Nifty Gateway, the marketplace that once helped bring NFT drops to a wider audience, will stop running its marketplace on February 23, 2026. The company put the site into a withdrawal-only mode the same day it made the announcement, and users were told they must move any remaining funds and NFTs off the platform before that date.
Withdrawal Window Opens
According to the company, withdrawal tools are available now. Reports note users can pull USD or ETH balances through a linked Gemini Exchange account or send funds to their bank via Stripe.
Emails with step-by-step instructions will be sent to account holders, and a shutdown notice already appears on the Nifty Gateway homepage. The aim, as described by the owner, is to let people retrieve what they own before the platform goes dark.
Today, we are announcing that the Nifty Gateway platform will be closing on February 23, 2026. Starting today, Nifty Gateway is in withdrawal-only mode.
Nifty Gateway was launched in 2020 with the vision of revolutionizing digital art. Since launching, Nifty supported dozens of…
Based on reports from Gemini, the closure is meant to let the parent firm concentrate on building one bigger app for customers. The move highlights how interest and trading activity in many NFT markets have cooled from the highs seen in earlier years.
Some collectors and artists are left scrambling to rehome items they once sold or stored on Nifty Gateway.
End Of An Early Player
Nifty Gateway helped make buying NFTs easier for people who preferred credit cards and familiar checkout flows. It launched as a high-profile marketplace and hosted major drops from well-known creators.
The platform supported hundreds of millions in sales at its peak and played a clear part in bringing NFT art into mainstream headlines. Its exit marks the end of an important chapter for that wave of marketplaces.
What Owners Must Do Now
Owners should check their inboxes for the official instructions, confirm where their tokens are stored, and move assets before the deadline. If NFTs are stored in custodial wallets on the site, they will need to be transferred out.
USD and ETH balances should be withdrawn or moved into a connected Gemini account if that option suits the owner. Waiting past the closure date will reduce options.
A Quiet Turning Point
For many collectors, this will feel like another sign that the early boom years have passed. For creators, the change raises questions about where drops and secondary sales will happen next.
Gemini says it will keep supporting NFTs through its other products, including the Gemini Wallet, but the specific ways that creators and buyers reconnect with those audiences will depend on new tools and services that arrive in the next months.
Featured image from Unsplash, chart from TradingView
Cryptocurrency exchanges are the backbone of the digital asset economy. They enable users to buy, sell, and trade cryptocurrencies securely while supporting liquidity, price discovery, and market growth.
As the crypto market continues to mature, businesses entering this space or scaling existing platforms must make one critical decision early on:
Choosing the right cryptocurrency exchange development company.
Image is created by ChatGPT
The wrong partner can lead to security gaps, scalability issues, regulatory trouble, and delayed launches. The right one accelerates time-to-market, ensures compliance, and builds long-term competitive advantage.
This guide explores what to look for in a crypto exchange development company and why ITIO Innovex is a preferred choice for businesses worldwide.
Understanding Cryptocurrency Exchange Development Services
Cryptocurrency exchange development services involve building, customizing, and deploying secure platforms that allow users to trade digital assets efficiently.
These services typically include:
Core Features of Cryptocurrency Exchange Development
1. Scalable Platform Architecture
A well-designed exchange must handle high transaction volumes while maintaining performance, uptime, and data integrity. Scalability is critical for future growth.
2. User Interface (UI) & User Experience (UX)
An intuitive, trader-friendly interface improves adoption, reduces friction, and enhances retention especially for first-time users.
3. High-Performance Trading Engine
The trading engine is the heart of the exchange. It must support:
Fast order matching
Multiple order types
Real-time price updates
High concurrency
Security & Compliance: Non-Negotiables in Crypto Exchange Development
1. Advanced Security Measures
A reliable exchange integrates:
Multi-factor authentication (MFA)
End-to-end encryption
Cold and hot wallet architecture
DDoS protection and monitoring
2. Regulatory Compliance
Adherence to global standards such as:
AML (Anti-Money Laundering)
KYC (Know Your Customer)
is essential for legal operation and long-term trust.
🔔 Thinking of Launching a Crypto Exchange? Pause Here
Before investing heavily, a short technical review can save months of rework and costly mistakes.
👉 DM us directly or book a free consultation with ITIO Innovex 🌐 https://itio.in/ 📩 Message us on LinkedIn or request a callback
Let’s build a secure, scalable, and future-ready crypto trading platform together.
Conclusion
Choosing the best cryptocurrency exchange development company is a strategic decision that directly impacts security, scalability, and long-term success.
