# Technical Report

## <mark style="color:purple;">Technical Security Report: "Titanic" System</mark>

### <mark style="color:purple;">Purpose of the Report</mark>

This document provides a detailed technical assessment of the Titanic machine from [HackTheBox](https://www.hackthebox.com/machines/titanic). The goal of this assessment was to identify security vulnerabilities, exploit them, and provide recommendations to mitigate potential risks.

***

### <mark style="color:purple;">Methodology</mark>

The security evaluation followed a structured penetration testing approach:

1. **Reconnaissance:** Identifying open ports and services using scanning tools.
2. **Enumeration:** Gathering information on the web application and system configuration.
3. **Exploitation:** Utilizing known vulnerabilities to gain unauthorized access.
4. **Privilege Escalation:** Escalating privileges to gain root access to the system.

***

### <mark style="color:purple;">Detailed Findings</mark>

#### 1. Reconnaissance

**Tool Used:** `nmap`\
**Command Executed:**

```bash
sudo nmap -F -T5 -sCV <ip_target>
```

**Results:**

* **Port 80:** Open (Apache httpd 2.4.52)
* **Port 22:** Open (OpenSSH 8.9p1 3ubuntu0.10)

#### 2. Enumeration

* **Web Enumeration:**
  * Accessing `http://<ip_target>:80` redirected to `titanic.htb`.
  * Added `titanic.htb` to `/etc/hosts` for proper resolution.
  * Navigating the website revealed a functional "Book Your Trip" form that generated a JSON file.
* **Directory Bruteforcing:**
  * **Tool Used:** `gobuster`
  * **Command Executed:** `gobuster dir -u http://titanic.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
  * **Results:** Found `/download` and `/book` directories.

#### 3. Exploitation

* **Local File Inclusion (LFI):**
  * Exploited `/download?ticket=../../../../etc/passwd` to retrieve sensitive system files.
  * Retrieved `/etc/hosts`, which revealed the `dev.titanic.htb` subdomain.
  * Accessed `dev.titanic.htb` and discovered a Gitea service.
  * Created a test account and found a repository containing MySQL credentials.
  * MySQL was not reachable, so the search for sensitive files continued.
  * Found `gitea.db` via LFI: `/download?ticket=/home/developer/gitea/data/gitea/gitea.db`.
  * Extracted user hash and salt, cracked password using hashcat.
  * **Hashcat Command:** `hashcat -m 10900 hashdeveloper.txt /usr/share/wordlists/rockyou.txt`
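The traversal requests above leave a distinctive trail in the web server's access log. The following Python script is an added example, not part of the original report, that parses Apache combined-format log lines and flags `/download` requests whose `ticket` parameter contains a traversal sequence (including URL-encoded and double-encoded forms) or an absolute path. The endpoint and parameter name come from the report; the log lines, client addresses, timestamps and ticket names are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines for illustration; they are not from the
# assessed host. Client addresses, ticket names and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [18/Feb/2025:10:01:02 +0000] "GET /book HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Feb/2025:10:01:09 +0000] "GET /download?ticket=3f2a9c1e.json HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Feb/2025:10:02:41 +0000] "GET /download?ticket=../../../../etc/passwd HTTP/1.1" 200 1798 "-" "curl/8.5.0"
10.10.14.5 - - [18/Feb/2025:10:02:55 +0000] "GET /download?ticket=%2e%2e%2f%2e%2e%2fetc%2fhosts HTTP/1.1" 200 221 "-" "curl/8.5.0"
10.10.14.5 - - [18/Feb/2025:10:05:13 +0000] "GET /download?ticket=/home/developer/gitea/data/gitea/gitea.db HTTP/1.1" 200 2158592 "-" "python-requests/2.31"
"""

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def traversal_reason(value: str) -> Optional[str]:
    """Return why a ticket value looks like a file-disclosure attempt, or None."""
    # parse_qs already removed one layer of percent-encoding; decode once more so
    # double-encoded sequences (%252e%252e) are caught, and treat backslashes as
    # separators as well.
    decoded = unquote(value).replace("\\", "/")
    if "\x00" in decoded:
        return "null byte"
    if decoded.startswith("/"):
        return "absolute path"
    if ".." in decoded.split("/"):
        return "path traversal"
    return None


def scan_access_log(text: str) -> list:
    """Flag /download requests whose ticket parameter escapes the ticket directory."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != "/download":
            continue
        for ticket in parse_qs(parts.query, keep_blank_values=True).get("ticket", []):
            reason = traversal_reason(ticket)
            if reason:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "ticket": unquote(ticket),
                    "status": int(m.group("status")),
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['reason']}: ticket={f['ticket']!r} status={f['status']}")
```

A 200 status on a flagged request is the signal that matters: a traversal attempt that the application answered successfully means a file outside the intended directory was very likely served, and the size column then hints at what was read.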

#### 4. Privilege Escalation

* Searched `/opt` directory and found `identify_images.sh` script.
* Discovered an ImageMagick binary vulnerable to CVE-2024-41817 (arbitrary code execution).
* Created a malicious shared library to execute arbitrary commands.
* Executed the payload and obtained root access and the root flag.

***

### <mark style="color:purple;">Recommendations</mark>

* **Short-term Actions:**
  * Implement proper file validation to prevent LFI vulnerabilities.
  * Enforce strict password policies and use multi-factor authentication.
  * Regularly update and patch software, including ImageMagick.
* **Long-term Actions:**
  * Conduct regular security assessments and code reviews.
  * Implement network segmentation to isolate sensitive services.
  * Train staff on secure coding and vulnerability mitigation.
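To make the first short-term action concrete, here is an added Python example (not code from the original report or from the assessed application) showing the vulnerable join beside a hardened lookup for the `/download?ticket=` endpoint described above. `TICKET_DIR`, the ticket-name pattern and the function names are assumptions; the two payload shapes exercised in the tests are the ones the report used.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed location of the JSON files the booking form writes; the real path on the
# assessed host is not given in the report.
TICKET_DIR = Path("/opt/app/tickets")

# Tickets are expected to be opaque names ending in .json. Anything containing a
# separator, a percent sign or an extra dot is rejected before the filesystem is touched.
TICKET_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.json")


def unsafe_ticket_path(ticket: str) -> Path:
    """The vulnerable pattern: the caller-controlled name is joined onto the base.

    '../../../../etc/passwd' walks out of TICKET_DIR, and an absolute name such as
    '/home/developer/gitea/data/gitea/gitea.db' replaces the base entirely, because
    pathlib (like os.path.join) discards the left side when the right side is absolute.
    """
    return TICKET_DIR / ticket


def safe_ticket_path(ticket: str) -> Optional[Path]:
    """Return the on-disk path for a ticket, or None if the name is not acceptable."""
    # 1. Allow-list the name: no separators, no encoded characters, no '..'.
    if not TICKET_NAME.fullmatch(ticket):
        return None
    # 2. Defence in depth: canonicalise both sides (this follows symlinks) and confirm
    #    the candidate still sits directly inside the ticket directory.
    base = TICKET_DIR.resolve()
    candidate = (base / ticket).resolve()
    if candidate.parent != base:
        return None
    return candidate


def read_ticket(ticket: str) -> Optional[bytes]:
    """Serve a ticket only when its name passed validation and the file exists."""
    path = safe_ticket_path(ticket)
    if path is None or not path.is_file():
        return None
    return path.read_bytes()
```

The allow-list is the primary control; the canonicalised parent check is there so that a later change to the pattern (or a symlink dropped into the ticket directory) cannot quietly reopen the hole. Returning `None` for every rejection lets the HTTP layer answer with a plain 404 without echoing the offending name back to the client.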

***

### <mark style="color:purple;">Conclusion</mark>

The assessment of the Titanic machine demonstrated multiple security vulnerabilities, including LFI and arbitrary code execution. Addressing these issues through regular updates, secure authentication, and access control measures will significantly enhance the system’s security posture and reduce the risk of exploitation.
