Hack The Box

Machine Info

Titanic is an easy-level Linux machine. The initial foothold comes from a Local File Inclusion (LFI) vulnerability, which allows access to sensitive information. Through the LFI, the Gitea database was accessed, revealing a password hash that facilitated gaining user access. For privilege escalation, the machine was vulnerable to arbitrary code execution in the AppImage version of ImageMagick, as detailed in the GitHub security advisory for the AppImage version of ImageMagick. Exploiting this allowed elevation to root, completing the machine's compromise.

Enumeration:

Nmap:

nmap -sC -sV 10.10.11.55 -oA nmap/Titanic
Nmap scan report for 10.10.11.55
Host is up (0.76s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 73:03:9c:76:eb:04:f1:fe:c9:e9:80:44:9c:7f:13:46 (ECDSA)
|_  256 d5:bd:1d:5e:9a:86:1c:eb:88:63:4d:5f:88:4b:7e:04 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://titanic.htb/
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Nmap scan of the target machine 10.10.11.55 reveals two open ports. Port 22 is running OpenSSH 8.9p1 on Ubuntu Linux, indicating an accessible SSH service. This version of OpenSSH has standard security features, so the areas worth checking are weak or default credentials, vulnerabilities specific to this version, and service misconfigurations.

Port 80 is running Apache HTTP Server 2.4.52 on Ubuntu. The server responds with a redirect to http://titanic.htb/, which indicates that a virtual host is configured. To properly access the site, the hostname titanic.htb needs to be mapped to the target IP (10.10.11.55) in the /etc/hosts file. Once mapped, further web enumeration can be conducted by visiting the site and using tools like gobuster, dirb, or feroxbuster to identify hidden directories and files. Running nikto can also help identify misconfigurations, outdated software, or common vulnerabilities in Apache. If HTTPS is discovered, it may be worth investigating SSL/TLS settings for potential weaknesses.
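The hostname mapping described above can be read directly from the scan output. The following is an added example, not part of the original write-up: a small parser for Nmap's normal output that collects open ports and derives the /etc/hosts line from the http-title redirect and the Service Info host. The function names and the embedded sample are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the scan output above.
SAMPLE = """\
Nmap scan report for 10.10.11.55
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://titanic.htb/
Service Info: Host: titanic.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+(?:\.\d+){3})\)?$")
PORT = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s+(\S+)\s*(.*)$")
REDIRECT = re.compile(r"Did not follow redirect to (\S+)")
SVC_HOST = re.compile(r"^Service Info:.*?\bHost: ([^;\s]+)")

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def parse_scan(text):
    """Return {ip: {"ports": [(port, service, version)], "names": [vhost]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := REPORT.match(line):
            current = hosts.setdefault(m.group(1), {"ports": [], "names": []})
        elif current is None:
            continue  # ignore anything before the first host header
        elif m := PORT.match(line):
            current["ports"].append((int(m.group(1)), m.group(2), m.group(3).strip()))
        elif m := REDIRECT.search(line) or SVC_HOST.match(line):
            raw = m.group(1)
            name = ((urlsplit(raw).hostname if "://" in raw else raw) or "").lower()
            # A redirect to a bare IP needs no hosts entry; skip it.
            if name and not is_ip(name) and name not in current["names"]:
                current["names"].append(name)
    return hosts

def hosts_entries(hosts):
    """Format one /etc/hosts line per scanned IP that exposed a hostname."""
    return [f"{ip}\t{' '.join(h['names'])}" for ip, h in hosts.items() if h["names"]]

if __name__ == "__main__":
    print("\n".join(hosts_entries(parse_scan(SAMPLE))))
```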

⛔ This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.


Found a Mistake?

If you notice any errors or have feedback, feel free to email me at ashwin200323@gmail.com. Thanks for your help!