By evaluating experience, customization capabilities, compliance readiness, and technical support, businesses can avoid costly missteps. ITIO Innovex delivers all of this making it a reliable partner for cryptocurrency exchange development in today’s fast-evolving digital asset landscape.
In an era where digital payments dominate everyday transactions — from online shopping and mobile wallets to contactless in-store purchases — the security of cardholder data has never been more critical. The Payment Card Industry Data Security Standard (PCI DSS) stands as the global benchmark for protecting sensitive payment information. Developed by the PCI Security Standards Council (PCI SSC), it applies to any organization that processes, stores, or transmits credit or debit card data.
Generative AI
1. Exploding Cyber Threats and Data Breaches
Cyberattacks targeting payment systems have surged. Ransomware, phishing, supply-chain exploits, and advanced persistent threats (APTs) are common. Non-compliant businesses face higher breach risks — studies show compliant organizations experience up to 50% fewer incidents. A single breach can expose thousands of card records, leading to massive fraud and identity theft. PCI DSS enforces controls like encryption, access restrictions, and vulnerability management to minimize these risks.
2. Building and Maintaining Customer Trust
Consumers now prioritize security when choosing where to shop. A visible commitment to PCI DSS signals reliability — think “Your card details are safe with us.” In contrast, a breach erodes trust overnight, resulting in lost customers, negative reviews, and long-term reputational damage. Compliant businesses often see higher conversion rates and loyalty because customers feel protected.
3. Avoiding Severe Financial and Legal Penalties
Non-compliance carries heavy costs:
Fines from card brands (up to $100,000+ per month in severe cases)
Increased transaction fees
Liability for fraud losses and breach-related expenses (legal fees, notifications, credit monitoring)
Potential loss of payment processing privileges
With stricter enforcement under v4.0.1 — including mandatory MFA for admin access, enhanced password policies, anti-phishing measures, and continuous monitoring — regulators and acquirers are less tolerant of lapses.
4. Enabling Secure Digital Innovation
Modern businesses rely on cloud services, APIs, e-commerce platforms, and third-party processors. PCI DSS v4.0.1 introduces flexibility (e.g., customized approaches and targeted risk analysis) while raising the bar on emerging risks like payment page skimming and insecure authentication. Compliance helps organizations innovate safely — adopting new tech without exposing card data.
5. A Foundation for Broader Cybersecurity Maturity
PCI DSS isn’t just about cards — its 12 core requirements (build and maintain secure networks, protect cardholder data, maintain vulnerability management, etc.) strengthen overall security posture. Many organizations use it as a baseline for GDPR, HIPAA, or ISO 27001 alignment.
Bottom Line in 2026
In a world of nonstop digital transactions and sophisticated cybercriminals, PCI DSS compliance protects customers, safeguards revenue, and demonstrates responsibility. It’s no longer a “checkbox” — it’s a strategic imperative for any business handling payments.
If your organization processes card data, assess your current status against v4.0.1 requirements today. Non-compliance risks far outweigh the effort of achieving it.
What challenges have you faced with PCI DSS? Share in the comments — I’d love to discuss real-world tips!
I work in payment infrastructure, and I keep seeing the same pattern across startups, marketplaces, and PSP-style builds.
Teams spend weeks perfecting checkout.
Then they get blindsided by payouts, disputes, mismatched balances, and “why didn’t I get paid?” emails.
Not because the payment gateway failed. But because KYB → risk → routing → settlement → reconciliation was treated like a straight line.
It isn’t.
It’s a system one that has to stay consistent when real money, real merchants, refunds, chargebacks, delayed webhooks, and regulatory scrutiny enter the picture.
If you’re building any of the following, this applies directly to you:
A marketplace (split payouts, vendor settlements)
A SaaS product (subscriptions, prorations, refunds)
Over the past three weeks, I’ve sent 50+ emails to Nigerian businesses — fashion designers in Lagos, freelance developers, gadget retailers, drone wholesalers, and crowdfunding platforms.
The feedback has been surprisingly consistent.
These aren’t isolated complaints. They’re systemic infrastructure gaps.
The pattern is clear:
Businesses are losing 10–15% to international payment fees
Freelancers are watching Naira devaluation eat their savings in real-time
E-commerce businesses are dealing with failed cross-border transactions
Operations teams face manual reconciliation nightmares
There’s constant fear of frozen accounts when accepting international payments
Traditional payment rails weren’t built for this moment. Banks can’t solve it. Payment processors won’t solve it. Someone has to create the alternative.
