80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://titanic.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)

We can see that nmap was not able to follow the redirect to the mentioned URL. We need to first add that hostname to our hosts file.
With the target IP stored in the $titanic shell variable:
echo "$titanic titanic.htb" | sudo tee -a /etc/hosts
Now visit the site.

Start Burp Suite and fill in the form for testing purposes.

As soon as I clicked Submit, a ticket was downloaded in JSON format.



Checking for Path traversal [Present]
Now I will send the download request to Repeater.


Looks like the ticket parameter is vulnerable to path traversal.
I will try to display the contents of the SSH server config file.

From the config file, it is clear that no user is blocked from SSH access.
I will be using the curl command for further testing.

Trying to fetch the id_rsa file from the .ssh directory.

We can see that id_rsa is not found, but for authorized_keys we got a 200 OK, which means an authorized key is present.
Since the application is built on Flask, the backend is running Python.
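The traversal above comes from joining a user-supplied ticket name straight onto the download directory. The following Python is an added example, not code from this writeup or from the Titanic box: a minimal "before" handler that reproduces the defect, beside a hardened handler that canonicalises the path and refuses anything outside the ticket directory. The directory layout, file names and contents are constructed for the example, and the function names are hypothetical; Flask/Werkzeug's own safe_join() and send_from_directory() apply the same containment check.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample ticket store: one legitimate ticket inside the download
# directory, one file outside it standing in for /etc/ssh/sshd_config, and a
# symlink inside the store that points outside (a case a name allowlist misses).
TICKET_DIR = Path(tempfile.mkdtemp(prefix="tickets_"))
OUTSIDE_DIR = Path(tempfile.mkdtemp(prefix="outside_"))
(TICKET_DIR / "ticket-1234.json").write_text('{"name": "alice", "cabin": "B12"}')
(OUTSIDE_DIR / "secret.txt").write_text("not for download")
os.symlink(OUTSIDE_DIR / "secret.txt", TICKET_DIR / "link.json")


def vulnerable_download(ticket: str):
    """'Before' handler (hypothetical): joins the user-supplied name straight onto
    the base directory. '../' segments walk out of TICKET_DIR, and an absolute
    ticket value makes os.path.join discard TICKET_DIR entirely."""
    path = os.path.join(TICKET_DIR, ticket)
    if not os.path.isfile(path):
        return 404, ""
    with open(path) as fh:
        return 200, fh.read()


def hardened_download(ticket: str):
    """'After' handler: resolve the final path (following symlinks) and serve it
    only if it is still strictly inside TICKET_DIR. Every failure is a plain 404,
    so traversal probes cannot be told apart from missing tickets."""
    base = TICKET_DIR.resolve()
    try:
        target = (base / ticket).resolve(strict=True)
    except (OSError, RuntimeError):  # missing file, symlink loop, bad name
        return 404, ""
    # Containment check: target must be a descendant of base, never base itself.
    if base not in target.parents:
        return 404, ""
    if not target.is_file():
        return 404, ""
    return 200, target.read_text()


if __name__ == "__main__":
    probes = (
        "ticket-1234.json",
        "../%s/secret.txt" % OUTSIDE_DIR.name,
        str(OUTSIDE_DIR / "secret.txt"),
        "link.json",
    )
    for name in probes:
        print(f"{name!r:55} vulnerable={vulnerable_download(name)[0]} "
              f"hardened={hardened_download(name)[0]}")
```

The check is done on the resolved path rather than on the raw string, which is why the symlink case is caught as well: a filter that only looks for `../` in the parameter would let `link.json` through. Returning the same 404 for "outside the directory" and "does not exist" also removes the 200/404 oracle the writeup used to confirm that authorized_keys exists.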
Checking for RFI [Failed]
Making a reverse shell file to test for RFI.


It's the same code, just with the Python run command removed.
Start the server and the listener.

Checking for vhost [found]

Now, let's check for the dev vhost, but first add it to the hosts file.

