dev.titanic.com

I will first register and then sign in.

Account created.

I found mysql credentials in Dev Explorer.

I found software named gitea which is Version control software.

We can see that data is present in gitea/data location.

Previously, I found that there are Path Traversal vulnerabilities present. I will use this to get this file.

I will try to fetch this file.

Copy and paste the URL in the browser. You will see that one file was downloaded. Open the file to see it's content.

In this file, I found the path to a database.

Using same method I will try to fetch/download this DB.

../../../../../../../../../../../home/developer/gitea/data/gitea/gitea.db

We can see that in the response we have SQLite format mentioned meaning the database got fetched. I will click on "Show response in browser". So, that File gets downloaded.

When we open the downloaded file it will open in DB Browser for SQLite.

In the database structure, I found that there is a user table. So, I will extract all the content of this table.

Got the password.

Looks like the password is Hashed and also salted.

HTB: Compiled0xdf hacks stuff

I will be using same command as used in this. This is because password hash algorithm is same in both.

sqlite3 gitea.db "select passwd,salt,name from user" | while read data; do digest=$(echo "$data" | cut -d'|' -f1 | xxd -r -p | base64); salt=$(echo "$data" | cut -d'|' -f2 | xxd -r -p | base64); name=$(echo $data | cut -d'|' -f 3); echo "${name}:sha256:50000:${salt}:${digest}"; done | tee gitea.hashes

Hashes got saved in gitea.hashes.

Cracking it.

hashcat gitea.hashes /usr/share/wordlists/rockyou.txt --user

Previoushttp NextProblem

Last updated 10 months ago

Was this helpful?