BillingBase is non-custodial crypto billing infrastructure for global businesses.
Let me break down what that actually means:
Non-custodial means payments go directly to YOUR wallet. We never hold your funds. We don’t control your money. We don’t have the ability to freeze your account. You maintain complete custody while we handle the infrastructure.
Crypto billing infrastructure means we provide the payment primitives you’re already familiar with — checkout links, subscriptions, refunds, webhooks, invoicing — except they work with stablecoins instead of traditional payment rails.
For Nigerian businesses, this means we understand the specific problems you face: Naira devaluation, international payment friction, high platform fees, and the need for dollar-denominated earnings that hold their value.
Here’s what you can do with BillingBase:
Accept stablecoin payments: USDT, USDC, DAI, and CNGN (Naira-pegged)
Use familiar tools: Payment links, recurring subscriptions, one-time payments, refunds, webhooks, and a dashboard to track everything
Get built-in protection: Chainalysis wallet screening, transaction-level risk checks, KYB verification, and audit trails for compliance
Why We’re Starting with a Beta
We don’t have all the answers yet.
What we know:
Nigerian businesses need better cross-border payments. Naira devaluation makes dollar earnings critical. Platform fees (Upwork’s 15%, Stripe’s 3.9%, PayPal’s conversion markups) are too high. International customers increasingly pay with stablecoins. Operations teams need reconciliation tools that traditional banks don’t provide.
What we need to validate:
Core features: Which payment primitives matter most? Do fashion designers prioritize deposit handling or subscription billing? Do freelancers want simple payment links or full API integration? Where’s the acceptable onboarding friction threshold?
Compliance: What documentation feels reasonable versus invasive? KYB is necessary, but where’s the line between thorough and annoying?
Infrastructure: Which blockchains — Base (lowest fees), Polygon (widely supported), Arbitrum (fast settlement)? Do businesses care, or just want “cheapest and fastest”? USDC (dollar-pegged) or CNGN (Naira-pegged)?
Integrations: QuickBooks? Xero? Google Sheets? Slack notifications when payments arrive?
Questions only real usage can answer:
How do designers handle deposits versus final payments?
Do freelancers prefer shareable links or automated invoicing? What reporting do finance teams need?
How often do merchants convert stablecoins to Naira?
What’s the right balance between automated risk controls and merchant control?
We can’t answer these in a vacuum. We need real businesses using BillingBase with real customers.
We’re looking for specific businesses where stablecoin payments solve real problems.
1. SME Businesses with Global Clients Fashion designers, bridal boutiques, custom clothiers, bespoke service providers with international clients who ship worldwide or provide remote services.
Your pain: 3–7 day payment delays, high cross-border fees, difficult deposit handling, currency conversion losses.
What you get: Instant stablecoin settlement, payment links for deposits/finals, dollar-denominated earnings, free integrated website during beta.
2. Freelancers & Service Providers Developers, designers, consultants, educators working directly with clients or through Upwork/Fiverr/Toptal.
Your pain: 10–15% platform fees, poor PayPal conversion rates, dollar invoices settled in devalued Naira, no professional low-cost direct payment option.
What you get:0.5% transaction fees, payment link dashboard, dollar earnings protected from devaluation, automatic receipts and audit trails.
Your pain: Slow, expensive wire transfers, high cross-border fees, poor reporting, and difficulty tracking recurring contributions.
What you get: Donation links (one-time/recurring), lower fees, instant international contributions via stablecoins, and clean reporting for finance teams and donors.
What we’re NOT looking for (yet):
High-volume enterprises: If you’re processing 10,000 transactions per day, we’re not ready for you. We’re optimizing for businesses with 10–500 transactions per month during beta.
Businesses requiring instant Naira conversion: We don’t provide off-ramp services yet. You’ll need your own method to convert stablecoins to Naira if needed (P2P platforms like Binance, Bybit, or local exchanges work well).
Companies needing white-label solutions: If you want to rebrand BillingBase as your own product, that’s not our focus right now.
Anyone expecting zero bugs: This is a beta. There will be rough edges. If you need production-perfect software on day one, wait for our public launch later this year.
What Beta Participants Get
1. Free Integration & Setup
No setup fees: Most payment platforms charge $500-$2,000 for integration. We don’t.
No monthly subscription during beta: Use BillingBase for free while we’re testing.
Transaction fees waived for first 90 days (or first 100 transactions): Whichever comes first. After that, standard fees apply (0.5% or lower depending on volume).
