Skip to main content
  1. HTB/
  2. Machines/

Artificial

·4 mins·
HTB Machines
Broder
Author
Broder
Only the ones who have a true passion for mastering security truly stand out.
Table of Contents
Explore how to compromise a machine that hosts machine learning models built with Keras.

Exploitation Walkthrough
#

Port Scan Results
#

The target system exposes the following open ports and services:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Artificial - AI Solutions
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Initial Recon
#

Result from browser

→ Add the following entry to your hosts file 10.10.11.74 artificial.htb

After reviewing artificial.htb, I found several interactive features available:

  • Account registration and login
  • Uploading and executing machine learning models
  • A downloadable template.py for building models in .h5 (Keras) format

Upload model

Run model

The most significant risk lies in the server’s ability to execute user-uploaded machine learning models. It’s unclear whether any validation or filtering is performed before these models are run. This behavior presents a promising attack surface and is worth investigating for potential vulnerabilities.

Exploiting Model Execution
#

Research
#

After a bit of Googling, I found several resources suggesting that this functionality could be exploitable.

Prepare payload
#

I created two payloads: one to test command injection by triggering a sleep delay, and another to establish a reverse shell.

Reverse shell established successfully.

User Account Owned
#

After gaining a shell as the app user, I accessed the server-side code to analyze it further and identify the underlying vulnerability.

Using server_upload.py to receive data app.tar.gz .

  • Spotted user.db — looks like it holds the keys to user accounts on the site.

1|gael|gael@artificial.htb|c99175974b6e192936d97224638a34f8
2|mark|mark@artificial.htb|0f3d8c76530022670f1c6029eed09ccb
3|robert|robert@artificial.htb|b606c5f5136170f15444251665638b36
4|royer|royer@artificial.htb|bc25b1f80f544c0ab451c02a3dca9fc6
5|mary|mary@artificial.htb|bf041041e57f1aff3be7ea1abd6129d0

These are the first five accounts in the user table, all using the @artificial.htb domain. This suggests they belong to staff members or users associated with the organization or internal system.

Smashing the Hash
#

The gael account stands out as noteworthy.

They’re using MD5 for password hashing — perfect target for John the Ripper .

gael@artificial.htb: mattp005numbertwo
royer@artificial.htb: marwinnarak043414036

Cracked and logged in — both gael and royer accounts are now accessible.

Escalating Account Compromise
#

Is there a way to escalate further and gain access to other users?

In app.py, I discovered the secret_key, which allows me to forge valid session cookies. Using hijacking_session.py , I can hijack sessions and log in as other users.

mark@artificial.htb

…or hijack sessions of other players active on the box.

MeowMeow@artificial.htb

Mission Complete: Flag Acquired
#

At first, I tried switching to the gael user using the cracked password, but it failed. This left me confused, and I spent a significant amount of time exploring alternative exploitation paths — but nothing seemed to work…

Wasted half a day chasing dead ends… then I tried SSH — and boom, I was in.

Flag: 72c6100ad4e95442bfd90e3d0f66b706

System Pwned
#

Knowing the system runs Linux, I used linpeas.sh from PEASS-ng to enumerate potential privilege escalation vectors.

Fired up a server on my end and fetched linpeas.sh to the target — time to hunt for root.

python -m http.server 8000

After running it, the linpeas.sh output revealed several noteworthy findings worth investigating.

Service Discovery
#

backrest_backup.tar.gz

The backrest.log file also revealed that a web server is running locally on 127.0.0.1:9898

Setting up an SSH local port forwarding tunnel to view this service.

ssh gael@10.10.11.74 -L 9898:127.0.0.1:9898

Backrest

Service Breach
#

This is a base64-encoded bcrypt password. I’m also using John the Ripper to attempt to crack it.

backrest_root: !@#$%^

Escalate Privileges to Root
#

Backrest && Restic
#

First, I explored some of the available actions, such as creating a repository and testing the “run command” feature. I attempted command injection, but it didn’t work.

So, I needed to understand what Backrest actually does in order to find a way to leverage it for exploitation.

restic

Backrest: a cross platform backup orchestrator and WebUI for restic

Imagine setting up a repo that points to /root and exfiltrates the data straight to my Restic server — now that’s leverage.

Weaponized Restic Server
#

restic

rest-server

First, create a rest-server.

Init repo to my server.

Backup /root directory to my repo

Access to /root from server.

SSH access using the .ssh/id_rsa

Flag: 99b888214ef2cd3206a36fee7cba0918

Related

Compress
·5 mins
CTF Exploitation Pwn Write-Up Heap Unlink-Attack
Race Condition
13 mins
CTF Exploitation Operating Systems Vulnerability Analysis
pwnable.tw
·10 mins
CTF Exploitation Pwn Write-Up