus6ejegBfbz57o9jQ4efs0p3RvSwsGE4/+Ftcl1XST+FheWfDk3dcnqTE4mKKlfrVbLJ46muFU6EXo48z/WMHIJ0gMI9EpJy7aUqr9TpHGYDsOOWrpf3OyWBgape/tbFp9Kfw1MIMDseC4XTQRrDczqe3sWBdA9cvLMvx+6in4D04Zg9K8tFwAIYw6TegXvnPogMhJo1EFbmJ6b41Xf4EYu1ehlt4iFL3E29LTlJuoGz9BC0wxOSi3vJ4P0gU8ds8SQse9lzsX/aboWEUTU30puOtSAWZDWIFlKiKAQDu1YyCHqCKHlffqANx9aGEeCabf/JY5pdwxU8HEiRnP2SVrfne/vJbZgdJoeN+mS5HN3m3G7SVYe41TJbxD/VjJE0r9Y5e/EINdulTndH5jdWR7PCxqCB09HL8VIEo2QVnw0DbnmCn6VDT/mpsvWXcMdXzXGYvZ2py/58Qz2vh/T2jZGwSGDJwbzE1TwqIjrol3xRHzXcn3tCLCQ0Ee40igyfMYO9NbJ4wgUAp17sTDCSBKYxNAxakhnR+V/6xmnBMvoH8odvu7JQGQgxFXPQ0tC9ogggNa0FsXZ9O74ettkGsTlBWQ/3iD+cCs2UfpvPefJcnqVzPIJOWGwBR509golQxwevVeJPTQJL9G3o236+swX7KRyj/LxkDvfpIWVOm1U9oLoekDB+ZFI0DrD31d4ka1Mzoy1lHNBZwIMR8UFM7K9Blvd7nUbkYqtWkSbNj92T2j6SrbjjYbDxhWAKlsWKDrLeA6COsSJmfTQ1ESFsQ4hLAJZ5tFYxxFEFoWTSj3qgU55hhem7yeKCTS6U5zREQplQ4Dw/LOCuQ5QUb8DA4U2AmE5oZ6jeIIZdiSnGkZ1BD5lCzbuzmlgUZ0SY7L9PhIO9orXRd7pztIY1pASQH96rO9v2YIXfct9przsbs7s1ggZeJvKOUz02HlbFomQvDduxveTSgnEto3cVp2itMYZyNKu74N3GFQERdoQSnz/WFSgFrFArnuMkJAHaqy4n0dA3lT+knS369ln72XUzqwcBYlljhV7kyz8h9j5J/BHyXOfkX/Ik9QK7svjBmGRrf5/QH01MA5jImwpQah+PH/zV0FR9gdIQ20IGGwvdCpjs0H2BCzQNI6qWpR6O/a3iRanWphbj7jril41uKY6PkVX5VlBQBJ7znCDBRP/sZEhCZ6Ifs30L1e5RTIsaKuVsVoTS33+XWjAD2fro6tfHBsBtZkNqncT+2tZXAc0181IOOjhyDQRDGnf349HC85SDa10otUZNkZADpcLBVrhWCUtv+UdcvswI/d7Wbb49g0LJ5txOTE/+NGDh21WaCtHyKzPSa/IF0ZsYuLXFcm5uZLVM3fYLjcOSoGSJLLMUUa27RvTCKDvG0luy/7iflCjrn+JBVembgJDcWCw+VlvlAKfKeQnY8HWQviNOvyftzfIKYqqy2oKahQ6NEZyL5dYTXDz2BZgzWerKsnQChiXKVToq3YTVh554aNCWsy78tDEaScc39spRoet0JpXSHgYnXOWBSQmD78fetmdauAjm/KevZ5UpMDaqcwT9H6voWObYL6xc6F1gD89jRGCWgJmHKiEShEvoLw0bClESS1vsIIrWqZkbPZJv0Pok+/dhTGCUuAbXHCSXCBl4Inw0ULFId5Cy5iUiG26zXA9YggRHhTsGiTmZUwBP9Tuy6mhSPeK+vKxE23NBG/uiybCpG+lxKWdOWFvsNuwACaaGJxdbPSD2Pa5f5RCKEeqtXpJkFKNUN+V4rwIIFewVVIqZ2nyRShbh4blAvs7jUwgIdEiC8L2t0Rcw3g0dG5KinC1yyolH9ioqNBx1vMsLpaJ/LghslAVj9q4Mf3vMPBsGfKih4XJ5j3a/faarw+7H1upQC94K8rs/jHnuxKRIL6ehnjMLCFY57eT6

❌ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox’s policy on publishing content from their platform.

For more hints and assistance, come chat with me and the rest of your peers in the HackTheBox Discord server.

Good luck!

HTB Era

Era