One-on-one onboarding support: We’ll walk you through wallet setup, dashboard usage, and first transactions. No “figure it out yourself” documentation dumps.
2. Custom Solutions Based on Your Business Type
For fashion designers: We’ll build you a one-pager website with integrated payment links. Free during beta. Professional design. Consultation booking system if needed.
For e-commerce businesses: We’ll integrate BillingBase API directly with your existing website. Custom checkout flow. Webhook setup. Testing support.
For freelancers: Payment link dashboard optimized for invoicing. Easy sharing via email, WhatsApp, or social media. Automatic receipt generation.
For educators: Subscription billing for courses or memberships. Payment links for one-time consultations or content. Recurring payment automation.
3. Direct Access to the Team
Weekly feedback calls (optional): Tell us what’s working and what’s broken.
Slack/WhatsApp channel with founders: Direct line to Ngozi and the team. No support ticket black holes.
Priority bug fixes: If something breaks, we fix it fast. Beta participants get priority.
Your input shapes the product roadmap: We’re not building in isolation. If you need a feature, we’ll consider adding it based on beta feedback.
4. Early Mover Advantage
Lifetime discounted pricing after beta: When we launch publicly, you’ll pay less than new customers — forever.
Featured case studies (with permission): If you’re willing, we’ll showcase how you’re using BillingBase. Good for your brand, good for ours.
First access to new features: New integrations, reporting tools, or blockchain support? Beta participants see it first.
Referral program with revenue share: Refer other businesses to BillingBase and earn a percentage of their transaction fees.
What We’re Asking From You
This isn’t passive testing. If you just want to “try it out and see,” that’s not what we need.
Time Commitment:
30–60 minutes: Initial setup (wallet, KYB verification, dashboard walkthrough, first test transaction)
15–30 minutes periodically: Feedback calls (every 2 weeks to monthly, depending on usage)
24–48 hour response time: When we ask “Can you try this again and tell us what happened?”
5–10 minutes monthly: Survey on feature usage and pain points
Honesty Requirement:
We need brutal feedback, not polite validation.
Tell us what’s confusing, broken, or doesn’t fit your workflow. Share what your customers say — positive and negative. If onboarding felt complicated, the dashboard doesn’t make sense, or a feature exists but you don’t understand why you’d use it, tell us. Screenshots help. Screen recordings are better.
We’re not looking for cheerleaders. We’re looking for honest partners who’ll tell us when we’re wrong.
Real Usage:
Use this with real customers. Test transactions catch bugs, but real revenue matters more. We can’t improve what we don’t see in production.
Send a payment link to a real client. Use BillingBase for a real deposit. Integrate it and see if customers choose the crypto option. We’re not asking you to bet your entire business on this, but we need real scenarios to see what happens when money is on the line.
Patience:
There will be bugs — we’ll fix them fast. Some features won’t exist yet — we’re prioritizing based on feedback. Documentation might be incomplete — we’re improving it weekly.
Beta means “we’re still learning.” If you need production-perfect software on day one, wait for our public launch.
In this writeup, we will explore the “Eureka” machine from Hack The Box, categorised as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the “Eureka” machine from Hack The Box by achieving the following objectives:
User Flag:
During enumeration, we discovered Spring Boot Actuator endpoints, including /actuator/heapdump, which revealed plaintext credentials for oscar190. We logged in to SSH as oscar190, but found the home directory empty. The application.properties file revealed Eureka credentials (EurekaSrvr:0scarPWDisTheB3st), which allowed us to access the Eureka dashboard on port 8761. By registering a malicious microservice, we retrieved miranda.wise credentials and captured the user flag from user.txt.
Root Flag:
For privilege escalation, the vulnerable log_analyse.sh script allowed command injection, enabling creation of a SUID bash shell in /tmp/bash. Execution of this shell provided root access, and the root flag was obtained from /root/root.txt.
