
Federal agency business forecasts have gone dark, and companies are struggling to plan without them

Interview transcript:


Stephanie Kostro It is the end of the calendar year, beginning of the government fiscal year. And this is the time of year when a lot of companies take a step back and evaluate their business strategy and their planning for the next few years. We see a lot of folks having off-sites in December or in January to do some of this strategic planning and I’ll be frank with you, I think a lot of people will be happy to see 2025 end. And they will celebrate the new year in all sorts of ways, just because of what they’ve been through this year. If your listeners can harken back to earlier this year, the efficiency initiatives really did a number on a lot of the business plans that had been developed among government contracting companies. Some of them had massive de-scoping of their contracts. Some of them had contract terminations. Some, particularly those who worked for agencies like U.S. Agency for International Development, and the Department of Education, some at Health and Human Services really saw a diminution of their planned objectives for throughout the year. And so as we go into the December and January planning cycle for these companies, what they’re really looking for are signs from the government that there is work coming as they start to think through what calendar ’26 looks like. And they start to do their resource planning for personnel and for bid teams to put together proposals. That’s really what they are looking for. And I will have to say, Terry, earlier this year. PSC, the Professional Services Council, we represent services and solutions providers. And typically every year we put together something called our business forecast, which looks at our scorecard, which looks at all of the web-based procurement forecasts put out by agencies. And we would look at tens of agencies and their forecasts and we would rate them based on 15 key attributes, which we developed in industry, about what is useful for those forecasts.
This year in 2025, we made the decision that instead of putting out our seventh annual forecast, we skipped this year. The forecasts just weren’t there, and they’re still not there.

Terry Gerton So how is it that agencies put those forecasts out, and what do they base it on? And I guess the third part of that question is, why aren’t they there?

Stephanie Kostro This was a mandate from, among others, from the Office of Federal Procurement Policy, which is a White House office that said, hey, agencies, to the extent that you can, put out forecasts on your websites. And it was really to help drive new companies to join the federal marketplace and to keep those companies that are part of the GovCon community interested. If you could look at a website and say, okay, there is an opportunity coming up in Q1, Q2, Q3, and let’s build towards that opportunity. What happened earlier this year is a lot of those websites went dark. I think it was because as part of the efficiency initiative, it was no longer a useful tool because things were moving very, very quickly. What I find interesting though, is that those websites are still dark. They’re still not there. And so I’m not entirely sure how our government contracting community can put together a reliable business strategy for 2026 and beyond in the absence of that information.

Terry Gerton Well, some estimates are that the contracting workforce itself has been reduced by over 25%. Are we just missing the people who used to do this?

Stephanie Kostro I think that’s part of it, Terry. We’re missing some of the folks who took that deferred resignation or the “fork in the road” option. Some of them did the voluntary early retirement programs. I would also say in many agencies, and I’ll use the phrase “OSDBU”, but I’ll actually speak out the acronym here, the Office of Small and Disadvantaged Business Utilization. Those were usually the offices that had the lead on publishing these websites, and those offices have sort of been dismantled in some agencies. They are certainly de-emphasized in a lot of the agencies. And so it might be … they’re missing the people, that is true, but it’s also they’re also missing the offices that have the lead on putting together these forecasts. And it really is a shame because, you know, the business community uses these forecasts in so many different ways. It helps them do, I mentioned the business planning, but helps them figure out who they want to partner with, who’s going to be their subcontractors or their suppliers, their vendors, etc. This is a real gap in understanding of what the federal marketplace can offer companies. And I do think it will have effects on whether commercial companies want to get involved in government work. They just don’t know what the opportunities are.

Terry Gerton I’m speaking with Stephanie Kostro, president of the Professional Services Council. Stephanie, one more question on this. I mean, GSA has gone through a lot of work to centralize procurement and forecasting. Would you expect that GSA will take this over perhaps and share their forecast?

Stephanie Kostro I love that you asked this question, Terry, because as I mentioned the last time we put out our forecast, it was in 2024 and we had actually at PSC highlighted GSA as a model for putting out these forecasts. We mentioned that GSA has something called their Acquisition Gateway, which sets a high bar for government business forecasting and it encourages the migration to the GSA tool for other departments. So Department of Labor, Department of Justice, they were using the GSA Acquisitions Gateway. So I think this is a fantastic opportunity to go back to that gateway and have GSA take the lead.

Terry Gerton Speaking of forecasts, PSC’s got a big session coming up starting on December 1st. Your vision federal market forecast. Tell us about that.

Stephanie Kostro I love that our entire segment here is devoted to forecasting, because the procurement dork in me is celebrating here. So PSC has this conference and it’s actually run by our foundation, which is our 501c3 nonprofit affiliate dedicated to education. And so it is a year-long process where we have so many teams come together. There are 21 different study teams, they focus on things like Health and Human Services, or Customs and Border Protection as part of the Homeland Security team. And this year of agency discussions, they speak to think tank folks, they speak to procurement officials within the government, and it culminates in this conference and it’s happening in person on December 1st. It’s a virtual day for December 2nd and 3rd. It is where these 21 different study teams present their findings. So it’s not just tied to a web-based procurement forecast, but rather these discussions that they’re having with officials. We had over 400 volunteers as part of this process, and I’m just very excited. It is a great opportunity to really hear what’s going on in the procurement world, not just for opportunities, but what the dynamics look like, what impact inflation is having, etc. And to be honest, what impact these efficiency initiatives have had on the federal marketplace. So I highly recommend this conference. Again, it’s December 1st through the 3rd, and December 1 is the only in-person day here in Arlington.

Terry Gerton It sounds like in the absence of the agency forecast that we were talking about at the beginning of our conversation, this may be a great opportunity for contractors, those who are considering government work, to find out from inside sources what’s going on.

Stephanie Kostro It’s a perfect opportunity to get some business intelligence. It’s also a great networking opportunity because we do have government folks come to this conference as well to hear about what other agencies are doing. And so I highly commend it to folks who are listening, but I’m certainly going to be there and soaking up all of the knowledge that I can. I’m particularly looking forward to the Defense Services presentation in light of the Secretary of War Hegseth and his arsenal of freedom speech that he gave about transforming the processes for requirements and acquisition. I’m really looking forward to that. And I always look forward sort of to the top-line and the IT modernization teams as well. So if I were going to recommend three sessions, those are the top three. But they’re all very, very interesting and I’m looking forward to it.

Terry Gerton So how do people who want to attend find out about it and register?

Stephanie Kostro They can go to PSCouncil.org, and you can also search for Vision Federal Market Forecast and the sessions will pop up. There is a fee, obviously, for this, but it is open to the public. It is a widely attended gathering which allows government folks to attend. That is how they can connect with this conference.

The post Federal agency business forecasts have gone dark, and companies are struggling to plan without them first appeared on Federal News Network.

© Federal News Network

Secretary of War Pete Hegseth delivers remarks at the National War College at Fort McNair, Washington, D.C., Nov. 7, 2025. (DoW photo by U.S. Navy Petty Officer 1st Class Alexander Kubitza)

White Label Crypto Payment Gateway - Best Choice for Entrepreneurs

4 November 2025 at 07:37


A Complete Guide that can really take your business to the next level via a Crypto payment gateway

Cryptocurrency transactions are becoming more prevalent and shortly, crypto payment gateways will be present in all the selling points and POS centers. A crypto payment gateway helps move your business to the next level by accepting payments from the population who are interested in crypto. So, it is better to initiate your crypto payment gateway business so that you can lead the business in that specific area.

Everyone needs instant solutions these days. When it comes to instant ways, many of them prefer White Label solutions to create a well-functioning cryptocurrency payment gateway platform in a timely manner. White Label solution is a ready-made software with which business people can create their crypto payment gateway business promptly.

In this blog, let us know about the White Label Crypto Payment Gateway, its features, the benefits of starting your cryptocurrency payment gateway business, and how to do it in such a professional way to attract the crypto audience.

Before all that, as a startup, you need to know…

Know about Crypto Payment Gateway

Cryptocurrency payment processors are intermediaries or facilitators between the buyer and the seller in the transaction. With the help of payment gateways, you can transfer your money from one end to another without any hassles. Payment gateways are a source of digital payments facilitating all the POS devices to do the payments.

If it is done with crypto transactions, then a crypto payment gateway is required. Crypto payment gateway development involves the same way of development procedure, but they come up with some extra benefits and features that stand out from other normal digital payment methods like Paypal, Skrill, etc.

White Label Crypto Payment Gateway Software - A Simple Solution

As I said earlier, you can create your own cryptocurrency payment gateway using a White label solution. It is a turnkey solution for every startup and entrepreneur because they can save their time and money for the development process. As a startup, you can focus on your business rather than the development process. Even though White Label solutions are ready to use, they are already developed, tested, and implemented with prominent features. Here are some of the benefits of using White Label solutions.

Easy Branding

White Label solutions allow startups to focus more on branding the products than on research and development. Of course, having relevant product knowledge is essential. But, you are spared from devoting energy to issues that wouldn’t have significantly altered the market. Reaching out to customers and informing them that you have a worthwhile offering makes all the difference.

Time and Money

The process of creating a new product is expensive. The cost of establishing a separate team to create and customize items will be borne by the corporation. White Label crypto payment gateway software enables companies to avoid such significant cost points. They are able to concentrate more on their main competencies thanks to this structure than on ancillary tasks.

Less Risk

The associated hazards grow as a company grows larger. Businesses can transfer the risk involved with the entire process of developing products to other parties by using white labeling services. Companies that specialize in product development, like Jungleworks, typically manage and mitigate those risks better.

Satisfied and happy customers

Eventually, it all basically comes down to the customers. How businesses provide their goods or services has a big impact on how satisfied customers are. Because of a more effective value chain, including White Labelling, customers engage in profitable transactions with the companies.

Before entering into the White Label Crypto Payment Gateway, as a startup, you need to know the importance of creating it.

Benefits of Creating a White Label Crypto Payment Gateway Software

Effective UI and easy to use

Crypto payment gateways are crafted to make payments easier and so they have a well-knitted user interface along with an easy-to-use mechanism. The greater the coziness of the platform, the greater the performance and engagement. Also, the transactions happen in a really quick time making things easier and more effective.

Transparency

As it is a completely decentralized app with the freedom of the user to send his payments to his friends or for the bill to the nearby store, he can use this app to transact crypto. He or she can take a look over the paid transactions at a later time due to the security provided by software as you have access to your information in the blockchain.

Comfortable

Payment gateways have made transactions more convenient than fiat transactions. When it comes to White Label Crypto Payment Gateway, you can do convenient transactions with another person without the intervention of the crypto exchange platform. All you will need is a cryptocurrency wallet with a different coin address integrated with the crypto payment gateway so that you can make your crypto payments without any interruption.

Highly secure platform

Have you ever thought of a payment gateway without any security? Normal digital payment platforms do have specified security specifications like two-factor authentication and pin codes. In that way, White Label crypto payment gateways come with blockchain technology covered so that they do not get hacked. Moreover, you can check your transactions and previous communications in the history of transactions stored in the ledger.

Scalability

The higher the scalability the higher the user engagement. You can also say vice versa. So, if you want to succeed as a Cryptopreneur, make sure that your platform reaches high scalability. Then things will turn up for you and you can succeed as a crypto businessman.

So far we have seen the benefits of creating your crypto payment gateway platform. On going through these benefits you may know the importance of creating it and the necessity of white label solutions. Up next let us move on to…

Features of Crypto Payment Gateway Development

The feature that you integrate with your crypto payment gateway is the most essential thing for your business growth. So you must be careful while selecting and implementing features.

There are various features revolving around starting the cryptocurrency payment gateway. Some of them are listed below:

Seamless conversion: You can convert your fiat to crypto and vice versa within seconds through the crypto payment gateways.

Quicker transactions: With crypto payment gateways, all the transactions are done quickly and efficiently.

Security: All the transactions and communications that happen in the payment gateways are highly secure due to their security system. The blockchain system guards your transactions and ledgers every transaction, making it more secure and safe.

Different blockchains for different coins: Each of the cryptocurrencies would be handled with a different blockchain that would be integrated with a wallet along with the cryptocurrency payment gateway app.

User-managed fund control: The funds can be controlled by managing the blockchain with private keys, thereby ensuring security and transparency. The flow of cryptos or exchanges of currencies cannot be done without complete control of your wallet.

Multiple wallets: The cryptocurrency payment gateways can support multiple wallets, and hence initiating a multi-wallet crypto wallet development software will help you to boost your business higher than your peers.

Multi-lingual support: If you want to compete globally, then you should have a feature of a multi-lingual cryptocurrency payment gateway. Thereby you can boost your business to greater levels than at the regional level.

After going through the features, you would be intimidated to start your cryptocurrency payment gateway. That is no surprise. Before that, we can get to know…

How to develop a White Label Crypto Payment Gateway Software?

You should follow specific processes to develop a successful White Label Cryptocurrency payment gateway platform. It is best recommended to create a multi-cryptocurrency payment gateway to manage the transactions of multiple cryptocurrencies rather than only the major ones.

Assessment: First of all, you should analyze the requirements of your crypto payment platform before starting it. You should have solid research and analysis of your wants and nots and then create an outline so that it will help you to get the required outcome.

Brainstorm your ideas: Brainstorm your ideas and gather all the software requirements to initiate your creation.

Development: Go by the outline and carefully develop your crypto payment gateway platform. You can make modifications and changes accordingly.

Deployment: After development and a series of quality checks, you can go for the deployment of the software successfully. And that is how you can develop your crypto payment gateway software.

It is a difficult task to create a crypto payment gateway development software all by yourself. No worries. You can reach the best multi-cryptocurrency payment gateway development companies to create your desired platform.

All you need to do is clarify your idea and your desired outcome to them so that they can use their expertise to help you get your dream cryptocurrency payment gateway. Choosing an expert Cryptocurrency Payment Gateway Development Company with wide experience and affordable charges is key to initiating your platform with less investment.

Concluding Thoughts…

Cryptocurrency payment is becoming one of the most facilitative worldwide payment systems in the world. That leveraged the idea of the cryptocurrency payment gateway platforms. So, as you know the benefits of the platforms and how to develop them, it is the right time to initiate your crypto payment gateway with assistance from the best cryptocurrency payment development company and earn huge profits.


White Label Crypto Payment Gateway - Best Choice for Entrepreneurs was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.

Hack The Box: Eureka Machine Walkthrough - Hard Difficulty

By: darknite
30 August 2025 at 10:58

Introduction to Eureka:

In this writeup, we will explore the “Eureka” machine from Hack The Box, categorised as a Hard difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the β€œEureka” machine from Hack The Box by achieving the following objectives:

User Flag:

During enumeration, we discovered Spring Boot Actuator endpoints, including /actuator/heapdump, which revealed plaintext credentials for oscar190. We logged in to SSH as oscar190, but found the home directory empty. The application.properties file revealed Eureka credentials (EurekaSrvr:0scarPWDisTheB3st), which allowed us to access the Eureka dashboard on port 8761. By registering a malicious microservice, we retrieved miranda.wise credentials and captured the user flag from user.txt.

Root Flag:

For privilege escalation, the vulnerable log_analyse.sh script allowed command injection, enabling creation of a SUID bash shell in /tmp/bash. Execution of this shell provided root access, and the root flag was obtained from /root/root.txt.

Enumerating the Eureka Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

nmap -sC -sV -oA initial 10.10.11.66

Nmap Output:

┌─[dark@parrot]─[~/Documents/htb/eureka]
└──╼ $nmap -sC -sV -oA initial 10.10.11.66
# Nmap 7.94SVN scan initiated Sun Aug 24 03:30:10 2025 as: nmap -sC -sV -oA initial 10.10.11.66
Nmap scan report for 10.10.11.66
Host is up (0.046s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d6:b2:10:42:32:35:4d:c9:ae:bd:3f:1f:58:65:ce:49 (RSA)
|   256 90:11:9d:67:b6:f6:64:d4:df:7f:ed:4a:90:2e:6d:7b (ECDSA)
|_  256 94:37:d3:42:95:5d:ad:f7:79:73:a6:37:94:45:ad:47 (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://furni.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 24 03:30:21 2025 -- 1 IP address (1 host up) scanned in 10.99 seconds

Analysis:

  • Port 22 (SSH): Secure Shell service (OpenSSH 8.2p1) for remote access.
  • Port 80 (HTTP): Web server (nginx 1.18.0) hosting furni.htb.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

gobuster dir -u http://furni.htb/ -w /opt/quickhits.txt

Gobuster Output:

┌─[dark@parrot]─[~/Documents/htb/eureka]
└──╼ $gobuster dir -u http://furni.htb/ -w /opt/quickhits.txt
/actuator             (Status: 200) [Size: 2129]
/actuator/caches      (Status: 200) [Size: 20]
/actuator/features    (Status: 200) [Size: 467]
/actuator/info        (Status: 200) [Size: 2]
/actuator/health      (Status: 200) [Size: 15]
/actuator/env         (Status: 200) [Size: 6307]
/actuator/metrics     (Status: 200) [Size: 3319]
/actuator/refresh     (Status: 405) [Size: 114]
/actuator/sessions    (Status: 400) [Size: 108]
/actuator/scheduledtasks (Status: 200) [Size: 54]
/actuator/mappings    (Status: 200) [Size: 35560]
/actuator/loggers     (Status: 200) [Size: 98261]
/actuator/beans       (Status: 200) [Size: 202254]
/actuator/configprops (Status: 200) [Size: 37195]
/actuator/conditions  (Status: 200) [Size: 184221]
/actuator/threaddump  (Status: 200) [Size: 176397]

Analysis:

Spring Boot Actuator endpoints provide insights:

  • /actuator shows system details,
  • /caches shows cache info,
  • /features lists features,
  • /info gives metadata,
  • /health shows status,
  • /env shows variables,
  • /metrics shows performance,
  • /refresh returns 405,
  • /sessions returns 400,
  • /scheduledtasks shows tasks,
  • /mappings lists routes,
  • /loggers shows logs,
  • /beans lists beans,
  • /configprops shows config,
  • /conditions shows auto-config,
  • /threaddump shows threads.

Feroxbuster directory enumeration identified the following endpoints:

Analysis:

  • /actuator/heapdump: Full application heap dump (very sensitive, ~76MB).

The heapdump is usually the biggest goldmine here: it can contain hardcoded credentials, JWT secrets, API keys, or session tokens.

Web Application Exploration:

The website interface appears to be a standard design showcasing a Modern Interior Design Studio.

Create a new user account

Therefore, proceed with creating a new account using the credentials mentioned above.

The password must contain a minimum of 10 characters.

Attempted to log in with the previously created credentials, but the response only returned bad credentials with no further action.

Extracting Eureka Service Credentials from Heapdump as oscar190

Proceed to download the heapdump by directly accessing the /actuator/heapdump endpoint through the web browser.

To analyze the downloaded heapdump, run the strings command and pipe the output into grep to look for potential credentials. For example, using strings heapdump.hprof | grep -i "password=" will filter for any occurrences of the keyword password= within the dump. If no useful results are found, the search can be expanded with broader patterns such as pass, user, token, secret, or key to uncover sensitive information like database passwords, API keys, or authentication tokens stored in memory. This approach provides a quick way to extract valuable data from the heapdump before performing deeper analysis with tools like Eclipse MAT.

Heapdump analysis revealed valid plaintext credentials:

  • Username: oscar190
  • Password: 0sc@r190_S0l!dP@sswd

Failed Authentication Attempts with Extracted Credentials

┌─[dark@parrot]─[~/Documents/htb/eureka]
└──╼ $nmap -sC -sV -p- -oA fullport 10.10.11.66
8761/tcp open  unknown
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 401 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Set-Cookie: JSESSIONID=052BB32927ACF7E3EC6D4104D8933C61; Path=/; HttpOnly
|     WWW-Authenticate: Basic realm="Realm"
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 0
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Length: 0
|     Date: Sun, 24 Aug 2025 04:16:36 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 401 
|     Vary: Origin
|     Vary: Access-Control-Request-Method
|     Vary: Access-Control-Request-Headers
|     Set-Cookie: JSESSIONID=F7494079A8B84CF8089636498980649E; Path=/; HttpOnly
|     WWW-Authenticate: Basic realm="Realm"
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 0
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Length: 0
|     Date: Sun, 24 Aug 2025 04:16:36 GMT
|     Connection: close

A full port scan identifies any additional services accessible on the target system; here it shows port 8761 answering with HTTP 401 and a Basic authentication challenge.

Attempting Access to oscar190 via Eureka Dashboard and SSH

An attempt to use the previously discovered credentials for authentication failed, with all login attempts unsuccessful.

We used pwncat-cs to test the recovered credentials against SSH. The login was successful, and we gained remote access to the target system.

Enumeration as oscar190

After gaining access, we inspected the oscar190 directory. It was empty and contained no useful files for further exploitation.

We also checked for SUID binaries on the system, but found no unusual or exploitable ones.

During enumeration, we found a notable file at ./web/Funi/src/main/resource/application.properties containing sensitive information, including credentials that revealed the password for the oscar190 user.

Most importantly, under the Eureka section we discovered:

eureka.client.service-url.defaultZone= http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/

This line shows the Eureka service uses embedded credentials:

  • Username: EurekaSrvr
  • Password: 0scarPWDisTheB3st

These new credentials are different from oscar190. They may be valid for the Eureka dashboard (port 8761) or other services like SSH, MySQL, or the web portal.
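Both weaknesses used so far, the exposed Actuator endpoints and the credentials embedded in the defaultZone URL, can be caught by reviewing the properties file before deployment. The following is an added example, not code from the original writeup or from the target: it audits an application.properties file, and its sample files and their values are constructed (the management.* keys are standard Spring Boot property names; the target's real settings are not shown on this page).

```python
import re
from urllib.parse import urlsplit

# Actuator endpoints that disclose memory, environment or configuration data.
SENSITIVE = {"heapdump", "threaddump", "env", "configprops",
             "beans", "mappings", "loggers"}

# Constructed sample inputs; all values are made up for this example.
WEAK = """\
# application.properties (constructed)
management.endpoints.web.exposure.include=*
management.endpoint.threaddump.enabled=false
eureka.client.service-url.defaultZone= http://svc-user:EXAMPLE-SECRET@localhost:8761/eureka/
server.port=8080
"""

HARDENED = """\
# application.properties (constructed)
management.endpoints.web.exposure.include=health,info
eureka.client.service-url.defaultZone=http://localhost:8761/eureka/
server.port=8080
"""


def parse_properties(text):
    """Return {key: value} for key=value or key:value lines, skipping comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def csv_set(value):
    """Split a comma-separated property value into a lower-cased set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def audit(text):
    """Return sorted findings as (kind, endpoint-or-key) tuples."""
    props = parse_properties(text)
    findings = []

    # 1. Sensitive Actuator endpoints reachable over HTTP.
    include = csv_set(props.get("management.endpoints.web.exposure.include", ""))
    exclude = csv_set(props.get("management.endpoints.web.exposure.exclude", ""))
    exposed = set(SENSITIVE) if "*" in include else include & SENSITIVE
    if "*" in exclude:
        exposed = set()
    for endpoint in sorted(exposed - exclude):
        enabled = props.get(f"management.endpoint.{endpoint}.enabled", "")
        if enabled.lower() == "false":
            continue
        findings.append(("actuator-exposed", endpoint))

    # 2. Passwords embedded in URLs (user:password@host). Only the key is
    #    reported so the secret is not copied into the audit output.
    for key in sorted(props):
        for part in props[key].split(","):
            part = part.strip()
            if "://" not in part:
                continue
            try:
                has_password = urlsplit(part).password is not None
            except ValueError:
                continue
            if has_password:
                findings.append(("url-credentials", key))
                break
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

A finding of url-credentials means the secret belongs in an external secret store or environment variable, and every place the file has been copied to should be treated as having held the password.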

Accessing Spring Eureka Dashboard on Port 8761 Using Discovered Credentials

The newly discovered credentials (EurekaSrvr:0scarPWDisTheB3st) were tested against the Eureka service endpoint. Authentication was successful, confirming valid access to the Eureka configuration interface.

Surprisingly, the credentials worked and granted access to the Spring Eureka application dashboard, confirming control over the service.

Monitoring System Activity and Command Execution with pspy64

The pspy64 output revealed that a scheduled task is being executed by the root user, which uses curl to send a POST request to http://furni.htb/login. The request is crafted to resemble a normal browser login, with headers such as Accept, Content-Type, User-Agent, and a session cookie included. Most importantly, the POST data is not hardcoded in the command but instead read from the temporary file /tmp/tmp.hJ3yAWDvEW. If the file is writable or replaceable by a lower-privileged user, it may be possible to inject malicious data or commands into it, allowing code execution under root’s context whenever the automated task runs.

Cloud-Gateway Enumeration and Insight

During enumeration, a directory named cloud-gateway was discovered, which stands out as it is not typically present in standard web application structures. Given its uncommon presence, this directory warrants deeper inspection to determine whether it contains exploitable configurations or hidden endpoints.

Source: Cloud management gateway overview

The cloud-gateway directory was identified within the application files, which is uncommon in typical setups and indicates the use of Spring Cloud Gateway for routing and service communication. Such directories often contain sensitive configuration files, route definitions, or embedded credentials, making it an important target for closer inspection during enumeration.

Analysing the application.yaml Configuration File

It appears that the request is being passed to the user-management-service component, located under the path /var/www/web, specifically beneath the /login functionality. This suggests that authentication requests from /login are routed internally to the user-management-service, which likely handles user validation and credential processing.

HTTP Login Endpoint Hijacking via User-Management-Service

Inside the user-management-service directory, several files and subdirectories were identified, indicating this component is likely responsible for handling authentication and account-related functionality within the application. Since it sits directly under /var/www/web, its contents may include configuration files, source code, or compiled application resources that could expose sensitive information such as database credentials, API keys, or logic flaws.

The files discovered within the user-management-service directory were copied over to the attacker’s machine for further offline analysis. This allows deeper inspection of configuration details, source code, and potential hardcoded secrets without the risk of altering the target environment.

The application.properties and Eureka-related configuration files contain fields such as <instanceId>, <hostName>, <ipAddr>, <port>, <homePageUrl>, <statusPageUrl>, and <healthCheckUrl>. By modifying these values to match the attacker’s controlled IP address and port, it is possible to redirect the service registration in Eureka to point toward a malicious service instead of the legitimate one.

Retrieving miranda.wise Credentials and Capturing User Flag

The first command performs a POST request to register a new instance of the USER-MANAGEMENT-SERVICE application, where the configuration details (such as instance ID, host, IP address, and port) are provided in an external instance.xml file. By modifying this XML file with the attacker’s own machine details, it is possible to make Eureka believe that the legitimate service now points to the attacker-controlled host. The second command issues a DELETE request targeting the existing service entry localhost:USER-MANAGEMENT-SERVICE:9009, which corresponds to the genuine application running locally on port 9009.

A successful callback was received, which revealed system details tied to the user miranda.wise. This indicates that the malicious service registration worked as intended, and the compromised microservice forwarded traffic to the attacker-controlled host, exposing valuable information about another valid user account in the environment.

The user flag was captured by reading the user.txt file with the cat command.

Escalating to Root Privileges

Privilege Escalation:

We did not identify any unusual or exploitable SUID binaries on the system.

A script named log_analyse.sh was discovered on the system, which stands out as a potential target for further analysis to determine if it contains insecure commands, misconfigurations, or privilege escalation opportunities.

Analysis of log_analyse.sh Script

This script is a log analyser that examines server logs to track three key aspects: who’s logging in (successfully or not), what HTTP errors are occurring, and any system errors worth noting. It’s got some nice touches – colour-coded outputs for quick scanning and a clean report saved to log_analysis.txt.

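# Excerpt from analyze_http_statuses(): take the text after "Status: " on each HTTP line
grep "HTTP.*Status: " "$LOG_FILE" | while read line; do
    code=$(echo "$line" | grep -oP 'Status: \K.*')
    # ...
    # Vulnerable comparison: -eq inside [[ ]] evaluates both operands as arithmetic
    # expressions, so log-supplied text in $code is evaluated, not compared as a string
    if [[ "$existing_code" -eq "$code" ]]; then
        new_count=$((existing_count + 1))
        STATUS_CODES[$i]="${existing_code}:${new_count}"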

This Bash script analyzes log files, extracting login attempts, HTTP status codes, and errors, then saves results to log_analysis.txt. A key function, analyze_http_statuses(), parses HTTP status codes using grep -oP 'Status: \K.*'. However, it’s vulnerable to command injection: if logs contain malicious strings like $(malicious_command), Bash will execute them when processing the file.
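A hardened version of the status-code tally, as an added example that is not code from the original post or from the script on the box. It assumes the "HTTP ... Status: NNN" line format shown in the excerpt; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the script from the box). Function names and the
# sample log lines are constructed for illustration.

# Write a small constructed log to "$1": three valid entries and one whose
# status field carries a command substitution that would create "$2" if
# the shell ever evaluated it.
make_sample_log() {
    {
        printf '%s\n' '2025-01-01 10:00:01 HTTP GET /login Status: 200'
        printf '%s\n' '2025-01-01 10:00:02 HTTP GET /missing Status: 404'
        printf '2025-01-01 10:00:03 HTTP GET /x Status: $(touch %s)\n' "$2"
        printf '%s\n' '2025-01-01 10:00:04 HTTP POST /login Status: 200'
    } > "$1"
}

# Print "code:count" lines for the log file "$1", sorted by code.
# The status field is handled purely as text: it is matched against a
# three-digit pattern and counted by sort/uniq. It never reaches an
# arithmetic context such as [[ ... -eq ... ]], (( )) or $(( )), where the
# shell evaluates the operand as an expression instead of comparing it.
count_http_statuses() {
    sed -n 's/.*HTTP.*Status: \(.*\)$/\1/p' "$1" |
    while IFS= read -r code; do
        case $code in
            [0-9][0-9][0-9]) printf '%s\n' "$code" ;;
            # Do not echo the rejected value: it is attacker-controlled.
            *) printf 'skipped a non-numeric status field\n' >&2 ;;
        esac
    done | sort | uniq -c | awk '{ print $2 ":" $1 }'
}

# Demo run on the constructed log.
tmp=$(mktemp -d)
make_sample_log "$tmp/app.log" "$tmp/marker"
count_http_statuses "$tmp/app.log"
[ -e "$tmp/marker" ] && echo "payload ran" || echo "payload not executed"
rm -rf "$tmp"
```

The same rule applies to any script that runs on a schedule or with higher privileges over files a lower-privileged account can write: validate the field against a strict pattern first, and keep log-derived strings out of arithmetic comparisons.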

The output demonstrates the behavior of the log_analyse.sh script when executed, showing that it processes and reads the contents of application.log. This indicates that the script’s purpose is related to log handling, and analyzing its execution flow could reveal opportunities for manipulation or privilege escalation.

The original file was copied, then deleted, and after restoring it, the file ownership changed from www-data to miranda-wise.

Exploiting Bash SUID for Privilege Escalation

The bash script does not run with root privileges.

The crafted script defines two target log files located in the user-management-service and cloud-gateway directories, then injects a malicious payload into them. The payload attempts to execute a command substitution by copying /bin/bash to /tmp/bash and setting the SUID bit, effectively creating a root-privileged shell. To achieve this, the script removes the original log files and replaces them with the crafted payload. Once the vulnerable process or script that parses these logs executes the injected content, the attacker gains elevated privileges via the SUID-enabled /tmp/bash.

We then executed the crafted bash file, which replaced the targeted log files with the injected payload, preparing for privilege escalation once the vulnerable service processes the modified logs.

Running the script produced no immediate effect, suggesting the logs remained unprocessed or required additional conditions.

After some time, the injected payload successfully executed and resulted in the creation of a SUID bash binary inside the /tmp directory, allowing privilege escalation. By running ls -l /tmp/bash, the SUID bit could be confirmed, and executing /tmp/bash -p provided a root shell since the binary retains elevated privileges. From there, commands like id could be used to verify root access, and the final step was reading the root.txt file located in the /root directory to obtain the root flag and complete the exploitation.

The root flag was retrieved by executing the cat root.txt command.

The post Hack The Box: Eureka Machine Walkthrough – Hard Difficulty appeared first on Threatninja.net.

Advanced anonymity on the Internet from scratch

By: seo_spec
7 January 2023 at 14:18

A course for those who care about anonymity online

You will learn how to:

  • Install and configure Linux Mint
  • Work with VPN
  • Install and configure Whonix Workstation and Whonix Gateway in a virtual machine
  • Set up a browser on Whonix Workstation
  • Hack Wi-Fi