From 41d64619f3ba9c0029afd538c9a973a08fda0d2f Mon Sep 17 00:00:00 2001 From: Quentin Rouland Date: Mon, 24 Mar 2025 18:18:17 +0100 Subject: [PATCH] Fix typos --- posts/2025-03-24-htb-1-titanic.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/posts/2025-03-24-htb-1-titanic.md b/posts/2025-03-24-htb-1-titanic.md index 6f90b2d..6cba339 100644 --- a/posts/2025-03-24-htb-1-titanic.md +++ b/posts/2025-03-24-htb-1-titanic.md @@ -126,7 +126,7 @@ On `dev.titanic.htb`, we find a Gitea instance running version 1.22.1. Two publi - `http://dev.titanic.htb/developer/flask-app` (contains code for the Flask app) - `http://dev.titanic.htb/developer/docker-config` (contains Docker compose for the app) -In the Docker configuration, we found a MySQL configuration with the root password ```MySQLP@$$w0rd!```. However, it didn't seem like the MySQL server was running, so we kept this information but it appeared to be unusable at the moment. +In the Docker configuration, we found a MySQL configuration with the root password ``````. However, it didn't seem like the MySQL server was running, so we kept this information but it appeared to be unusable at the moment. Additionally, we discovered that Gitea data is located at ```/home/developer/gitea/data/gitea``` in the Docker Compose files. We can use path traversal to access this data. @@ -150,19 +150,19 @@ $ cd giteatohashcat/ $ python giteaToHashcat.py ../../gitea.db [+] Extracting password hashes... [+] Extraction complete. Output: -administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY= -developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= +administrator:sha256:50000: +developer:sha256:50000: ... ``` We focused on the `developer` user, as we identified that there is an SSH user with the same username and a shell. We hoped it used the same password, so we attempted to crack the password `hash` using hashcat. ```bash -hashcat -m 10900 sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= /usr/share/wordlists/rockyou.txt.gz +hashcat -m 10900 sha256:50000: /usr/share/wordlists/rockyou.txt.gz .... ``` -After successfully cracking the hash, we get the password `25282528`. +After successfully cracking the hash, we get the password ``. #### Getting SSH Access @@ -173,7 +173,7 @@ $ ssh developer@titanic.htb $ whoami developer $ cat user.txt -979fbe270d355153aa5ee87ce670b273 + ``` Now we have foothold on the machine and our first user flag. @@ -225,7 +225,7 @@ $ whoami root $ cd $ cat root.txt -867da4d778e3cb6d310e60f2ae7366c1 + ``` We have gained root access and obtained the root flag!