Enumerating the Eureka Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap-sC-sV-oAinitial10.10.11.66
Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/eureka]└──╼$nmap-sC-sV-oAinitial10.10.11.66# Nmap 7.94SVN scan initiated Sun Aug 24 03:30:10 2025 as: nmap -sC -sV -oA initial 10.10.11.66Nmapscanreportfor10.10.11.66Hostisup (0.046s latency).Notshown:998closedtcpports (conn-refused)PORTSTATESERVICEVERSION22/tcpopensshOpenSSH8.2p1Ubuntu4ubuntu0.12 (Ubuntu Linux; protocol2.0)| ssh-hostkey:| 3072d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)| 25690:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)|_25694:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)80/tcpopenhttpnginx1.18.0 (Ubuntu)|_http-title:Didnotfollowredirecttohttp://furni.htb/|_http-server-header:nginx/1.18.0 (Ubuntu)ServiceInfo:OS:Linux; CPE:cpe:/o:linux:linux_kernelServicedetectionperformed.Pleasereportanyincorrectresultsathttps://nmap.org/submit/.# Nmap done at Sun Aug 24 03:30:21 2025 -- 1 IP address (1 host up) scanned in 10.99 seconds
Analysis:
Port 22 (SSH): Secure Shell service (OpenSSH 8.2p1) for remote access.
Port 80 (HTTP): Web server (nginx 1.18.0) hosting furni.htb.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
Feroxbuster directory enumeration identified the following endpoints:
Analysis:
/actuator/heapdump: Full application heap dump (very sensitive, ~76MB).
The heapdump is usually the biggest goldmine here—it can contain hardcoded credentials, JWT secrets, API keys, or session tokens.
Web Application Exploration:
The website interface appears to be a standard design showcasing a Modern Interior Design Studio.
Create a new user account
Therefore, proceed with creating a new account using the credentials mentioned above.
The password must contain a minimum of 10 characters.
Attempted to log in with the previously created credentials, but the response only returned bad credentials with no further action.
Extracting Eureka Service Credentials from Heapdump as oscar190
Proceed to download the heapdump by directly accessing the /actuator/heapdump endpoint through the web browser
To analyze the downloaded heapdump, run the strings command and pipe the output into grep to look for potential credentials. For example, using strings heapdump.hprof | grep -i "password=" will filter for any occurrences of the keyword password= within the dump. If no useful results are found, the search can be expanded with broader patterns such as pass, user, token, secret, or key to uncover sensitive information like database passwords, API keys, or authentication tokens stored in memory. This approach provides a quick way to extract valuable data from the heapdump before performing deeper analysis with tools like Eclipse MAT.
As a result, a full port scan will identify any additional services accessible on the target system.
Attempting Access to oscar190 via Eureka Dashboard and SSH
An attempt to use the previously discovered credentials for authentication failed, with all login attempts unsuccessful.
We used pwncat-cs to test the recovered credentials against SSH. The login was successful, and we gained remote access to the target system.
Enumeration as oscar190
After gaining access, we inspected the oscar190 directory. It was empty and contained no useful files for further exploitation.
We also checked for SUID binaries on the system, but found no unusual or exploitable ones.
During enumeration, we found a notable file at ./web/Funi/src/main/resource/application.properties containing sensitive information, including credentials that revealed the password for the oscar190 user.
Most importantly, under the Eureka section you discovered:
This line shows the Eureka service uses embedded credentials:
Username:EurekaSrvr
Password:0scarPWDisTheB3st
These new credentials are different from oscar190. They may be valid for the Eureka dashboard (port 8761) or other services like SSH, MySQL, or the web portal.
Accessing Spring Eureka Dashboard on Port 8761 Using Discovered Credentials
The newly discovered credentials (EurekaSrvr:0scarPWDisTheB3st) were tested against the Eureka service endpoint. Authentication was successful, confirming valid access to the Eureka configuration interface.
Surprisingly, the credentials worked and granted access to the Spring Eureka application dashboard, confirming control over the service.
Monitoring System Activity and Command Execution with pspy64
The pspy64 output revealed that a scheduled task is being executed by the root user, which uses curl to send a POST request to http://furni.htb/login. The request is crafted to resemble a normal browser login, with headers such as Accept, Content-Type, User-Agent, and a session cookie included. Most importantly, the POST data is not hardcoded in the command but instead read from the temporary file /tmp/tmp.hJ3yAWDvEW. the file is writable or replaceable by a lower-privileged user, it may be possible to inject malicious data or commands into it, allowing code execution under root’s context whenever the automated task runs.
Cloud-Gateway Enumeration and Insight
During enumeration, a directory named cloud-gateway was discovered, which stands out as it is not typically present in standard web application structures. Given its uncommon presence, this directory warrants deeper inspection to determine whether it contains exploitable configurations or hidden endpoints.
The cloud-gateway directory was identified within the application files, which is uncommon in typical setups and indicates the use of Spring Cloud Gateway for routing and service communication. Such directories often contain sensitive configuration files, route definitions, or embedded credentials, making it an important target for closer inspection during enumeration.
