Machine Synopsis
Titanic is an easy-difficulty Linux machine that features an Apache server listening on port 80. The website on port 80 advertises the amenities of the legendary Titanic ship and allows users to book trips. Fuzzing identifies a second vHost, which points to a `Gitea` server. The Gitea server allows registrations, and exploration of the available repositories reveals some interesting information, including the location of the mounted data folder for `Gitea`, which runs via a Docker container. Back on the original website, the booking functionality is found to be vulnerable to an Arbitrary File Read, and by combining this with the directory identified from Gitea, it is possible to download the Gitea SQLite database locally. This database contains hashed credentials for the `developer` user, which can be cracked. The credentials can then be used to log in to the remote system over SSH. Enumeration of the file system reveals that a script in the `/opt/scripts` directory is being executed every minute. This script runs the `magick` binary to gather information about specific images. This version of `magick` is found to be vulnerable to an arbitrary code execution vulnerability assigned [CVE-2024-41817](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41817). Successful exploitation of this vulnerability results in elevation of privileges to the `root` user.
Machine Matrix