{"id":601,"date":"2025-09-01T02:15:43","date_gmt":"2025-09-01T02:15:43","guid":{"rendered":"https:\/\/infosecjake.net\/?p=601"},"modified":"2025-09-01T02:15:46","modified_gmt":"2025-09-01T02:15:46","slug":"hackthebox-titanic-walkthrough","status":"publish","type":"post","link":"https:\/\/infosecjake.net\/?p=601","title":{"rendered":"HackTheBox – Titanic Walkthrough"},"content":{"rendered":"\n

Back again with another HackTheBox machine. This time, an easy box called Titanic.<\/p>\n\n\n\n

As usual, let\u2019s start off with our trusty nmap scan.<\/p>\n\n\n\n

\"nmap<\/figure>\n\n\n\n

Pretty standard open ports from what we\u2019ve seen with other HTB boxes. We have an SSH port open, likely for connecting when we get an actual account and then a web service running.<\/p>\n\n\n\n

Let\u2019s add this to our \/etc\/hosts file and take a look at the website.<\/p>\n\n\n\n

\"etc\/hosts\"<\/figure>\n\n\n\n

Now, let\u2019s browse to http:\/\/titanic.htb and take a look around the site.<\/p>\n\n\n\n

\"website<\/figure>\n\n\n\n

Pretty simple webpage, only the \u2018Home\u2019 button and \u2018Book Now\u2019 button appear to be working. The \u2018Book Now\u2019 button does pop up a form that we can fill out. Maybe there\u2019s something there with what the form sends off. However, let\u2019s do some directory browsing with dirb and see if we can find anything else on this site.<\/p>\n\n\n\n

\"dirb\"<\/figure>\n\n\n\n

Looks like we have three directories it found. Book, download, and server-status. The \/book appears to be part of the \u2018Book Now\u2019 button and \/server-status gets us nowhere as it shows forbidden. Lastly, we have the \/download directory. Browsing to that brings us to the below page.<\/p>\n\n\n\n

\"download<\/figure>\n\n\n\n

\u201cTicket parameter is required\u201d. This appears to be requiring some input to download. This also appears like it\u2019s a JSON response on an API endpoint. So, we need to pass this some sort of ticket parameter in order to get something back.<\/p>\n\n\n\n

However, as I\u2019ve said before\u2026let\u2019s try a different directory browsing tool just in case we\u2019re missing something here. <\/p>\n\n\n\n

Tried out a new tool, ferric oxide\u2026pretty neat. However, still nothing new other than \/static\/assets\/.<\/p>\n\n\n\n

\"ferric<\/figure>\n\n\n\n

Also tried ffuf, but nothing new there.<\/p>\n\n\n\n

So, with that coming to a bit of a dead end\u2026.There may be something in the \/download portion we found previously. Let\u2019s go through the booking process and capture that in Burp to see what happens.<\/p>\n\n\n\n

\"Burp\"<\/figure>\n\n\n\n

We will fill out the form with some generic details and ensure we\u2019ve got intercept on.<\/p>\n\n\n\n

\"burp<\/figure>\n\n\n\n

Our intercepted request shows the details we are sending off to the server. Let\u2019s send this to repeater and go from there.<\/p>\n\n\n\n

\"Sending<\/figure>\n\n\n\n

In Repeater we can send the request and immediately see the response back from the server.<\/p>\n\n\n\n

\"Repeater<\/figure>\n\n\n\n

Notice the \/download link that includes a ticket. If we go to that URL now we then get a download for a JSON ticket.<\/p>\n\n\n\n

\"Ticket<\/figure>\n\n\n\n

However, this makes me wonder\u2026.could we change this download to something different?<\/p>\n\n\n\n

\"LFI<\/figure>\n\n\n\n

Sure enough, we can use this as a local file inclusion vulnerability. However, the \/etc\/passwd file doesn\u2019t give us a lot.<\/p>\n\n\n\n

