Titanic is a Hack The Box machine released on 15 Feb 2025
Summary (How?)
Titanic hosts a web application with a Local File Inclusion (LFI) vulnerability, which allowed me to read sensitive files, including /etc/hosts, which revealed a second virtual host, dev.titanic.htb. That led to a Gitea instance where I found configuration files exposing the path to Gitea's database. Using the same LFI, I downloaded the database, extracted the password hashes for the developer user, and cracked them to gain SSH access to the machine as developer.
These are the general things we will be enumerating in the process below:
OS
OS Version
Kernel Version
Services
Running Services: ps aux | grep root
Installed Packages and Versions
User
whoami, id, hostname
User Home Directories
Sudo Privileges: sudo -l
Files & Directories
Configuration files: .conf & .config
Readable Shadow File
Password Hashes in /etc/passwd (more common on embedded devices and routers)
Writeable Directories
Writeable Files
SETUID and SETGID Permissions
Cron Jobs
Under: /etc/cron*
File Systems
Unmounted File Systems and Additional Drives
File Systems & Additional Drives
Process of enumeration
1. Gaining Situational Awareness
whoami
id
hostname
cat /etc/os-release
echo $PATH
env
uname -a
lscpu
cat /etc/shells
lsblk # block devices
lpstat # printers
cat /etc/fstab
# network information
route
arp -a
cat /etc/passwd
cat /etc/passwd | cut -f1 -d: # usernames
grep "*$" /etc/passwd
cat /etc/group
getent group sudo
ls /home
# file systems
df -h
# unmounted fs
cat /etc/fstab | grep -v "#" | column -t
# hidden files for $USER (note the space before \; - find needs it as a separate argument)
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep $USER
# setuid files
find / -perm -4000 -exec ls -ldb {} \; 2>/dev/null
find / -perm -4000 -type f -exec ls -l {} \; 2>/dev/null
# setgid files owned by root
find / -uid 0 -perm -6000 -type f 2>/dev/null
# hidden directories
find / -type d -name ".*" -ls 2>/dev/null
ls /var/tmp # data retained 30 days
ls /tmp # data retained 10 days or until system reboot
2. Linux Services & Internals Enumeration
ip a
cat /etc/hosts
lastlog # users' last login
who # check who's logged in
finger
history
# finding history files
find / -type f \( -name "*_hist" -o -name "*_history" \) -exec ls -l {} \; 2>/dev/null
# Cronjobs
ls -la /etc/cron.*/
cat /etc/crontab
# writeable files (check for cronjob abuse)
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
# proc filesystem is a virtual fs that contains info about system processes, hw, system info
find /proc -name cmdline -exec cat {} \; 2>/dev/null | tr " " "\n"
# list of installed packages
apt list --installed | tr "/" " " | cut -d" " -f1,3 | sed 's/[0-9]://g' | tee -a installed_pkgs.list
sudo -V # sudo version
ls -l /bin /usr/bin/ /usr/sbin/ # list of binaries
# compare available binaries against GTFOBins
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/
# analyze system calls and signal processing
strace ping -c1 IP
# configuration files
find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
# Scripts
find / -type f -name "*.sh" 2>/dev/null | grep -v "src\|snap\|share"
# running services by user
ps aux | grep root
Find all possible configuration files on the system:
for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
Run the scan directly on each file found with the specified file extension and output the matching lines. In this example, we search for three words (user, password, pass) in each file with the extension .cnf, dropping commented-out lines:
for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" $i 2>/dev/null | grep -v "\#";done
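As an added example (not from the original notes), the credential search above rewritten so it copes with file names that contain spaces, which the `for i in $(find ...)` loop word-splits on. It assumes a `find` and `grep` that support `-exec ... {} +` and `-H`, and builds its own small constructed sample tree so it can be tried offline before pointing it at `/` on a real host.

```shell
#!/bin/sh
# Added example: scan configuration files for credential keywords.
# Not part of the original notes; assumes find/grep with -H and -exec ... {} +.
# The original for-loop over $(find ...) word-splits on spaces in file names;
# letting find hand the paths to grep via -exec avoids that entirely.

# scan_configs ROOT EXT... : for every *EXT file under ROOT (skipping lib/,
# share/ and doc/ trees, as the original grep -v does), print
# "path:line:content" for each line mentioning user, password or pass,
# dropping lines that are commented out with # or ;.
scan_configs() {
  root=$1
  shift
  for ext in "$@"; do
    find "$root" -type f -name "*$ext" \
      ! \( -path '*/lib/*' -o -path '*/share/*' -o -path '*/doc/*' \) \
      -exec grep -inH -e user -e password -e pass -- {} + 2>/dev/null
  done | grep -v -e ':[0-9]*:[[:space:]]*#' -e ':[0-9]*:[[:space:]]*;' || true
}

# make_sample_tree: build a constructed directory tree (sample data, not real
# system files) and print its path, so the scan can be exercised offline.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc" "$d/app" "$d/usr/lib"
  # two real hits plus one commented-out line that must be ignored
  printf '%s\n' '[client]' '# password = not_real' 'user = dbadmin' 'password = S3cret!' > "$d/etc/my.cnf"
  # file name with a space: one hit
  printf '%s\n' 'listen = 8080' 'db_pass = hunter2' > "$d/app/web app.conf"
  # under lib/: excluded by the path filter
  printf '%s\n' 'password = ignored' > "$d/usr/lib/skipme.conf"
  # wrong extension: never examined
  printf '%s\n' 'password = nope' > "$d/README.txt"
  printf '%s\n' "$d"
}

# Demo: sh scan_configs.sh --demo   (on a real host: scan_configs / .cnf .conf .config)
if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_tree)
  scan_configs "$sample" .cnf .conf
  rm -rf "$sample"
fi
```

On the sample tree this prints three lines: the `user` and `password` entries from `etc/my.cnf` and the `db_pass` line from `app/web app.conf`; the commented-out password, the file under `usr/lib/`, and the `.txt` file are all skipped. Extend the `-e` patterns (for example `secret`, `token`, `key`) as the target warrants.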
We gain initial access to the internal Active Directory environment through a web shell. We begin by enumerating the host and retrieving the first flag located on the administrator’s desktop. Using the compromised host, the web shell, and Ligolo-ng, we pivot into the internal network.
During internal enumeration, we discover a host named MS01. We compromise the local administrator account on this machine using a Pass-the-Hash attack, leveraging NTLM hashes obtained from the initial foothold.
ISO 27001 is an international standard that defines general requirements and establishes that you must implement specific security controls as part of an Information Security Management System (ISMS); it does not detail how to do so. It indicates which controls are necessary to manage information security risks effectively.
It applies to all types of organizations in which information is an asset on which the organization's objectives and results depend.
sqlmap is an open-source penetration testing tool designed to automate the detection and exploitation of SQL injection vulnerabilities in web applications. It supports a wide range of SQL injection techniques, including boolean-based, time-based, error-based, and UNION query-based attacks.
The goal of this module is to introduce us to the tool and to how it is useful in real-world scenarios where SQLi is feasible. That is why, in this writeup, the key is finding the vulnerable parameter.
Notes used for my presentation on post-quantum cryptography, with which I graduated as a Computer Engineer 🎓
Introduction / PQC context
Public-key cryptography relies on mathematical functions that are "easy to do and hard to undo". The most widely used variants so far are vulnerable to Shor's algorithm:
RSA: factoring into primes
Diffie-Hellman: the discrete logarithm problem
If the mathematical problem can be solved, the cryptography can be broken.
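The dependence on the hard problem stated above, shown on a worked textbook-sized RSA instance (an added illustration, not part of the original notes; the numbers are chosen for illustration only):

Take $p = 61$, $q = 53$, so $n = pq = 3233$ and $\varphi(n) = (p-1)(q-1) = 60 \cdot 52 = 3120$. With public exponent $e = 17$, the private exponent is
$$d \equiv e^{-1} \pmod{\varphi(n)} = 2753, \qquad \text{since } 17 \cdot 2753 = 46801 = 15 \cdot 3120 + 1.$$
An attacker who sees only $(n, e) = (3233, 17)$ cannot compute $\varphi(n)$ without $p$ and $q$; one who can factor $n$ (infeasible classically at real key sizes, polynomial time with Shor's algorithm on a sufficiently large quantum computer) recovers $\varphi(n)$ and hence $d$ immediately. Likewise, for Diffie-Hellman with public $g, p$ and exchanged values $A = g^{a} \bmod p$ and $B = g^{b} \bmod p$, recovering $a$ from $A$ (the discrete logarithm) yields the shared secret $B^{a} \bmod p$.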