Fix typos

Quentin Rouland 2025-03-24 18:18:17 +01:00
parent 12e2ca11c0
commit 41d64619f3

@ -126,7 +126,7 @@ On `dev.titanic.htb`, we find a Gitea instance running version 1.22.1. Two publi
- `http://dev.titanic.htb/developer/flask-app` (contains code for the Flask app)
- `http://dev.titanic.htb/developer/docker-config` (contains Docker compose for the app)
In the Docker configuration, we found a MySQL configuration with the root password ```MySQLP@$$w0rd!```. However, it didn't seem like the MySQL server was running, so we kept this information but it appeared to be unusable at the moment.
In the Docker configuration, we found a MySQL configuration with the root password ```<SNIP>```. However, it didn't seem like the MySQL server was running, so we kept this information but it appeared to be unusable at the moment.
Additionally, we discovered that Gitea data is located at ```/home/developer/gitea/data/gitea``` in the Docker Compose files. We can use path traversal to access this data.
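Review bot: The old MySQL root password on the removed line stays readable in parent 12e2ca11c0 and in this diff, so replacing it with `<SNIP>` only hides it in the current file view. If the aim is to take the value out of the repository, rewrite or squash the history before publishing instead of adding a commit on top. The replacement also keeps the triple backticks around an inline value, where the rest of the paragraph's inline code would read better with single ones.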
@ -150,19 +150,19 @@ $ cd giteatohashcat/
$ python giteaToHashcat.py ../../gitea.db
[+] Extracting password hashes...
[+] Extraction complete. Output:
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY=
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y=
administrator:sha256:50000:<SNIP>
developer:sha256:50000:<SNIP>
...
```
We focused on the `developer` user, as we identified that there is an SSH user with the same username and a shell. We hoped it used the same password, so we attempted to crack the password `hash` using hashcat.
```bash
hashcat -m 10900 sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= /usr/share/wordlists/rockyou.txt.gz
hashcat -m 10900 sha256:50000:<SNIP> /usr/share/wordlists/rockyou.txt.gz
....
```
After successfully cracking the hash, we get the password `25282528`.
After successfully cracking the hash, we get the password `<SNIP>`.
#### Getting SSH Access
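Review bot: In the `hashcat` line of the bash block, the unquoted `sha256:50000:<SNIP>` is parsed by the shell as an input redirection from a file named SNIP followed by an output redirection onto `/usr/share/wordlists/rockyou.txt.gz`, so a reader who pastes it gets a shell error or, if a file called SNIP exists, an overwritten wordlist. Quote the argument or use a placeholder without angle brackets, for example `'sha256:50000:SALT:DIGEST'`. The context line "crack the password `hash`" also has stray backticks around "hash".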
@ -173,7 +173,7 @@ $ ssh developer@titanic.htb
$ whoami
developer
$ cat user.txt
979fbe270d355153aa5ee87ce670b273
<SNIP>
```
Now we have foothold on the machine and our first user flag.
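Review bot: The unchanged line "Now we have foothold on the machine" after the code block is missing an article, and since this commit is titled "Fix typos" it is a natural place to fix it: "Now we have a foothold on the machine and our first user flag."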
@ -225,7 +225,7 @@ $ whoami
root
$ cd
$ cat root.txt
867da4d778e3cb6d310e60f2ae7366c1
<SNIP>
```
We have gained root access and obtained the root flag!
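Review bot: The subject "Fix typos" does not match this hunk or the ones above it, which only swap flag values, hashes and passwords for `<SNIP>`; none of the visible hunks corrects spelling. Use a subject such as "Redact flags and credentials" so the redaction can be found in the log later.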