\"passwd<\/figure>\n\n\n\n

It does show us there is a developer user. With that in mind\u2026let\u2019s see if we can find a user.txt file in the developer\u2019s home folder. (I wasn\u2019t sure what _laurel was so I had to google it, laurel is an event audit plugin, basically it creates audit logs for security\u2026.so I learned something new)<\/p>\n\n\n\n

\"download<\/figure>\n\n\n\n

Sure enough, here\u2019s the user flag.<\/p>\n\n\n\n

\"user<\/figure>\n\n\n\n

Entering that shows we have user flag. Now, lets continue to see what else we can do.<\/p>\n\n\n\n

Here I kind of hit a roadblock. We can download files from the host system but that will only get us so far, especially when we have to know what files are there to download.<\/p>\n\n\n\n

I spent some time looking into a good way to do subdomain directory brute forcing and this resulted in me just using gobuster. I did this initially with a different wordlist and made the mistake of not outputting it to a text file. Next, I outputted it to a text file on my desktop to better be able to browse. Additionally, for a CTF box like this, you will need to use the gobuster flag \u2018vhost\u2019 so that it doesn\u2019t try looking up DNS response. Since this is a CTF box and there won\u2019t be any DNS responses, running it without the vhost flag will fail.<\/p>\n\n\n\n

\"gobuster\"<\/figure>\n\n\n\n

After a bit, I opened up the file and looked for responses with a code of 30X. Anything with a 40X indicates it was a bad request.<\/p>\n\n\n\n

After a bit of digging I noticed \u2018dev\u2019 got a positive response from the server. So, I added dev.titanic.htb to our \/etc\/hosts file and lets browse that site.<\/p>\n\n\n\n

\"dev<\/figure>\n\n\n\n

Simply hitting the \u2018Explore\u2019 lets us anonymously view repositories here.<\/p>\n\n\n\n

\"Viewing<\/figure>\n\n\n\n

We have docker-config and flask-app. In the flask-app we can see the app.py code that allows us to do the local file inclusion above. This Gitea instance also appears to be installed into \u2018developer\u2019 home directory based on the README in the git.<\/p>\n\n\n\n

After reading the Gitea documentation, it shows the config file location – https:\/\/docs.gitea.com\/installation\/install-with-docker#customization<\/a><\/p>\n\n\n\n

It notes that \/data\/gitea\/conf\/app.ini will be the config file location. If this is in \u2018developer\u2019 directory then we can use the local file inclusion vulnerability to download it.<\/p>\n\n\n\n

Let\u2019s try!<\/p>\n\n\n\n

\"config<\/figure>\n\n\n\n
\"config<\/figure>\n\n\n\n

Looks like we have the config file!<\/p>\n\n\n\n

It does look like we have a database file we could download.<\/p>\n\n\n\n

\"database\"<\/figure>\n\n\n\n

Let\u2019s see if we can download that as well\u2026<\/p>\n\n\n\n

\"db<\/figure>\n\n\n\n

Now that we downloaded, lets try opening this up in SQLite db viewer.<\/p>\n\n\n\n

\"sql<\/figure>\n\n\n\n

In the \u2018Database Structure\u2019 column we can find the \u2018user\u2019 table. Let\u2019s right click that and click \u2018Browse Table\u2019<\/p>\n\n\n\n

\"users\"<\/figure>\n\n\n\n

Now we see that we have three users with their passwords. We can also query this from command line with sqlite3. However, we\u2019re simply going to copy and paste into a text file, as shown below.<\/p>\n\n\n\n

\"hashed<\/figure>\n\n\n\n

Now, let\u2019s try hashcat\u2026<\/p>\n\n\n\n

Well\u2026initial tries with hashcat weren\u2019t working\u2026so I spent some time googling on this.<\/p>\n\n\n\n

I found this nice write up on cracking gitea passwords. https:\/\/www.unix-ninja.com\/p\/cracking_giteas_pbkdf2_password_hashes<\/a><\/p>\n\n\n\n

