This walkthrough highlights the steps used to compromise the Titanic machine on HackTheBox.
We start by discovering and exploring the machine’s running services, then find a Local File Inclusion (LFI) vulnerability, which leads to accessing the Gitea database storage.
From here, we are able to extract hashed passwords, including the developer’s, and use these to log into the machine via SSH.
Running sudo -l shows no direct route to sudo privileges, so we explore folders like /opt and identify a script that uses a vulnerable version of ImageMagick.
This version of ImageMagick is vulnerable to known arbitrary code execution exploits, so we craft a malicious file that executes code when processed.
This ultimately affords us root access.
The walkthrough stresses the importance of keeping software updated and restricting file processing operations.