HTB Era exposes FTP and HTTP. VHOST enumeration reveals file.era.htb with a vulnerable file manager. An IDOR leaks a full backup, SQLite DB, and OpenSSL keys. Cracked creds and an unsafe admin-only PHP wrapper enable RCE. Abusing security questions grants admin, and a signed cron-executed binary leads to root access.