So, I copied the gitea2hashcat.py script to my desktop and walked through the same process as the documentation above.<\/p>\n\n\n\n

Query the db from where I downloaded it. Just an FYI, I renamed it to \u2018gitea1.db\u2019 instead of the super long name it downloaded as. Makes things simpler \ud83d\ude09<\/p>\n\n\n\n

\"sql<\/figure>\n\n\n\n

Ok, so this part is a bit tricky\u2026.we first have to run our python script\u2026<\/p>\n\n\n\n

\"script<\/figure>\n\n\n\n

Then we copy\/past the hash from the SQLite query\u2026<\/p>\n\n\n\n

\"copy<\/figure>\n\n\n\n

Ensure you don\u2019t copy the :pbkdf2 section for the algorithm.<\/p>\n\n\n\n

Now paste it\u2026<\/p>\n\n\n\n

\"pasting<\/figure>\n\n\n\n

After pasting it\u2019ll give us the output right below\u2026it can be hard to miss.<\/p>\n\n\n\n

Now we use hashcat to crack\u2026<\/p>\n\n\n\n

\"starting<\/figure>\n\n\n\n
\"hash<\/figure>\n\n\n\n

Now, we have a password. Let\u2019s see if we can connect via SSH with the developer username and the password we just got.<\/p>\n\n\n\n

\"login<\/figure>\n\n\n\n

We are finally in!<\/p>\n\n\n\n

Next, let\u2019s run linpeas and see what we can find. As a note, I curl linpeas from the victim machine to my attacker machine where I have it hosted on a simple python webserver. If you want to see how I do that then check out my other HTB write up for Underpass as I walk through how to do that. It\u2019s really simple though.<\/p>\n\n\n\n

\"linpeas<\/figure>\n\n\n\n

Now, we let it run and figure out what could be an avenue for privilege escalation\u2026<\/p>\n\n\n\n

\"Interesting<\/figure>\n\n\n\n

Some interesting files that it\u2019s calling out. Let\u2019s take a look at this \/opt\/app\/static\/ directories\u2026<\/p>\n\n\n\n

Digging around and found the \/images directory. Right inside is the root.txt file and it\u2019s not restricted to root access only\u2026so with simple user access we are able to read the root.txt file.<\/p>\n\n\n\n

\"Root<\/figure>\n\n\n\n

I\u2019m a little bummed out on this, to be honest with you. I was expecting a privilege escalation technique to be able to read the root.txt file. However, a win is a win and we\u2019ll take it.<\/p>\n\n\n\n

Additionally, I wanted to show that you can also just search for root.txt and find the file.<\/p>\n\n\n\n

\"Finding<\/figure>\n\n\n\n

Well, this was a bit different than what was expected\u2026but we were able to get both flags and finish this box. However, I wouldn\u2019t call this a true root pwn as we never actually got root access. I\u2019m unsure if this was intentional or someone left this file in the directory. However, we could have continue to try privilege escalation techniques to see if we could get actual root.<\/p>\n\n\n\n

Hope you enjoyed the walkthrough! Until next time!<\/p>\n","protected":false},"excerpt":{"rendered":"

Back again with another HackTheBox machine. This time, an easy box called Titanic. As usual, let\u2019s start off with our<\/p>\n

Continue readingHackTheBox – Titanic Walkthrough<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":639,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[31],"tags":[33,42,34],"class_list":["post-601","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ctf-challenge-walkthroughs","tag-ctf","tag-hackthebox","tag-walkthrough"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/infosecjake.net\/wp-content\/uploads\/2025\/09\/titanic.png","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/601","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=601"}],"version-history":[{"count":1,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/601\/revisions"}],"predecessor-version":[{"id":638,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/posts\/601\/revisions\/638"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=\/wp\/v2\/media\/639"}],"wp:attachment":[{"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=601"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=601"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosecjake.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=601"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}