Technical Report

Detailed analysis for technical teams, covering methodologies, tools, and findings.

Technical Security Report: "Titanic" System

Purpose of the Report

This document provides a detailed technical assessment of the Titanic machine from HackTheBox. The goal of this assessment was to identify security vulnerabilities, exploit them, and provide recommendations to mitigate potential risks.


Methodology

The security evaluation followed a structured penetration testing approach:

  1. Reconnaissance: Identifying open ports and services using scanning tools.

  2. Enumeration: Gathering information on the web application and system configuration.

  3. Exploitation: Utilizing known vulnerabilities to gain unauthorized access.

  4. Privilege Escalation: Escalating privileges to gain root access to the system.


Detailed Findings

1. Reconnaissance

Tool Used: nmap

Command Executed:

sudo nmap -F -T5 -sCV <ip_target>

Results:

  • Port 80: Open (Apache httpd 2.4.52)

  • Port 22: Open (OpenSSH 8.9p1 3ubuntu0.10)

2. Enumeration

  • Web Enumeration:

    • Accessing http://<ip_target>:80 redirected to titanic.htb.

    • Added titanic.htb to /etc/hosts for proper resolution.

    • Navigating the website revealed a functional "Book Your Trip" form that generated a JSON file.

  • Directory Bruteforcing:

    • Tool Used: gobuster

    • Command Executed: gobuster dir -u http://titanic.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

    • Results: Found /download and /book directories

3. Exploitation

  • Local File Inclusion (LFI):

    • Exploited /download?ticket=../../../../etc/passwd to retrieve sensitive system files.

    • Retrieved /etc/hosts, revealing dev.titanic.htb subdomain.

    • Accessed dev.titanic.htb and discovered Gitea service.

    • Created a test account, found a repository with MySQL credentials.

    • Unable to access MySQL, continued to search for sensitive files.

    • Found gitea.db via LFI: /download?ticket=/home/developer/gitea/data/gitea/gitea.db.

    • Extracted user hash and salt, cracked password using hashcat.

    • Hashcat Command: hashcat -m 10900 hashdeveloper.txt /usr/share/wordlists/rockyou.txt

4. Privilege Escalation

  • Searched /opt directory and found identify_images.sh script.

  • Discovered ImageMagick binary vulnerable to CVE-2024-41817 (Arbitrary Code Execution).

  • Created a malicious shared library to execute arbitrary commands.

  • Executed payload, obtained root access and the root flag.


Recommendations

  • Short-term Actions:

    • Implement proper file validation on the /download endpoint (accept only a bare ticket filename confined to the intended directory, rejecting traversal sequences and absolute paths) to prevent LFI vulnerabilities.

    • Enforce strict password policies and use multi-factor authentication.

    • Regularly update and patch software, including ImageMagick.

  • Long-term Actions:

    • Conduct regular security assessments and code reviews.

    • Implement network segmentation to isolate sensitive services.

    • Train staff on secure coding and vulnerability mitigation.
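The following is an added illustration of the first short-term recommendation, not code from the Titanic machine or its author: a naive ticket-path resolver of the kind that permits the /download?ticket=../../../../etc/passwd and absolute-path reads described under Exploitation, beside a hardened resolver, plus a small detector for such requests in Apache access logs. The TICKETS_DIR location, the function names and the log lines are assumptions constructed for the example.

```python
import os
import re
from pathlib import Path
from urllib.parse import unquote
TICKETS_DIR = Path("/opt/app/tickets")  # assumed location of the booking JSON files

def resolve_ticket_vulnerable(ticket: str) -> str:
    # Naive join: "../../../../etc/passwd" walks out of TICKETS_DIR, and an absolute value
    # replaces the base entirely, since os.path.join drops earlier parts once a part starts with "/".
    return os.path.join(str(TICKETS_DIR), ticket)

def resolve_ticket_hardened(ticket: str) -> Path:
    # Accept only a bare filename with the expected suffix: no separators, no "." or "..".
    if not ticket or ticket != os.path.basename(ticket) or ticket in (".", ".."):
        raise ValueError("invalid ticket name")
    if not ticket.endswith(".json"):
        raise ValueError("unexpected file type")
    # Containment check after symlink resolution, so a symlink planted inside the
    # directory cannot redirect the read outside it either.
    base = TICKETS_DIR.resolve()
    candidate = (base / ticket).resolve()
    if candidate.parent != base:
        raise ValueError("path escapes ticket directory")
    return candidate

def is_safe_ticket(ticket: str) -> bool:
    try:
        resolve_ticket_hardened(ticket)
        return True
    except ValueError:
        return False

# Detection side: flag /download requests whose URL-decoded ticket value contains a
# traversal sequence or an absolute path (Apache combined log format assumed).
_REQ = re.compile(r'"GET /download\?ticket=([^ "]+) HTTP')
def suspicious_tickets(log_lines):
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if m:
            ticket = unquote(m.group(1))
            if ".." in ticket or ticket.startswith("/"):
                hits.append(ticket)
    return hits
SAMPLE_LOG = [  # constructed sample lines, not taken from the machine
    '10.10.14.5 - - [01/Jan/2025:10:00:00 +0000] "GET /download?ticket=abc123.json HTTP/1.1" 200 512',
    '10.10.14.5 - - [01/Jan/2025:10:00:01 +0000] "GET /download?ticket=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.10.14.5 - - [01/Jan/2025:10:00:02 +0000] "GET /download?ticket=%2Fhome%2Fdeveloper%2Fgitea%2Fdata%2Fgitea%2Fgitea.db HTTP/1.1" 200 90112',
]
```

Percent-decoding before the check matters because an encoded `%2e%2e/` or `%2F` sequence would otherwise slip past a literal string match.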


Conclusion

The assessment of the Titanic machine demonstrated multiple security vulnerabilities, including LFI and arbitrary code execution. Addressing these issues through regular updates, secure authentication, and access control measures will significantly enhance the system’s security posture and reduce the risk of exploitation.