Analysing the application.yaml Configuration File
It appears that the request is being passed to the user-management-service component, located under the path /var/www/web, specifically beneath the /login functionality. This suggests that authentication requests from /login are routed internally to the user-management-service, which likely handles user validation and credential processing.
HTTP Login Endpoint Hijacking via User-Management-Service
Inside the user-management-service directory, several files and subdirectories were identified, indicating this component is likely responsible for handling authentication and account-related functionality within the application. Since it sits directly under /var/www/web, its contents may include configuration files, source code, or compiled application resources that could expose sensitive information such as database credentials, API keys, or logic flaws.
The files discovered within the user-management-service directory were copied over to the attacker’s machine for further offline analysis. This allows deeper inspection of configuration details, source code, and potential hardcoded secrets without the risk of altering the target environment.
The application.properties and Eureka-related configuration files contain fields such as <instanceId>, <hostName>, <ipAddr>, <port>, <homePageUrl>, <statusPageUrl>, and <healthCheckUrl>. By modifying these values to match the attacker’s controlled IP address and port, it is possible to redirect the service registration in Eureka to point toward a malicious service instead of the legitimate one.
Retrieving miranda.wise Credentials and Capturing User Flag
The first command performs a POST request to register a new instance of the USER-MANAGEMENT-SERVICE application, where the configuration details (such as instance ID, host, IP address, and port) are provided in an external instance.xml file. By modifying this XML file with the attacker’s own machine details, it is possible to make Eureka believe that the legitimate service now points to the attacker-controlled host. The second command issues a DELETE request targeting the existing service entry localhost:USER-MANAGEMENT-SERVICE:9009, which corresponds to the genuine application running locally on port 9009.
A successful callback was received, which revealed system details tied to the user miranda.wise. This indicates that the malicious service registration worked as intended, and the compromised microservice forwarded traffic to the attacker-controlled host, exposing valuable information about another valid user account in the environment.
The user flag was captured by reading the user.txt file with the cat command.
Escalate to Root Privileges Access
Privilege Escalation:
We did not identify any unusual or exploitable SUID binaries on the system.
A script named log_analyse.sh was discovered on the system, which stands out as a potential target for further analysis to determine if it contains insecure commands, misconfigurations, or privilege escalation opportunities.
Analysis of log_analyse.sh Script
This script is a log analyser that examines server logs to track three key aspects: who’s logging in (successfully or not), what HTTP errors are occurring, and any system errors worth noting. It’s got some nice touches – colour-coded outputs for quick scanning and a clean report saved to log_analysis.txt.
This Bash script analyzes log files, extracting login attempts, HTTP status codes, and errors, then saves results to log_analysis.txt. A key function, analyze_http_statuses(), parses HTTP status codes using grep -oP 'Status: \K.*'. However, it’s vulnerable to command injection—if logs contain malicious strings like $(malicious_command), Bash will execute them when processing the file.
The output demonstrates the behavior of the log_analyse.sh script when executed, showing that it processes and reads the contents of application.log. This indicates that the script’s purpose is related to log handling, and analyzing its execution flow could reveal opportunities for manipulation or privilege escalation.
The original file was copied, then deleted, and after restoring it, the file ownership changed from www-data to miranda-wise.
Exploiting Bash SUID for Privilege Escalation
The bash script does not run with root privileges.
It defines two target log files located in the user-management-service and cloud-gateway directories, then injects a malicious payload into them. The payload attempts to execute a command substitution by copying /bin/bash to /tmp/bash and setting the SUID bit, effectively creating a root-privileged shell. To achieve this, the script removes the original log files and replaces them with the crafted payload. Once the vulnerable process or script that parses these logs executes the injected content, the attacker gains elevated privileges via the SUID-enabled /tmp/bash.
We then executed the crafted bash file, which replaced the targeted log files with the injected payload, preparing for privilege escalation once the vulnerable service processes the modified logs.
Running the script produced no immediate effect, suggesting the logs remained unprocessed or required additional conditions.
After some time, the injected payload successfully executed and resulted in the creation of a SUID bash binary inside the /tmp directory, allowing privilege escalation. By running ls -l /tmp/bash, the SUID bit could be confirmed, and executing /tmp/bash -p provided a root shell since the binary retains elevated privileges. From there, commands like id could be used to verify root access, and the final step was reading the root.txt file located in the /root directory to obtain the root flag and complete the exploitation.
The root flag was retrieved by executing the cat root.txt command.
Login
